imTHAI / docker-pixelserv-tls


certificates not recognized as valid #4

Closed charettepa closed 2 years ago

charettepa commented 3 years ago

Followed the process and extracted the generated crt and key; both files are dated April 26, 2021.

It is working on some ads, however not on https, specifically g.doubleclick.net.

Certificates are not recognized as valid. This causes the ad to not resolve as a pixel and instead gives the same banner as before, stating the link could not be loaded. What needs to be done to insert valid certificates?

imTHAI commented 3 years ago

> it is working on some ads however not on https

Dude, the certificate is used only on https. So how can it work on some ads that are not https?!

If it is not recognised as valid, it means you didn't put the corresponding root certificate in your browser/OS. Please read the process again. If you need me to explain the steps in more detail, tell me your browser/OS.

Now I'm using pfsense/pfblockerNG, but I just tried docker-pixelserv-tls with firefox (86.0.1) under archlinux and it works perfectly.

charettepa commented 3 years ago

Right, I understand that the cert is for https only; I was just stating that pixelserv is working for http.

I did not realize that I needed the cert per machine, in the browser or at OS level. My understanding was that this was for network level and that the certs were needed for pixelserv in the pixelserv docker.

I have just checked the directions on the code page @ https://github.com/imTHAI/docker-pixelserv-tls. I must be misunderstanding, as it only lists the need for the cert in the docker and not in the browser or OS.

I will try to add the cert to one of my machines.

imTHAI commented 3 years ago

Yes, you have to put the ca.crt as an "official" root certificate in your OS and/or browser (for example, with Firefox it's at the browser level, in the settings). So next time you visit a page with ads, the advertising is loaded from, for example, https://adscompany.blah/bannerXYZ.jpg, but adscompany.blah is redirected to pixelserv-tls (if you configured your DNS correctly to filter ads). pixelserv-tls generates a new certificate for adscompany.blah (it generates it only the first time you visit the website; next time it's already generated), then it loads the fake 1-pixel webpage, and your browser won't give you an alert saying the certificate is invalid, because every certificate generated on the fly is validated by the root certificate ca.crt.
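The trust relationship described in the comment above, reproduced as an added example (not part of the thread and not the project's code). It assumes OpenSSL 1.1.1 or later on PATH; the root, the leaf for `adscompany.blah`, and the `make_chain` / `client_accepts` helpers are constructed for illustration and stand in for pixelserv-tls's own ca.crt and on-the-fly certificates.

```bash
#!/bin/sh
# Added example with constructed certificates; not pixelserv-tls's own files.

# Build a throwaway root (ca.crt) and a leaf for host $1 signed by it, in dir $2.
make_chain() {
  host=$1 dir=$2
  cat > "$dir/o.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = root
prompt = no
[dn]
CN = Constructed Test Root
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/o.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/o.cnf" -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/o.cnf" -extensions leaf \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Would a client accept $1/leaf.crt for host $2? $3 = extra root it imported
# (optional). Without $3 only the system trust store is consulted.
client_accepts() {
  dir=$1 host=$2 root=${3:-}
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -verify_hostname "$host" "$dir/leaf.crt"
  else
    openssl verify -verify_hostname "$host" "$dir/leaf.crt"
  fi >/dev/null 2>&1
}

# Demo: the same leaf is accepted or rejected depending only on the imported root.
d=$(mktemp -d) && make_chain adscompany.blah "$d" || exit 1
client_accepts "$d" adscompany.blah "$d/ca.crt" && echo "ca.crt imported: accepted"
client_accepts "$d" adscompany.blah || echo "ca.crt not imported: rejected"
rm -rf "$d"
```

The certificate inside the container is identical in both runs; only the client's trust store differs, which is why the root has to be imported on each machine or browser.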

imTHAI commented 3 years ago

https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate