Not serving ca.crt

[adrian-vlad]

I have pixelserv-tls installed along with AB-Solution on my Asus router. For some unknown reason going to http://\<pixelserv ip>/ca.crt returns an empty page with 0 bytes. I was expecting it to start downloading the certificate. Requesting servstats or servstats.txt works with no issue.

I've checked the startup script and it doesn't change the certificate directory (no -z used).

The version of pixelserv is pixelserv-tls: v2.0.1 compiled: Jan 15 2018 17:39:33.

What could be the issue?

[decoderman]

v2.0.1 does not support that url scheme. You'll have to update to the newest version of pixelserv-tls. You can do that through the AB-Solution UI.

[adrian-vlad]

I tried that, but that's the latest version. https://pkg.entware.net/binaries/armv7/Packages.html 2.0.1-1

Anyway, thanks for the answer.

[decoderman]

You could install the beta version, the install command is here: https://kazoo.ga/pixelserv-tls/

Or use amtm to do it: https://www.snbforums.com/threads/amtm-the-snbforum-asuswrt-merlin-terminal-menu-v1-2.42415/

[kvic-z]

@adrian-vlad

You need to upgrade your Entware-ng. Earlier this year, they merged Entware-ng and Entware-3.x into simply Entware. The old repositories are stale and I believe you're getting that.

The latest version is v2.1.1 (that support CA.crt) on all Entware platforms.

[adrian-vlad]

Thank you! Will try that.

[adrian-vlad]

Nice. I reinstalled ab-solution and now it installed the newer Entware and the proper pixelserv version. Thank you!

[darmbrust]

I recently used diversion to set up my rt-ac66u, which all worked perfectly, but I noticed this issue as well. Does diversion not yet install the newer library? Or, is my router just too old, and it isn't being supported by the newer Entware? I'm assuming a workaround to fetch the cert is just to do this: echo -n | openssl s_client -connect 192.168.10.30:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.cert

Hmm, on examination, the cert I got by doing the above echo / download is not the same cert that exists in /tmp/mnt/sda1/entware/var/cache/pixelserv/ca.crt, so now I'm not sure what is going on.

[kvic-z]

Any error messages your browser showed when downloading '/ca.crt'?

[darmbrust]

No, I just get a blank file. Tried pulling it with wget too, just a 0 byte file. But if I understood above, this feature wasn't supported with the 2.0.1 version? That was what got installed for me.

`` Diversion 4.0.6 by thelonelycoder RT-AC66U (mips) FW-380.70 @ 192.168.10.1 38,811 blocked domains 1 hosts file(s) in use 13,930 t 13,911 w 1,289 n ads since Jan 20 05:20

---

d Diversion Standard enabled c communication DivUn stats backup FWun a ad-blocking to IP 192.168.10.30 l logging /opt/var/log/dnsmasq.log ep pixelserv-tls 192.168.10.30 v2.0.1

To be honest, I'm not sure that I care... I was just looking at the pixelserv stats, and there were lots of dropped requests, which I assume are because the client is refusing the cert. I wasn't really sure that I need to care... though I found a thread somewhere that implies the performance would be better, if I imported the cert, so that they could connect / download instead of failing.

[kvic-z]

'/ca.crt' URI is supported since v2.1.0. So in this case with v 2.0.1 receiving a blank page is expected.

I think you have a bigger problem here. Sounds to me you have an old version of Entware that'll never get updated. If that's the case, you can migrate to the latest Entware by doing a fresh installation from scratch.

A quick way to check for updated packages, run e.g. "opkg install pixelserv-tls". The latest version on Entware should be v2.2.0.

Having your CA cert installed on browsing devices that you commonly use certainly improves your browsing experience with better speed and cleaner screen, just to quickly name two benefits.

[darmbrust]

@decoderman I used your great tools to set up this router - is it expected that it would still use an old version of entware? I'm sure I could manually upgrade entware, but I don't want to break diversion, as it just worked so well...

[kvic-z]

Perhaps you can take the question to snbforum thread. Closing the thread.

[decoderman]

@darmbrust MIPS based routers such as the old RT-AC66U uses an unmaintained Entware repository. The latest pixelserv-tls version is the one you have installed. This is outside of my control. The Entware team decided to abandon support for it, probably because of the old kernel version.