HTTPS cert issues and Firefox blocking of some sites

Dolfi

Banned
Hi,

I understand that AdGuard uses MITM "attack" to check HTTPS.
What I do not understand: I cannot load some pages (example: startpage.com) in Firefox when HTTPS scanning is enabled.
Error message:
This Connection is Untrusted
[...]
www.startpage.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
whilst others just warn and present the link "I understand the risks" where I can add an exception (example: www.google.com).

1) where to get the "root CA" of AdGuard to install to the trusted cert issuers list to circumvent these (useless) warnings?
2) why are some sites blocked completely whilst others just warn? The AG cert is (yet) untrusted on any site?
3) most important: How to be warned about sites that really have bad/outdated/untrusted certs when using HTTPS scanning?


Thank you
 

Dolfi

Banned
Hi Boo,

I found that KB article, it does answer question 1 and 3 (I only read the 1st paragraph bc that handled (unsuccessfully) my issue).
I still was curious about #2?
 

Dolfi

Banned
Install Self-Signed Certificates as an iOS Configuration Profile

To whom it may be of interest: Installing that cert on an iDevice works great using "Tip #2 – Install Self-Signed Certificates as an iOS Configuration Profile" from this site.
I have HTTPS filtering w/o nags on my iPad now.
 


Administrator
Staff member
Administrator
> 1) where to get the "root CA" of AdGuard to install to the trusted cert issuers list to circumvent these (useless) warnings?
> 2) why are some sites blocked completely whilst others just warn? The AG cert is (yet) untrusted on any site?
> 3) most important: How to be warned about sites that really have bad/outdated/untrusted certs when using HTTPS scanning?

1. Root CA is generated when you first use Adguard. If you delete the %programdata%\NetworkTemp folder, it will be generated once more.

2. Could you please check that the cert for startpage.com is generated by Adguard?
Maybe you use another software doing the same (I mean filtering HTTPS)?

3. We check if certificate is valid. And if cert is not valid or it is self-signed - we do not filter the connection.
 

Dolfi

Banned
> 1. Root CA is generated when you first use Adguard. If you delete the %programdata%\NetworkTemp folder, it will be generated once more.
>
> 2. Could you please check that the cert for startpage.com is generated by Adguard?
> Maybe you use another software doing the same (I mean filtering HTTPS)?
>
> 3. We check if certificate is valid. And if cert is not valid or it is self-signed - we do not filter the connection.

1. Thank you, that helps and explains much (see my upcoming feature request ;)).
2. Yes it was signed by AdGuard. Now that I imported the AG root CA everything is fine (couldn't the installer offer to do such? Made the life of simple users way easier).
3. don't let the advertisers get to know that ;)
 


Administrator
Staff member
Administrator
> 1. Thank you, that helps and explains much (see my upcoming feature request ;)).
> 2. Yes it was signed by AdGuard. Now that I imported the AG root CA everything is fine (couldn't the installer offer to do such? Made the life of simple users way easier).
> 3. don't let the advertisers get to know that ;)

2. It's not that simple with Firefox. The cert is imported on Adguard's protection startup, but it's crucial that Firefox is not running at the same time. If Firefox is running, then this imported cert is ignored.

Installer has "Close Firefox" checkbox checked by default to handle this.

3. The browser will block the request and show "invalid cert" page, so nothing to worry about:)
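
The trust relationship discussed in this thread, as an added example that is not part of any post and is not AdGuard's code: a leaf certificate signed by a locally generated root fails validation until that root is in the trust store, which is the condition Firefox reports as sec_error_unknown_issuer. All names, hosts and files are constructed, the `openssl` CLI is assumed to be installed, and `openssl verify` stands in for the browser's own chain check.

```shell
#!/bin/sh
# Constructed demo PKI: every name, host and file below is made up.
DEMO_DIR=$(mktemp -d)

# make_root <file-prefix> <common-name>: create a self-signed root CA
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$DEMO_DIR/ca.cnf" -subj "/CN=$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

build_demo_pki() {
    cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    make_root filter-root "Constructed Filtering Root"   # stands in for the filter's root
    make_root browser-root "Constructed Public Root"     # stands in for a root the browser ships
    # Leaf for a hypothetical site, signed by the filtering root
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/ca.cnf" \
        -subj "/CN=site.example" -keyout "$DEMO_DIR/leaf.key" \
        -out "$DEMO_DIR/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/leaf.csr" -days 2 -CAcreateserial \
        -CA "$DEMO_DIR/filter-root.crt" -CAkey "$DEMO_DIR/filter-root.key" \
        -out "$DEMO_DIR/leaf.crt" 2>/dev/null
    # Trust store as it looks after the filtering root has been imported
    cat "$DEMO_DIR/browser-root.crt" "$DEMO_DIR/filter-root.crt" \
        > "$DEMO_DIR/with-filter-root.pem"
}

# Who issued the certificate the client actually received?
leaf_issuer() { openssl x509 -in "$DEMO_DIR/leaf.crt" -noout -issuer; }

# chain_trusted <trust-store.pem>: succeeds only if the leaf chains to a root in the store
chain_trusted() {
    openssl verify -CAfile "$1" "$DEMO_DIR/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

build_demo_pki
leaf_issuer
chain_trusted "$DEMO_DIR/browser-root.crt" || echo "without filtering root: unknown issuer"
chain_trusted "$DEMO_DIR/with-filter-root.pem" && echo "with filtering root: trusted"
```

Against a live site, the issuer shown in the browser's certificate viewer answers the same question as `leaf_issuer` here: whether the certificate came from the filtering root or from the site's real CA.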
 

Rian

Beta Tester
I am getting a certificate error when I log into outlook.com using Firefox and Cyberfox... I reinstalled the latest beta but still I got this error... anyway, just now I closed Adguard completely and reopened it again, and the issue seems to be solved... I will keep an eye on this
 

Rian

Beta Tester
Ok it happened again... I can assure you it didn't happen before. I can log into Outlook, but if I open something or just select sent mail or anything, I get the certificate error (tested in Cyberfox), but if I disable Adguard then everything is fine with Outlook
 