HTTPS cert issues and Firefox blocking of some sites

Discussion in 'Technical Support (AdGuard for Windows)' started by Dolfi, Nov 22, 2014.

  1. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Hi,

    I understand that AdGuard uses MITM "attack" to check HTTPS.
    What I do not understand: I cannot load some pages (example: startpage.com) in Firefox when HTTPS scanning is enabled.
    Error message:
    whilst others just warn and present the link "I understand the risks" where I can add an exception (example: www.google.com.

    1) where to get the "root CA" of AdGuard to install to the trusted cert issuers list to circumvent these (useless) warnings?
    2) why are some sites blocked completely whilst others just warn? The AG cert is (yet) untrusted on any site?
    3) most important: How to be warned about sites that really have bad/outdated/untrusted certs when using HTTPS scanning?


    Thank you
     
  2. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    3,213
  3. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Hi Boo,

    I found that KB article, it does answer question 1 and 3 (I only read the 1st paragraph bc that handeled (unsuccessfully) my issue).
    I still was curious about #2?
     
    Last edited by a moderator: Nov 22, 2014
  4. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Install Self-Signed Certificates as an iOS Configuration Profile

    To whom it may be of interest: Installing that cert on an iDevice works great using "Tip #2 – Install Self-Signed Certificates as an iOS Configuration Profile" from this site.
    I have HTTPS filtering w/o nags on my iPad now.
     
  5. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,895
    1. Root CA is generated when you first use Adguard. If you delete %programdata%\NetworkTemp folder it will be generated once more time.

    2. Could you please check that the cert for startpage.com is generated by Adguard?
    Maybe you use another software doing the same (I mean filtering HTTPS)?

    3. We check if certificate is valid. And if cert is not valid or it is self-signed - we do not filter the connection.
     
  6. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    1. Thank you, that helps and explains much (see my upcoming feature request ;)).
    2. Yes it was signed by AdGuard. Now that I imported the AG root CA everything is fine (couldn't the installer offer to do such? Made the life of simple users way easier).
    3. don't let the advertisers get to know that ;)
     
  7. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,895
    2. It's not that simple with Firefox. The cert is imported on Adguard's protection startup but it's crucial that Firefox should not be running at the same time. If Firefox is running than this imported cert is ignored.

    Installer has "Close Firefox" checkbox checked by default to handle this.

    3. The browser will block the request and show "invalid cert" page, so nothing to worry about:)
     
  8. Rian

    Rian Beta Tester

    Joined:
    Jun 6, 2014
    Messages:
    137
    I am getting Certificate error when i log into outlook.com using firefox and cyberfox.... I reinstalled the latest beta but still i got this error......anyway just now i closed adguard completely and reopend again issue seems to be solved... i will keep an eye on this
     
  9. Rian

    Rian Beta Tester

    Joined:
    Jun 6, 2014
    Messages:
    137
    Ok it happened again.... i can assure you it didn't happened before. I can log into outlook but if i open something or just select sent mail or anything i get the certificate error(tested in cyberfox) but If i disable adguard then everything is fine with outlook
     
  10. mysteriously

    mysteriously Beta Tester & Translator

    Joined:
    May 4, 2014
    Messages:
    508