adguard cert does not work with work profile

[terrytw]

Please answer the following questions for yourself before submitting an issue.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

AdGuard version

4.1

Environment

- OS: Android 12
- Device: Xperia 5 II
- Firmware: Latest

Root access

• Yes, I have it.

What filters do you have enabled?

No response

What Stealth Mode options do you have enabled?

No response

Issue Details

The adguard cert seems to only move the last cert to system store.

This leaves a problem, if someone enables work profile, there will be 2 certs, either both in /data/misc/user/0/cacerts-added, or in /data/misc/user/0/cacerts-added and /data/misc/user/10/cacerts-added respectively and adguard only seems to move one of them to the system store.

P.S. If both of them are in /data/misc/user/0/cacerts-added, one of them will end with .1 instead of .0

Expected Behavior

Both regular user (0) and work profile user can have certificates in the system store.

Actual Behavior

For regular user(0) and work profile user, only one of them can have certificate in system store.

Screenshots

Screenshot 1:

Additional Information

No response

[Versty]

@terrytw Hi!
Please check if the issue persists on the latest nightly version. We have made some tweaks to the certificates installation flow recently.

[terrytw]

Dear Diana,

Can you please confirm which verison of adguardcert module should I be using in combination with the lastest nightly Adguard Android? Should I use v2.0-beta4?

[Versty]

@terrytw Yes, please use this version

[terrytw]

@Versty Dear Diana,

I have tried the latest nightly and adguardcert 2.0 beta4, and the problem persists.

If it helps, you can have the dev try https://play.google.com/store/apps/details?id=com.oasisfeng.island&hl=en_US on your test devices to create work profile and see for yourself.

The issue is actually quite straight forward, basically:

1. You can not install cert into work profile's user store, you can only install it in the default user's user store;
2. All users share the same system store.
3. adguardcert module only copies one cert into the system store.

I have no idea how the intermediate cert schematic works. I hope you guys can figure out a way to make it work.
For now I manually move cert from user 0's user store to user 10's user store, and use a modified https://github.com/ngorskikh/adguardcert (cp instead of mv) to address the issue.

[Versty]

@terrytw At this point, certificates work in pair. If one of them is in the system store, the second one must be in the user store for correct HTTPS filtering.

adguardcert module only copies one cert into the system store.

Therefore, this behaviour is intended.

[terrytw]

@Versty Yes, I know it is intended, which creates a legitimate problem: https filtering does not work in work profile.

[Versty]

@terrytw We have discussed this issue with developers and transferred it to the appropriate repository.

[terrytw]

@Versty Dear Diana, any update? I saw that you assigned someone then removed the assignment later. Not asking any ETA, just want to know whether this is still being worked on.

[GodlikeRU]

This is still a problem but I found a workaround. You need root.

1. Using root file manager go to /data/misc/user/0/cacerts-added - this folder contains two adguard certificates installed on your main profile
2. Copy these two into /data/misc/user/999/cacerts-added - this folder is for work profile certs
3. Also copy certs to /system/etc/security/certs - this is system wide cert store
4. Reboot
5. After rebooting there will be notification that new certificates were installed for work profile
6. Adguard cert will now work properly on work profile allowing system wide https filtering in auto proxy root mode. It also works properly with VPN at same time

[terrytw]

Yes I have figured it out as well, thank you for sharing anyway.
Problem is that after Android 11, even with root permission you cannot write to system partition.
I have modified movecert module myself to achieve this.
It is just kinda disappointing that the devs just ignored this.

[GodlikeRU]

@terrytw please share the modified module. It may help people with same problem. and I agree, it's disappointing we still don't have fix from Adguard team. Work profile is getting more and more popular and this will affect more and more people. On Android 10 the above method worked.

[terrytw]

I was going to but it is rather cumbersome. Oh well here it goes
movecert-1.9-new.zip
You will need to modify post-fs-data.sh because work profile user ID can be any number, for you it is 999 for me it is 10.
Also since you cannot install cert to work profile directly, you will need to install it in main profile and move it from /data/misc/user/0/cacerts-added/ to /data/misc/user/10(or whatever you work profile user ID is)/cacerts-added/

[GodlikeRU]

There's also another problem that needs looking into by the devs. Adguard from main profile does not detect apps in the work profile, therefore excluding apps on the work profile from protection is impossible. Most of us uses work profile to sandbox dangerous intrusive apps like Facebook or Instagram and these works with default settings, but this may be a big problem in the future.

While using default VPN connection way maybe two Adguards can work together, but I am using automatic proxy mode with Root, so real 3rd party VPN can work with Adguard too.

[Lhn94]

I was going to but it is rather cumbersome. Oh well here it goes movecert-1.9-new.zip You will need to modify post-fs-data.sh because work profile user ID can be any number, for you it is 999 for me it is 10. Also since you cannot install cert to work profile directly, you will need to install it in main profile and move it from /data/misc/user/0/cacerts-added/ to /data/misc/user/10(or whatever you work profile user ID is)/cacerts-added/

Thanks for the module. I've so I've tried this and got the cert to successfully copied over. After reboot, there was also a notification saying a new system cert was installed. BUT, how do I enable HTTPS filtering in Work profile Adguard? I still saw in Adguard saying HTTPS filtering is not enable and to install a cert. Any idea what is the next step?

[terrytw]

You will need to install 2 adguard, one for main profile one for work profile.

[Lhn94]

Yeah, I meant the work Adguard is showing that HTTPS filtering is not working.

[terrytw]

For latest adguard, you need to make sure that the intermediate cert is still in user store while the other cert is in system store.

[Lhn94]

Yes, they are in the right stores. But my work profile Adguard still doesn't pick up the certs for HTTPS filtering in VPN mode, and proxy mode simply block all connections =<

[GodlikeRU]

You have to be doing something wrong. I have it set in auto proxy mode (ROOT) and HTTPS filtering works on both profiles with certs moved to stores.

EDIT:: If you are using proxy root mode then only ONE AdGuard is required, on the main profile.

[Lhn94]

Finally I've got Adguard to block ads on both profiles in Proxy (Root) Mode, but I'm running into a weird issue when Instagram and Twitter on my Work Profile simply don't load anything/ profiles. These apps work just fine in Main profile. The issue is only present when Adguard is On.
Anyone got an idea on this?