Issue with Certificate

[SC0d3r]

Hi! Tnx for you awesome work

Issue:

Certificate installs but every page in chrome gives certificate error

and I dont have access to script.google.com so I need this to work to be able to create my own app in google

after running mhrvs-rs and then setting proxy to http://127.0.0.1:8085 every site (even google.com) gives

Your connection is not private
Attackers might be trying to steal your information from www.google.com (for example, passwords, messages, or credit cards). Learn more about this warning
net::ERR_CERT_AUTHORITY_INVALID

I even set the cert manually in firefox in settings but still firefox gives the same certificate error

certs are created in /root/.config/mhrv-rs/ca

$ sudo ls /root/.config/mhrv-rs/ca
ca.crt	ca.key

How to fix this?

Read for more info

---

System:

Ubuntu 20.04.6 LTS

mhrv-rs version:

$ ./target/release/mhrv-rs --version
mhrv-rs 1.5.0

I build from source via cargo build --release --features ui

Some outputs when runnsing mhrv-rs

$ ./target/release/mhrv-rs
2026-04-26T04:28:13.482253Z  INFO RLIMIT_NOFILE = 65536/1048576 (soft/hard), was 1024/1048576 at startup
2026-04-26T04:28:13.482294Z  WARN mhrv-rs 1.5.0 starting (mode: google_only)
2026-04-26T04:28:13.482307Z  INFO HTTP proxy   : 127.0.0.1:8085
2026-04-26T04:28:13.482318Z  INFO SOCKS5 proxy : 127.0.0.1:8086
2026-04-26T04:28:13.482329Z  WARN google_only bootstrap: direct SNI-rewrite tunnel to 216.239.38.120 only. Open https://script.google.com in your browser (proxy set to 127.0.0.1:8085), deploy Code.gs, then switch to apps_script mode.
2026-04-26T04:28:13.487466Z  INFO Loaded MITM CA from /home/sck/.config/mhrv-rs/ca/ca.crt
2026-04-26T04:28:13.487541Z  INFO MITM CA appears to be trusted.
2026-04-26T04:28:13.487699Z  WARN Listening HTTP   on 127.0.0.1:8085 — set your browser HTTP proxy to this address.
2026-04-26T04:28:13.487711Z  WARN Listening SOCKS5 on 127.0.0.1:8086 — xray / Telegram / app-level SOCKS5 clients use this.
2026-04-26T04:28:55.616539Z  INFO dispatch clientservices.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:55.616599Z  INFO SNI-rewrite tunnel -> clientservices.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:55.657412Z  INFO dispatch safebrowsingohttpgateway.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:55.657436Z  INFO SNI-rewrite tunnel -> safebrowsingohttpgateway.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:56.008265Z  INFO dispatch optimizationguide-pa.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:56.008303Z  INFO SNI-rewrite tunnel -> optimizationguide-pa.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:56.195397Z  INFO dispatch clientservices.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:56.195433Z  INFO SNI-rewrite tunnel -> clientservices.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:56.521829Z  INFO dispatch accounts.google.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:56.521864Z  INFO SNI-rewrite tunnel -> accounts.google.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:56.524700Z  INFO dispatch script.google.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:56.524732Z  INFO SNI-rewrite tunnel -> script.google.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:28:56.536963Z  INFO dispatch search.google.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:28:56.537000Z  INFO SNI-rewrite tunnel -> search.google.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
...

installing cert manually:

$ ./target/release/mhrv-rs --install-cert
2026-04-26T04:36:43.800138Z  INFO Loaded MITM CA from /home/sck/.config/mhrv-rs/ca/ca.crt
2026-04-26T04:36:43.800184Z  INFO Installing CA certificate on linux...
2026-04-26T04:36:43.800205Z  INFO Detected Linux distro family: debian
2026-04-26T04:36:43.800240Z  WARN direct install failed — retrying with sudo.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
2026-04-26T04:36:45.285203Z  INFO CA installed via sudo.
2026-04-26T04:36:45.286135Z  INFO CA installed. You may need to restart your browser.

result on scan ips

$ ./target/release/mhrv-rs scan-ips 
2026-04-26T04:40:24.901557Z  INFO RLIMIT_NOFILE = 65536/1048576 (soft/hard), was 1024/1048576 at startup
2026-04-26T04:40:24.901591Z  INFO fetch_ips_from_api disabled, using static fallback
Scanning 28 Google frontend IPs (SNI=www.google.com, timeout=4s)...

IP                        LATENCY   STATUS
-------------------- ------------   -------
216.239.38.120              391ms   OK
216.239.32.120                  -   timeout
216.239.34.120                  -   timeout
216.239.36.120                  -   timeout
216.58.212.142                  -   timeout
142.250.80.142                  -   timeout
142.250.80.138                  -   timeout
142.250.179.110                 -   timeout
142.250.185.110                 -   timeout
142.250.184.206                 -   timeout
142.250.190.238                 -   timeout
142.250.191.78                  -   timeout
172.217.1.206                   -   timeout
172.217.14.206                  -   timeout
172.217.16.142                  -   timeout
172.217.22.174                  -   timeout
172.217.164.110                 -   timeout
172.217.168.206                 -   timeout
172.217.169.206                 -   timeout
34.107.221.82                   -   timeout
142.251.32.110                  -   timeout
142.251.33.110                  -   timeout
142.251.46.206                  -   timeout
142.251.46.238                  -   timeout
142.250.80.170                  -   timeout
142.250.72.206                  -   timeout
142.250.64.206                  -   timeout
142.250.72.110                  -   timeout

1 / 28 reachable. Fastest:
  216.239.38.120 (391 ms)

To use the fastest, set "google_ip" in config.json to the top result above.

output when running via mhrv-rs-ui

I started the mhrv-rs-ui and then installed cert

2026-04-26T04:48:15.450314Z  INFO config: attempting fallback load from config.json
2026-04-26T04:48:15.450504Z  INFO Both the glow and wgpu renderers are available. Using glow.
2026-04-26T04:48:15.453389Z  WARN error setting XSETTINGS; Xft options won't reload automatically
2026-04-26T04:48:15.528719Z  INFO Guessed window scale factor: 1.0833333333333333
2026-04-26T04:48:35.332585188Z  [ui] installing CA...
2026-04-26T04:48:35.339087Z  INFO Loaded MITM CA from /home/sck/.config/mhrv-rs/ca/ca.crt
2026-04-26T04:48:35.339119Z  INFO Installing CA certificate on linux...
2026-04-26T04:48:35.339271Z  INFO Detected Linux distro family: debian
2026-04-26T04:48:35.339316Z  WARN direct install failed — retrying with sudo.
2026-04-26T04:48:36.824255Z  INFO CA installed via sudo.
2026-04-26T04:48:36.825243959Z  [ui] CA install ok

Clicking on check ca gives in green

CA appears trusted on this machine.

just afew lines of output when running start with google-only

here I open the browser (chrome via)

google-chrome --proxy-server="http://127.0.0.1:8085"

and every page gives certificate error (and for firefox i use the extension Proxy Toggle and manually added crt file in settings but still gives cert error)

some outputs of mhrv-rs-ui when opening the chrome:

2026-04-26T04:51:16.218137Z  INFO dispatch cdnjs.cloudflare.com:443 -> raw-tcp (direct) (google_only: no relay)
2026-04-26T04:51:16.244207Z  INFO plain-tcp passthrough -> www.aparat.com:443
2026-04-26T04:51:16.569788Z  INFO dispatch content-autofill.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:51:16.569806Z  INFO SNI-rewrite tunnel -> content-autofill.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:51:16.821393Z  INFO dispatch content-autofill.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:51:16.821410Z  INFO SNI-rewrite tunnel -> content-autofill.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:51:17.499057Z  INFO dispatch content-autofill.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:51:17.499071Z  INFO SNI-rewrite tunnel -> content-autofill.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)
2026-04-26T04:51:17.862544Z  INFO dispatch content-autofill.googleapis.com:443 -> sni-rewrite tunnel (Google edge direct)
2026-04-26T04:51:17.862563Z  INFO SNI-rewrite tunnel -> content-autofill.googleapis.com:443 via 216.239.38.120 (outbound SNI=www.google.com)

and some outputs from google-chrome proxy in terminal

$ google-chrome --proxy-server="http://127.0.0.1:8085"
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
[66655:66660:0426/082618.729412:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.745767:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.746541:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.747197:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.784013:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.830794:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082618.848471:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082619.154955:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082619.250921:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082619.866714:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202
[66655:66660:0426/082620.716763:ERROR:ssl_client_socket_impl.cc(877)] handshake failed; returned -1, SSL error code 1, net_error -202

[therealaleph]

Hi @SC0d3r — two layered issues here:

1. You're on v1.5.0 (built from source). Current is v1.6.4 — major cert-handling improvements landed in v1.6.0+. Please upgrade first (git pull && cargo build --release --features ui) before chasing the cert problem; some of this may already be fixed.

2. The cert-trust path on Linux:

The "MITM CA appears to be trusted" message in your log only checks the system OpenSSL trust store at /etc/ssl/certs/. Chrome on Linux does not use that store — it has its own NSS database at ~/.pki/nssdb/. Same for Firefox: ~/.mozilla/firefox/<profile>/cert9.db. That's why the CA install reports success but the browser still rejects.

The --install-cert path in v1.5.0 only updates /etc/ssl/certs/ via update-ca-certificates. v1.6.0+ has additional Linux paths but I'm not 100% sure they cover NSS; let's get you on v1.6.4 and re-test.

If after upgrading the cert error persists, install into NSS manually:

# Chrome / Chromium
sudo apt install libnss3-tools  # if not already installed
mkdir -p ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "mhrv-rs CA" -i ~/.config/mhrv-rs/ca/ca.crt

# Verify
certutil -d sql:$HOME/.pki/nssdb -L | grep mhrv

# Restart Chrome (full quit, all windows)

For Firefox: open about:preferences#privacy → Certificates → View Certificates → Authorities → Import → select ~/.config/mhrv-rs/ca/ca.crt → check "Trust this CA to identify websites" → OK. Then restart Firefox.

Also: notice the path mismatch in your output. You wrote sudo ls /root/.config/mhrv-rs/ca shows ca.crt, but mhrv-rs (running as user sck) loads from /home/sck/.config/mhrv-rs/ca. Those are two different CAs. If you ran --install-cert once with sudo it created /root/.config/...; if you then ran mhrv-rs as your user, it generated a fresh CA at /home/sck/.config/... and uses that one. You need to install the CA mhrv-rs is currently using, which is /home/sck/.config/mhrv-rs/ca/ca.crt (per the load log line Loaded MITM CA from /home/sck/.config/mhrv-rs/ca/ca.crt).

Try the upgrade-first path. If still broken on v1.6.4, paste back the output of certutil -d sql:$HOME/.pki/nssdb -L after the certutil -A step, plus a fresh log line from ./target/release/mhrv-rs showing which CA path it loads.

---

_{[reply via Anthropic Claude | reviewed by @therealaleph]}