Enabling HTTPS login certificate errors on http redirects
-
Hello,
I am aware of the reasons why you may want to avoid a captive portal, however my employer requires one.
My issue is that I was recently asked to add vouchers and QR code scanning. I have made the portal page and that is working well in local testing; however, I discovered that when deployed to PFSense, Google Chrome will not allow access to the camera when a page is served over http. No problem, I added our wildcard cert to PFSense and ticked 'Enable HTTPS login' along with 'Disable HTTPS forwards' to avoid redirecting https traffic and erroring out.
Enter the strangeness. On a PC, this seems to work fine. On all of the mobiles/Androids/iPhones I've been able to test, a certificate error is shown for the login page.
PFSense is served from guest-wifi.***school.org.uk
The certificate is a wildcard for ***school.org.uk
The error shown on my Android phone is "This certificate isn't from a trusted authority" - We use Trustico. And my phone is fine and happy with all our other sites hosted with the same cert.
I have read this: https://forum.netgate.com/topic/73178/captive-portal-https-login-how-please/4 where they express concern about redirecting from https sites to the captive portal, but modern browsers detect the CP and send users to http sites like http://www.msftconnecttest.com/redirect or http://www.gstatic.com/generate_204, which shouldn't throw an error?
Is there a way around this issue or is it pure and simple "redirect = bad"?
-
I appear to have solved this issue! I am making this reply should anyone else come across my post.
Trustico do not issue you a copy of their CA cert as they are built into modern browsers. I have however exported their CA and Comodo (as it's linked) from my Windows PC and imported them into PFSense, and the https login now appears to be working. Hopefully this is helpful to someone!
-
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
I am aware of the reasons why you may want to avoid a captive portal, however my employer requires one.
Captive portals work fine.
Recent devices, for many years now, support them.
No special education is needed to make them work - people don't even know that they use a captive portal.
Btw: my employer (myself) also. I'm running a hotel. A captive portal is a must have.
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
Android phone is "This certificate isn't from a trusted authority" - We use Trustico
There it is : you wrote the answer to your question.
You thought your phones were trusting the signer cert (the parent cert) but they were not.
The cert issue isn't a captive portal issue.
Ok if you use an https login page on the captive portal, but the URL (no IP!) to this page should use a cert that is trusted by your phone.
If the device - phone does not trust that cert, that is the server cert itself, and the upstream certs / CA certs, it will fail.
There is an alternative: because you already have (actually: rent) a domain name that you use for the captive portal https login, you could use a Let's Encrypt cert as a plan B. Bonus: it's a free set-it-and-forget-it solution. The cert will get auto-renewed for life. No more annual renewal fees and hassle.
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
"redirect = bad"?
Redirect is bad when it concerns https.
http can get redirected at will.
Captive portals - as implemented right now - are based on http redirect.
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
I have however exported their CA and Comodo (as it's linked) from my Windows PC and imported them into PFSense, the https login now appears to be working.
Be careful: including the CA doesn't make a device trust the entire cert chain.
The final CA must be already present in the device's internal list with "trusted CA's".
If Trustico's CA isn't part of a 'device known trusted cert list', it's game over.
Ok if you import that CA into your device, but then everybody has to do the same thing.
I can't see that as an option: handing over a paper to every client visiting our hotel that explains to them how to import a (CA) cert so they can use our captive portal. For every possible device, every possible OS ... (thousands).
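The point made above (and the fix the original poster found in the earlier reply) comes down to certificate path building: a phone will only accept the portal's wildcard leaf if it can chain it to a root already in its own store, and the server has to send the intermediate for that path to exist, while sending the root itself creates no trust. The following script is an added example, not code from the thread or from pfSense: it builds a throwaway root / intermediate / wildcard-leaf PKI with `openssl` and replays the three situations with `openssl verify` acting as the client. The domain `guest-wifi.example.org.uk` and all CA names are hypothetical stand-ins for the elided school domain.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the chain-trust behaviour
# discussed above with a throwaway PKI and `openssl verify` as the client.
# Everything here is constructed; hostname and CA names are hypothetical.
# Requires openssl 1.1.0 or newer (for -verify_hostname) in PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="guest-wifi.example.org.uk"   # stands in for the elided school hostname

# Issue a certificate: $1 = file name, $2 = subject, $3 = extension text,
# $4/$5 = issuer cert and key (both empty = self-signed root).
issue() {
  name="$1"; subj="$2"; ext="$3"; ca="$4"; cakey="$5"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
      -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectAltName=DNS:*.example.org.uk'

# root -> intermediate -> wildcard leaf, plus an unrelated root for scenario 3
issue root  "/CN=Example Root CA"         "$CA_EXT"
issue int   "/CN=Example Intermediate CA" "$CA_EXT"   "$WORK/root.pem" "$WORK/root.key"
issue leaf  "/CN=*.example.org.uk"        "$LEAF_EXT" "$WORK/int.pem"  "$WORK/int.key"
issue other "/CN=Unrelated Root CA"       "$CA_EXT"

# Act as a client whose trust store is $1 and which receives leaf $2 plus the
# extra certificates $3 (may be empty) from the server. Prints ACCEPTED/REJECTED.
# Note: -CAfile alone still lets openssl consult the system CA directory, which
# is why only private roots are used here.
check_as_client() {
  if [ -n "$3" ]; then
    set -- -CAfile "$1" -verify_hostname "$DOMAIN" -untrusted "$3" "$2"
  else
    set -- -CAfile "$1" -verify_hostname "$DOMAIN" "$2"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ACCEPTED; else echo REJECTED; fi
}

# 1. Server sends only the leaf: the client cannot build a path to a root it
#    trusts, so it reports the cert as not from a trusted authority.
leaf_only()         { check_as_client "$WORK/root.pem" "$WORK/leaf.pem" ""; }
# 2. Server also sends the intermediate (the poster's fix): path completes.
with_intermediate() { check_as_client "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"; }
# 3. Server sends intermediate AND root, but the client store does not hold
#    that root: still rejected. Sending a CA cert does not create trust in it.
untrusted_root() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/sent.pem"
  check_as_client "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/sent.pem"
}

echo "leaf only:             $(leaf_only)"
echo "leaf + intermediate:   $(with_intermediate)"
echo "chain, root untrusted: $(untrusted_root)"
```

To see what a live portal actually sends, `openssl s_client -connect <portal host>:443 -showcerts` prints every certificate in the handshake; if the intermediate is missing there, desktop browsers may still succeed because they fetch it via the AIA extension or have it cached, which is exactly why the problem showed up only on phones.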
-
@gertjan Thanks for your helpful reply. As you say, I realised what was going on as I was typing my post.
"I can't see that as an option : handing over a paper to every client visiting our hotel that explains them how to import a (CA) cert so they can use our captive portal. For every possible device, every possible OS ... (thousands)."
I have had the certificate conversation with my employer more than once - they want MITM logging for public devices and I keep saying this just won't happen.
-
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
they want MITM logging for public devices
Have the word 'public' removed.
MITM can work with devices you control and most probably own.
So you will know what happens on devices you control ... quite logical, as it would probably be 'yourself' operating these devices.
Or it could be devices that are given to employees. These are also under your control.
But there is no need to use a captive portal for these devices.
A captive portal is meant to be used for unknown - untrusted devices, belonging to unknown people, and you want to 'offer' them an Internet connection. These people / devices do not use any local services / resources, just the connection.
@robinwright said in Enabling HTTPS login certificate errors on http redirects:
saying this just won't happen
Well ... he's paying your hours, right?
This isn't like "installing yet another Windows PC". Not the same 'qualification', neither ... ;)
Still: good luck ^^
Btw:
Look at https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security most 'big' sites use these HSTS certs these days.
When the device visits one of these HSTS sites, the cert is stored for a year or so. A later MITM type of connection gets detected and refused.
MITM is a 24/24 H job; new exceptions will constantly pop up and have to be dealt with.