Netgate Discussion Forum
    Is letsencrypt.Org an option for https captive portal?

    Captive Portal
    9 Posts 7 Posters 5.6k Views
    • jaspras

      letsencrypt.Org gives free certificates. I wonder if anyone tried it with Captive Portal and got results most CP users would love to have…. HTTPS login to CP plus no security warnings...

      • felix.wolfsteller

        Besides other issues, you will only be able to use the letsencrypt certificates if your "login domain" is publicly resolved to the correct IP.
        You cannot create a certificate for "mydomain.local" if you do not actually own that domain. This might already kick out many usage scenarios.

        If however you "own" your captive portal's FQDN it should be possible to let letsencrypt and your pfSense box create valid certificates, with some crypto and FreeBSD knowledge. I'd assume you would have to write your own blog post about how it's done, though :)

        • Gertjan

          Free certificates are never entirely free.

          You NEED a domain name, like your-domain.tld that resolves on the net.

          Example:
          I work for a company that uses xxxx-hotel-fumel.fr; this domain is used for our mails, site, etc.
          I also bought a xxxx-hotel-fumel.net that, when used on the Internet, just points to the same IP as xxxx-hotel-fumel.fr does. It even has some mails attached to it (like postmaster, abuse, etc).

          I used this "xxxx-hotel-fumel.net" when ordering my free certificate @ startssl.com.
          I ordered a certificate for this (sub)domain: portal.xxxx-hotel-fumel.net
          portal.xxxx-hotel-fumel.net points internally to 192.168.2.1, which is my OPT1 interface, or: my captive portal.

          I used this certificate "portal.xxxx-hotel-fumel.net" to enable https authentication on my portal.
          Works for years now ;)

          Btw: because they are free, I also ordered a "pfsense.xxxx-hotel-fumel.net" (used on my LAN so it points to 192.168.1.1) so I can access the GUI using https. A bit overkill, I guess (GUI traffic goes only over the trusted LAN) but worth it because I better understand the process now.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • felix.wolfsteller

            Thanks Gertjan for the more "patient" answer, I think it will help many people. However, minor comments:

            @Gertjan:

            Free certificates are never entirely free.

            Well, free certificates are free (you yourself can create as many of them as you want, for any domain you want), but browsers (and other tools) do not trust them without configuration.

            @Gertjan:

            Btw: because they are free, I also ordered a "pfsense.xxxx-hotel-fumel.net" (used on my LAN so it points to 192.168.1.1) so I can access the GUI using https. A bit overkill, I guess (GUI traffic goes only over the trusted LAN) but worth it because I better understand the process now.

            I disagree, you should always enable encryption (for that, the built-in certificate generation will do fine).

            • cmb

              The PITA part of letsencrypt is the short lifetime. If you want an HTTPS portal, pay for a 1-3 year cert. You can get them for about $9 USD/year. It's too cheap to justify the hassle of replacing the cert 4 times a year. Maybe that'll change at some point if automation for letsencrypt certs is implemented.

              It's not possible to have a captive portal with HTTPS that doesn't trigger certificate warnings for intercepted HTTPS connections, if that's what you're asking. Say you get a cert for myportal.example.com, then your redirected HTTP connections will work with no cert warning (because the only HTTPS request is to myportal.example.com). But if you're intercepting, say, https://google.com, you're stuck with a cert error because you can't get a cert for google.com and it's impossible to make the clients request your page instead until after they accept the cert error.

              • blankphoto
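The points raised so far can be turned into a pre-flight check a portal admin can run before ordering a certificate. The following is an added example written for this thread; it is not pfSense code and not something any poster wrote. The hostnames (`portal.example-hotel.net`), the 203.0.113.10 / 192.168.2.1 addresses and the resolver tables are constructed stand-ins for the kind of split-DNS setup Gertjan describes; the 30-day renewal window is an assumption that matches what common ACME clients do by default for 90-day certificates.

```python
"""
Pre-flight checks for an HTTPS captive portal certificate (added example):
  1. a public CA will not issue for names it cannot validate (e.g. mydomain.local);
  2. the portal FQDN must exist in public DNS and resolve internally to the
     portal interface (split DNS);
  3. the certificate's names must cover the FQDN the client is redirected to;
     an intercepted request for some other host (google.com) can never match;
  4. a 90-day certificate has to be renewed on a schedule.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Special-use / reserved TLDs (RFC 2606, RFC 6762) that no public CA will issue for.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def public_ca_can_issue(fqdn):
    """False for single-label names and names under reserved TLDs such as '.local'."""
    labels = fqdn.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] not in RESERVED_TLDS


def cert_name_matches(san_names, hostname):
    """RFC 6125-style matching: exact match, or a wildcard that covers only the
    left-most label (*.example.net matches portal.example.net, not a.b.example.net
    and not the bare example.net)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.net"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def split_dns_ok(fqdn, public_resolver, internal_resolver, portal_subnet):
    """Return a list of problems (empty when the split-DNS setup is sound).
    The resolvers are plain dicts standing in for real lookups."""
    problems = []
    public_ip = public_resolver.get(fqdn)
    internal_ip = internal_resolver.get(fqdn)
    if public_ip is None:
        problems.append("not publicly resolvable, so a CA cannot validate it")
    if internal_ip is None:
        problems.append("no internal record, so clients cannot reach the portal by name")
    elif ip_address(internal_ip) not in ip_network(portal_subnet):
        problems.append(f"internal record {internal_ip} is not on the portal subnet {portal_subnet}")
    return problems


def renewal_due(not_after, today, renew_days_before=30):
    """Days left on the certificate and whether renewal is due. Dates may be
    date objects or ISO strings. 30 days before expiry is an assumption
    matching common ACME client defaults for 90-day certificates."""
    if isinstance(not_after, str):
        not_after = date.fromisoformat(not_after)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    days_left = (not_after - today).days
    return days_left, days_left <= renew_days_before


def check_portal(fqdn, san_names, public_resolver, internal_resolver,
                 portal_subnet, not_after, today):
    """Collect human-readable findings for one portal setup."""
    findings = []
    if not public_ca_can_issue(fqdn):
        findings.append(f"{fqdn}: a public CA will not issue for this name")
    findings += [f"{fqdn}: {p}" for p in
                 split_dns_ok(fqdn, public_resolver, internal_resolver, portal_subnet)]
    if not cert_name_matches(san_names, fqdn):
        findings.append(f"{fqdn}: certificate names {san_names} do not cover it")
    days_left, due = renewal_due(not_after, today)
    if due:
        findings.append(f"{fqdn}: {days_left} days left, renewal is due")
    return findings


# Constructed sample data (TEST-NET-3 public address, RFC 1918 portal address).
PUBLIC_DNS = {"portal.example-hotel.net": "203.0.113.10"}
INTERNAL_DNS = {"portal.example-hotel.net": "192.168.2.1"}   # OPT1 / portal interface
PORTAL_CERT_SANS = ["portal.example-hotel.net"]

if __name__ == "__main__":
    # A 90-day cert issued 70 days before "today": renewal is due.
    for line in check_portal("portal.example-hotel.net", PORTAL_CERT_SANS, PUBLIC_DNS,
                             INTERNAL_DNS, "192.168.2.0/24", "2016-02-04", "2016-01-15"):
        print(line)
    # cmb's point: an intercepted https://google.com can never match the portal cert.
    print("intercepted google.com would warn:", not cert_name_matches(PORTAL_CERT_SANS, "google.com"))
    # felix's point: no public certificate for a .local name.
    print("mydomain.local issuable:", public_ca_can_issue("mydomain.local"))
```

The split-DNS check is the part people most often get wrong: the public A record only has to exist so the CA can validate the name; it is the internal record pointing at the portal interface that makes the redirect land on a certificate the browser accepts.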

                @cmb:

                The PITA part of letsencrypt is the short lifetime. If you want a HTTPS portal, pay for a 1-3 year cert. You can get them for about $9 USD/year. It's too cheap to justify the hassle of replacing the cert 4 times a year. Maybe that'll change at some point if automation for letsencrypt certs is implemented.

                It's not possible to have a captive portal with HTTPS that doesn't trigger certificate warnings for intercepted HTTPS connections, if that's what you're asking. Say you get a cert for myportal.example.com, then your redirected HTTP connections will work with no cert warning (because the only HTTPS request is to myportal.example.com). But if you're intercepting, say, https://google.com, you're stuck with a cert error because you can't get a cert for google.com and it's impossible to make the clients request your page instead until after they accept the cert error.

                These are just the beta certs; after the beta they want the certs to expire.

                • Derelict LAYER 8 Netgate

                  Nope.

                  They are intended to be automatically renewed and installed by the system.

                  https://letsencrypt.org/2015/11/09/why-90-days.html

                  In addition, the 90-day expiration might keep the CRL manageable.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • barrio603 @cmb

                    @cmb Yes, you can buy certs for 3 years, but you have to replace them every 14 months. Try doing that on 30 firewalls; that is crazy management.

                    Using Let's Encrypt on a local captive portal would be a huge savings.

                    • Gertjan @barrio603

                      @barrio603 said in Is letsencrypt.Org an option for https captive portal?:

                      would be

                      Your "would be" became a "must have" half a decade or so ago.
                      It's 6 years later now. The acme.sh pfSense package took care of things.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.