Is letsencrypt.Org an option for https captive portal?

jaspras

letsencrypt.Org gives free certificates .  I wonder if anyone tried it with Captive portal and got results most Cp users would love to have….  Https login to Cp plus no security warnings...

felix.wolfsteller

Besides other issues, you will only be able to use the letsencrypt certificates if your "login domain" is publicly resolved to the correct IP.
You cannot create a certificate for "mydomain.local" if you do not actually own that domain. This might already kick out many usage scenarios.

If however you "own" your captive portals FQDN it should be possible to let letsencrypt and your pfsense box create valid certificates, with some crypto- and freebsd-knowledge. I'd assume you would have to write your own blog post about how its done, though :)

Gertjan

Free certificates are never entirely free.

You NEED a domain name, like your-domain.tld that resolves on the net.

Example:
I work for a company, that uses xxxx-hotel-fumel.fr, this domain is used for our mails, site, etc.
I also bought a xxxx-hotel-fumel.net that, when using on the Internet, just points to the same IP as  xxxx-hotel-fumel.fr does. It even has some mails attached to it (like postmaster, abuse, etc).

I used this "xxxx-hotel-fumel.net" when ordering my free certificat @ startssl.com.
I ordered a certificat for this (sub) domain: portal.xxxx-hotel-fumel.net
portal.xxxx-hotel-fumel.net point internally to 192.168.2.1, which is my OPT1 interface, or : my captive portal.

This used this certificat "portal.xxxx-hotel-fumel.net" to enable https authentication on my portal.
Works for years now ;)

Btw: because they are free, I also ordered a "pfsense.xxxx-hotel-fumel.net" (used on my LAN so it points to 192.168.1.1) so I can access the GUI using https. A bit overkill, I guess (GUI traffic goes only over the trusted LAN) but worth it because I better understand the process now.

felix.wolfsteller

Thanks Gertjan for the more "patient" answer, I think it will help many people. However, minor comments:

@Gertjan:

Free certificates are never entirely free.

Well, free certificates are free - you yourself can create as many of them as you want for any domain you want -, but browsers (and other tools) do not trust them without configuration.

@Gertjan:

Btw: because they are free, I also ordered a "pfsense.xxxx-hotel-fumel.net" (used on my LAN so it points to 192.168.1.1) so I can access the GUI using https. A bit overkill, I guess (GUI traffic goes only over the trusted LAN) but worth it because I better understand the process now.

I disagree, you should always enable encryption (for that, the built-in certificate generation will do fine).

cmb

The PITA part of letsencrypt is the short lifetime. If you want a HTTPS portal, pay for a 1-3 year cert. You can get them for about $9 USD/year. It's too cheap to justify the hassle of replacing the cert 4 times a year. Maybe that'll change at some point if automation for letsencrypt certs is implemented.

It's not possible to have a captive portal with HTTPS that doesn't trigger certificate warnings for intercepted HTTPS connections, if that's what you're asking. Say you get a cert for myportal.example.com, then your redirected HTTP connections will work with no cert warning (because the only HTTPS request is to myportal.example.com). But if you're intercepting, say, https://google.com, you're stuck with a cert error because you can't get a cert for google.com and it's impossible to make the clients request your page instead until after they accept the cert error.

blankphoto

@cmb:

The PITA part of letsencrypt is the short lifetime. If you want a HTTPS portal, pay for a 1-3 year cert. You can get them for about $9 USD/year. It's too cheap to justify the hassle of replacing the cert 4 times a year. Maybe that'll change at some point if automation for letsencrypt certs is implemented.

It's not possible to have a captive portal with HTTPS that doesn't trigger certificate warnings for intercepted HTTPS connections, if that's what you're asking. Say you get a cert for myportal.example.com, then your redirected HTTP connections will work with no cert warning (because the only HTTPS request is to myportal.example.com). But if you're intercepting, say, https://google.com, you're stuck with a cert error because you can't get a cert for google.com and it's impossible to make the clients request your page instead until after they accept the cert error.

These arejust the beta certs, after the bate they want the certs to expire.

Derelict

Nope.

They are intended to be automatically renewed and installed by the system.

https://letsencrypt.org/2015/11/09/why-90-days.html

In addition, the 90-day expiration might keep the CRL manageable.

barrio603

@cmb yes you can buy certs for 3 years, but have to replace them every 14 months. Try doing that on 30 firewalls that is crazy management.

Using Let's encrypt on local captive portal would be a huge savings

Gertjan

@barrio603 said in Is letsencrypt.Org an option for https captive portal?:

would be

Your "would be" became a "must have" half a decade or so.
It's 6 years later now. The acme.sh pfSense package took care of things.