    captive portal certificate update

    • S
      slybreiz
      last edited by

      Hello.

      The certificate on our captive portal is about to expire.

      I have about 50 servers deployed with this certificate.

      How to renew the certificate files on the servers without doing a part one?

      Where are the certificates on the server, in order to make a script to deposit it on the servers?

      Thank you in advance.

      • GertjanG
        Gertjan
        last edited by

        Hi,

        You use a certificate in your captive portal settings.
        Are you really using the same certificate on 50 different (pfSense?) sites / portals ?
        Wow .... the guy who implemented that should reconsider his ideas .....

        Tell him this : the acme package exists.
        Using this package and certs are renewed automatically.

        Btw : You're talking about servers. Are you using the same certificate on those servers ?

        Also : true, you could renew the cert on ONE pfSense site using the acme package.
        Other threads are already discussing how to deploy certificates, these are just files, on other devices (pfSense, or not) but beware : you will not find them in the captive portal forum because your question has nothing to do with the captive portal.

        This question :

        @slybreiz said in captive portal certificate update:

        where are the certificates

        will be answered all by itself because it's mentioned on the settings page of the acme package.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • S
          slybreiz
          last edited by

          yes the same certificate is used on the pfsense.
          they have the same name "HTTPS server name".
          it's a terrena certificate.

          the version of pfsense is 2.0.3

          • F
            free4 Rebel Alliance @slybreiz
            last edited by free4

            @slybreiz said in captive portal certificate update:

            where are the certificates on the server

            in pfsense 2.4.4 (2.0.3 is not supported anymore and has security holes...pls update), each certificate is made of two files :

            /var/etc/cert-{nameOfYourCPzone}-portal.pem
            /var/etc/ca-{nameOfYourCPzone}-portal.pem

            these two files are used by an nginx process (which is the web server for the login page)

            these two files are part of the captive portal and are NOT used by the "System->Cert manager" part of pfsense. they are also automatically erased/rewritten every time you re-configure a captive portal zone (pfSense will re-write the value from "System->Cert manager" in the .pem files every time a captive portal reconfig is done).

            pfSense Cert Manager is using the main .xml config file to store certificates (located in /conf/config.xml)...meaning your script will need to also modify it in order to fully upgrade your certificate

            finally, please note that you will need to restart the captive portal web server (the nginx process) after you changed the certificate, in order to commit/apply your changes

            • GertjanG
              Gertjan @slybreiz
              last edited by Gertjan

              @slybreiz said in captive portal certificate update:

              the version of pfsense is 2.0.3

              I take this back :

              @gertjan said in captive portal certificate update:

              Wow .... the guy who implemented that should reconsider his ideas .....

              2.0.3...... take out the admin and shoot him (take the direction of the organization with you : same treatment ;)
              I understand, no acme package. No fully automated LE certs.
              You have to do everything by hand or scripting - as you did before. The old way.

              As @free4 said : get your certificate - think about buying the one that lasts 3 years ^^
              Import it in the pfSense cert manager.
              Then select it in the captive portal setup.
              Do this 50 times.

              Btw : Just for fun : ask a pure windows XP question on the main Microsoft OS forum . Let me know what happened ^^

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • F
                free4 Rebel Alliance
                last edited by free4

                @slybreiz I would recommend you use PHP in your script to update your certificates:

                • In order to update the certificate in the config file, you could use cert_import() from certs.inc
                • In order to restart the nginx server attached to a captive portal, you could use the service_control_restart() function from service-utils.inc. That function will stop a captive portal zone, re-fetch the certificates from the config, and restart the cp zone.
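The approach described in the last post, as an added example that is not code from the thread or from the pfSense project. It assumes pfSense 2.4.x and that the zone's `certref` in config.xml points at the `refid` of an entry under `cert`; the zone name and file paths are hypothetical, and the `write_config()` call and the argument shapes shown for `cert_import()` and `service_control_restart()` should be checked against the `certs.inc` and `service-utils.inc` on the target firewall. It checks the new pair before touching the config, so a mismatched key or expired certificate never reaches the login page.

```php
<?php
// Added example (not from the thread). Run on the firewall itself,
// e.g. `php -f /root/renew_cp_cert.php`. pfSense 2.4.x is assumed.
require_once("config.inc");         // loads $config and write_config()
require_once("certs.inc");          // cert_import()
require_once("service-utils.inc");  // service_control_restart()

// Hypothetical values: adjust per site.
$zone     = 'guests';
$crt_file = '/root/portal-new.crt';
$key_file = '/root/portal-new.key';

function fail($msg) { fwrite(STDERR, "ERROR: {$msg}\n"); exit(1); }

$crt = @file_get_contents($crt_file);
$key = @file_get_contents($key_file);
if ($crt === false || $key === false) fail("cannot read certificate or key file");

// Refuse a pair that does not match, or a certificate outside its validity
// window: a bad import would take the portal login page down.
if (!openssl_x509_check_private_key($crt, $key)) fail("private key does not match certificate");
$info = openssl_x509_parse($crt);
if ($info === false) fail("certificate is not parseable PEM");
$now = time();
if ($info['validFrom_time_t'] > $now || $info['validTo_time_t'] <= $now) {
    fail("certificate is not currently valid");
}

// Assumed config layout: the zone references its certificate by refid.
if (empty($config['captiveportal'][$zone]['certref'])) fail("zone '{$zone}' has no certificate set");
$certref = $config['captiveportal'][$zone]['certref'];

// Overwrite the referenced Cert Manager entry in place so the zone's
// reference stays valid.
$updated = false;
foreach ($config['cert'] as &$cert) {
    if ($cert['refid'] === $certref) {
        cert_import($cert, $crt, $key);
        $updated = true;
        break;
    }
}
unset($cert);
if (!$updated) fail("no Cert Manager entry with refid {$certref}");

write_config("Captive portal certificate renewed for zone {$zone}");
// Restarting the zone rewrites the /var/etc/*-portal.pem files from the config.
service_control_restart('captiveportal', array('zone' => $zone));
echo "Certificate for zone {$zone} updated, valid until " . date('c', $info['validTo_time_t']) . "\n";
```

If the renewed certificate comes from a different issuing CA, that CA also has to be present in the Cert Manager before the import. Delete the copied key file from the firewall once the import succeeds.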