Netgate Discussion Forum
    Captive portal + https + certificates

    Category: Captive Portal
    8 Posts 3 Posters 6.6k Views
    • CallFromUSA

      Hello,

      I just created a certificate on my pfSense. The reason for this was because I saw that when I go to YouTube or any other https site I cannot connect. But after I created my certificate I get this error in my web browser. What should I do?

      ERROR MESSAGE:

      **Your connection is not secure

      The owner of support.mozilla.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

      This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

      Learn more…

      support.mozilla.org uses an invalid security certificate.

      The certificate is not trusted because it is self-signed.
      The certificate is only valid for internal-ca

      Error code: SEC_ERROR_UNKNOWN_ISSUER**

      • Gertjan

        When YOU create a certificate on your pfSense, YOU could trust this certificate.
        But, by default, your browser doesn't.
        So, tell your browser it's OK by accepting it once.

        What happens is that you go to https://support.mozilla.org via your portal.
        Your portal intercepts the https "call" and gives your browser another page: your https login page with YOUR certificate.
        Your certificate tells a lot to the browser, but one thing will NOT please your browser: your certificate isn't for "support.mozilla.org", but for "internal-ca".

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • CallFromUSA

          @Gertjan:

          When YOU create a certificate on your pfSense, YOU could trust this certificate.
          But, by default, your browser doesn't.
          So, tell your browser it's OK by accepting it once.

          What happens is that you go to https://support.mozilla.org via your portal.
          Your portal intercepts the https "call" and gives your browser another page: your https login page with YOUR certificate.
          Your certificate tells a lot to the browser, but one thing will NOT please your browser: your certificate isn't for "support.mozilla.org", but for "internal-ca".

          The problem is I do not get any accept message in my browser. Also, is this the only way by which https sites can be accessed through pfSense?

          • Derelict LAYER 8 Netgate

            That is because browser manufacturers are protecting users from themselves by making it harder to just click through certificate errors.

            Just turn off https interception. Let those connections hang.

            Two choices:

            1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

            2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

            Every browser manufacturer is doing everything they can to make what you are trying to do harder. Just don't.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • CallFromUSA

              @Derelict:

              That is because browser manufacturers are protecting users from themselves by making it harder to just click through certificate errors.

              Just turn off https interception. Let those connections hang.

              Two choices:

              1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

              2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

              Every browser manufacturer is doing everything they can to make what you are trying to do harder. Just don't.

              Hello, thanks for your reply.

              1) Thanks for this tip. I configured http://www.google.com as the first website for them to go to right after authentication.

              2) Any idea on how to configure the pfSense captive portal so that it can connect to https websites? I am a bit stuck…
              • Gertjan

                @CallFromUSA:

                1) Thanks for this tip. I configured http://www.google.com as the first website for them to go to right after authentication.

                OK.
                So you made it very clear: you didn't understand the issue yet.
                When the Captive Portal becomes 'transparent' (because the user authenticated) there is no more https (SSL) issue.
                The right redirect action would be: redirect them to https://www.google.fr !!

                BEFORE authentication, when the "https" captive portal is used (with YOUR certificate, signed by a recognized authority or by yourself), the browser will find
                YOUR certificate
                or
                The user wants to visit https://his-bank.com (and thus expects to receive a certificate proving that the site is actually "https://his-bank.com").
                Which won't happen, because with the portal you are acting as "a man in the middle" (look this concept up on Wikipedia and you're done),
                and the browser will signal this, whatever you do.

                @CallFromUSA:

                2) Any idea on how to configure the pfSense captive portal so that it can connect to https websites? I am a bit stuck…

                Because you are fighting the SSL end-to-end concept.
                Don't.
                You can't.
                Read again what Derelict stated just above. As soon as you understood it, you're done.


                • Derelict LAYER 8 Netgate
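The interception failure that Derelict and Gertjan describe above, modelled as a short script. This is an added example; it is not pfSense code and was not written by anyone in the thread. It reproduces the two checks a browser runs on the certificate the portal hands back (is the issuer trusted? is the certificate valid for the requested name?) and the HSTS rule that removes the "accept it once" exception, then evaluates the thread's cases: the self-signed "internal-ca" certificate intercepting support.mozilla.org, the same interception on a site without HSTS, the portal served under its own name with a CA-issued certificate, and what happens to the user's bank once that portal CA has been installed as trusted. The trust store, the HSTS entry for mozilla.org with includeSubDomains (the error page quoted above only says that HSTS applies to support.mozilla.org), and the names portal.example.net, www.his-bank.example and "Example Public Root CA" are all constructed for the demonstration.

```python
"""What a browser does when a captive portal intercepts an HTTPS request.

Added example; not pfSense code and not something the posters wrote. It models
the checks the replies above describe (trusted issuer? certificate valid for
the requested name?) plus the HSTS rule that removes the "accept it once"
button. Every certificate, the trust store and the HSTS list are constructed
here for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer_cn: str
    sans: tuple = ()          # subjectAltName dNSName entries
    self_signed: bool = False


def hostname_matches(cert: Cert, host: str) -> bool:
    """RFC 6125-style name check. Names come from the SAN list; the subject CN
    is used only when there is no SAN at all (the fallback older browsers such
    as the Firefox in this thread still applied). A wildcard matches exactly
    one left-most label and never the bare base domain."""
    host = host.lower().rstrip(".")
    names = [n.lower() for n in cert.sans] or [cert.subject_cn.lower()]
    labels = host.split(".")
    for name in names:
        if name.startswith("*."):
            if len(labels) >= 3 and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def hsts_applies(host: str, hsts: dict) -> bool:
    """hsts maps a domain to its includeSubDomains flag, the way a browser's
    HSTS cache or preload list would."""
    host = host.lower()
    for domain, include_sub in hsts.items():
        if host == domain or (include_sub and host.endswith("." + domain)):
            return True
    return False


def browser_verdict(cert: Cert, host: str, trust_store: set, hsts: dict):
    """Return (verdict, errors). verdict is 'ok', 'warning' (the user can still
    click through and accept the certificate once) or 'blocked' (HSTS: no
    exception can be added, which is the page the original poster saw)."""
    errors = []
    if cert.self_signed or cert.issuer_cn not in trust_store:
        errors.append("SEC_ERROR_UNKNOWN_ISSUER")
    if not hostname_matches(cert, host):
        errors.append("SSL_ERROR_BAD_CERT_DOMAIN")
    if not errors:
        return "ok", errors
    return ("blocked" if hsts_applies(host, hsts) else "warning"), errors


# --- constructed data (assumptions, not taken from the thread) -------------
PUBLIC_ROOTS = {"Example Public Root CA"}   # stands in for the browser root store
HSTS = {"mozilla.org": True}                # assumed: HSTS with includeSubDomains
PORTAL_CERT = Cert("internal-ca", "internal-ca", self_signed=True)  # the thread's cert
PORTAL_HOST_CERT = Cert("portal.example.net", "Example Public Root CA",
                        sans=("portal.example.net",))
# a certificate the portal CA could mint for a bank if it were ever trusted
FORGED_BANK_CERT = Cert("www.his-bank.example", "internal-ca",
                        sans=("www.his-bank.example",))


def scenarios() -> dict:
    """The cases discussed in the thread, reduced to their verdicts."""
    return {
        # 1. what the original poster hit: intercepting https://support.mozilla.org
        "hsts_site_intercepted": browser_verdict(
            PORTAL_CERT, "support.mozilla.org", PUBLIC_ROOTS, HSTS)[0],
        # 2. same interception on a site without HSTS: a warning the user can click through
        "plain_site_intercepted": browser_verdict(
            PORTAL_CERT, "www.example.org", PUBLIC_ROOTS, HSTS)[0],
        # 3. the portal served on its own name with a CA-issued cert (option 1:
        #    the user reaches it through the http redirect, nothing is intercepted)
        "portal_own_name": browser_verdict(
            PORTAL_HOST_CERT, "portal.example.net", PUBLIC_ROOTS, HSTS)[0],
        # 4. why trusting the portal CA is dangerous: once it is in the store it
        #    can impersonate any site, the bank included
        "bank_after_trusting_portal_ca": browser_verdict(
            FORGED_BANK_CERT, "www.his-bank.example",
            PUBLIC_ROOTS | {"internal-ca"}, HSTS)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32} {verdict}")
```

Running it prints blocked, warning, ok, ok in that order: the first line is the page the original poster saw, the second is the "accept it once" case Gertjan had in mind, the third is the only clean way to serve the portal over https, and the last is Derelict's point about what installing the portal certificate as trusted does for the user's bank.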

                  Two choices:

                  1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

                  2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

                  Third choice:

                  3. Disable captive portal. Let the users connect and go.


                  • CallFromUSA

                    @Derelict:

                    Two choices:

                    1. Let connections to https sites hang and make your users have to connect to an http site to get the portal page.

                    2. Intercept https connections, display your portal page, and deal with all the ramifications of being an https man-in-the-middle with certificate errors, browser protections, installing your certificate as trusted for your user's bank because they clicked the wrong thing, HSTS, pinned certificates, etc.

                    Third choice:

                    3. Disable captive portal. Let the users connect and go.

                    Thanks, I took option 1. I added https://google.fr and it works.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.