Captive Portal "Cannot Verify Server Identity" on non-https



  • I do not use an https captive portal page, just http.

    Recently, users are saying their iPhones/iPads are prompting the "Cannot Verify Server Identity" popup, with Cancel, Details, Continue.

    I have a couple of sites with pfSense, but so far just one reporting this.

    Any ideas?

    Thanks :-)



  • Hi,

    It seems to me that this is not a pfSense issue.

    Throw "Cannot Verify Server Identity" into Google and check out the first several links.
    You discover that:
    It really looks like it's iOS 8 related ... (which isn't being used any more ... so does this concern old "i" devices?)
    It has to do with certificates that the iDevice can not check - certificate too old - not valid - ... etc. The certificate authority went south?
    Other reason why the device couldn't contact the CA if needed?
    Also: the "device OS", like any basic navigator on a PC, contains a list with worldwide known main CAs. Their 'derived' certificates are trusted.
    If a certificate doesn't match its URL, is expired, or being withdrawn, or whatever, well, the error pops up. And that's normal. It happens a lot btw... even very big companies manage to keep an old (expired) certificate on their site ... From that point, it will 'rain' errors all over the world.
    This means that all works as it should - except for the guy that manages the site ^^

    When a visitor has authenticated against the CP, it - the CP - becomes completely transparent, like any other router that handles ALL your traffic.
    But: I presume that you DO NOT use the CP firewall to block certain CAs on the net. When I start to block all the IPs from the CA Verisign (example, may exist), well, then my iPhone (and all devices for that matter) start to pop these messages ("Cannot Verify Server Identity") all over the place.



  • Thanks.

    There are three sites. Three pfSense firewalls, all using a simple captive portal.

    The users reporting this all have iPhone 6's, and they only see it at one of the three sites. iPhone 5's don't seem to be affected, all being on the latest iOS.

    I need to get a screenshot from one of the users from the "details" page before they accept the warning.

    The CP doesn't have a cert, and is not https. Are you saying that the warning may be generated anyway? Or is it because the user is trying to access an https site before the CP is triggered?



  • Read https://forum.pfsense.org/index.php?topic=116386.msg645311#msg645311 to see how things should work.

    I didn't see a different behavior among several iPhone versions (4S, 5, 5S, 6, 6 Plus, several iPads, etc. - all running the latest version - 9.3.5 - with default network settings).

    As soon as an Apple device user accepts a Wifi network, it should receive a popup navigator. They can authenticate.
    After that, only your portal's GUI firewall determines what goes through.

    Also, check what is in between "pfSense" and "Internet".

    Once connected, the pfSense 'portal' isn't any different from the free portal access at McDonalds ... (depends what you put in the firewall)



  • OK.

    I think what must be happening is the user is not selecting the WiFi network on their iPhone. It is automatically connecting to the WiFi itself, as it remembers it, but doesn't pop the automatic captive portal browser using the http://captiveportal.apple.com, as the user isn't actively using their phone. The user then opens a browser to do something, visiting an https page, causing the error?

    If the user connected to an http page, the portal would work correctly.

    I need to have a play to try to replicate the error, just seems odd that every user to report the problem has been using an iPhone 6.
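One way to test the theory above (an https request hitting the portal before authentication) from a laptop on the same WiFi, as an added example that is not part of this thread or of pfSense: fetch Apple's plain-http connectivity probe (assumed here to be http://captive.apple.com/hotspot-detect.html, which answers with a body containing "Success" on an open network) without following redirects, and classify what comes back; then do the same for an https URL and map the TLS failure to a cause. The response classification is a pure function, so it can be checked offline on constructed responses.

```python
"""Diagnose whether a captive portal is intercepting http and/or https traffic."""
import ssl
import urllib.error
import urllib.request

# Apple's connectivity probe (assumption: unchanged); unfiltered networks
# return an HTML body containing "Success", a portal answers with a 302 to
# its login page or rewrites the body.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"


def classify_http(status, location, body):
    """Classify a probe response as 'open', 'portal-redirect' or 'portal-rewrite'."""
    if status in (301, 302, 303, 307, 308) and location:
        return "portal-redirect"      # the CP sent us to its login page
    if status == 200 and b"Success" in body:
        return "open"                 # Apple's real answer came back
    return "portal-rewrite"           # 200 but not Apple's content


def classify_tls_error(exc):
    """Map the failure of an https fetch to a likely cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Portal answered a TLS handshake for a name it holds no valid cert
        # for: this is what iOS surfaces as 'Cannot Verify Server Identity'.
        return "cert-mismatch"
    if isinstance(exc, (ConnectionRefusedError, TimeoutError)):
        return "blocked"              # traffic dropped, no interception
    return "other"


def probe(url=PROBE_URL, timeout=5):
    """Fetch url without following redirects and return a classification."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None               # turn 3xx into an HTTPError we inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_http(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:
        return classify_http(err.code, err.headers.get("Location"), err.read())
    except urllib.error.URLError as err:
        return classify_tls_error(err.reason)


if __name__ == "__main__":
    print("http :", probe())                                   # expect 'portal-redirect' before login
    print("https:", probe("https://captive.apple.com/hotspot-detect.html"))
```

Running it before authenticating at the portal shows the http probe being redirected while the https probe fails with a certificate error, which matches the popup the iPhone users see.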