error with https login

  • Hi all.
    I just configured pfSense with captive portal. If I enable https login I have a problem with mobile phones. These devices get stuck connecting and do not work. I don't have a problem with a laptop. If I disable https login it works fine.

  • Hi,

    "https login" : where did the certificate come from ? Self signed ? From Letsencrypt (== acme package) ?
    => Self signed certs should not be used on a captive portal, except if you want to guide every user every time your whole life - and you probably won't. Use "real" certs, or stay away from "https" login mode.

    You are mentioning "mobile phones" but can you be more specific ? iOS (iPad - iPhone, etc) ? Android ? (and so, which age / generation, etc) ?

    All recent devices, even the Microsoft OS's like "10" (and 8 and 7) and "Server", etc will throw out a "hidden http://..." (like your request to see if a known answer comes back. You can see for yourself : : it returns a simple "Success" word. This URL is used by Apple devices.
    If the reply is any different from "Success" then the device (the OS, actually) assumes a portal, and launches a browser for you, so the end user ( == you) can interact with what might be a portal.

    I presume that your device (== OS) throws out " " to detect the presence of a portal, but something didn't work out well.
    I've some good - and bad news : this is probably not a pfSense problem ^^ (try an iPhone, it will work right away ^^).

  • Hi. I imported a public wildcard in pfSense and I created in the DNS forwarder a DNS override for the https hostname. This hostname is the pfSense address.

  • So, when the portal login page comes up, you have the "green lock", right ?

    edit : Btw : I checked my captive portal (pfsense) log files.
    I found many, many URLs like " " because many of my users - portal visitors - use Android devices (or what they are actually - I can't tell). It works for me ... sorry, them.

    You use the default built-in login page ? If not, activate it to test drive.

  • On the laptop I see a verified certificate, but on the mobile phone I receive a warning.

  • Humm.
    I tend to say : the mobile phone does not "contain" the correct list with trusted certificates. This will provoke a big "https == No-go" in this case.

    Options :
    Install / use a certificate that your mobile phone trusts.
    Or :
    If it can be done : upgrade your mobile phone (OS's, when upgrading, also upgrade their trusted certs lists - these change constantly).
    Or :
    Do not use your mobile phone on your portal.

  • I inserted all CRL server and server in the allowed hosts in the captive portal configuration. Now it works fine with https login and mobile phones.
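
The fix reported above lets the certificate's CRL servers through the portal before login. As an added example (not part of the thread and not pfSense code), this Python function lists the revocation and issuer hosts named in a certificate, taking the dict form that `ssl.SSLSocket.getpeercert()` returns; the function name, the sample certificate and all hostnames in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# getpeercert() keys that carry URLs a client may fetch while validating a cert.
URL_FIELDS = {
    "crlDistributionPoints": "CRL",
    "OCSP": "OCSP",
    "caIssuers": "CA issuer",
}

def validation_hosts(cert):
    """Return ({hostname: [purposes]}, [skipped URLs]) for the revocation and
    issuer extensions of a getpeercert()-style dict."""
    hosts = {}
    skipped = []
    for field, purpose in URL_FIELDS.items():
        for url in cert.get(field, ()):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                skipped.append(url)  # e.g. ldap:// CRL points: not a web host
                continue
            # .hostname is already lower-cased, so duplicates collapse here.
            hosts.setdefault(parts.hostname, set()).add(purpose)
    return {h: sorted(p) for h, p in sorted(hosts.items())}, skipped

# Constructed sample in the shape getpeercert() produces for a CA-issued
# certificate. Every name below is a placeholder, not a real CA endpoint.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.portal.example.net"),),),
    "crlDistributionPoints": (
        "http://crl.ca.test/intermediate.crl",
        "ldap://directory.ca.test/cn=CA?certificateRevocationList",
    ),
    "OCSP": ("http://ocsp.ca.test/",),
    "caIssuers": ("http://CRL.ca.test/intermediate.crt",),
}

if __name__ == "__main__":
    allowed, skipped = validation_hosts(SAMPLE_CERT)
    for host, purposes in allowed.items():
        print(f"{host:20} {', '.join(purposes)}")
    for url in skipped:
        print(f"skipped (not http/https): {url}")
```

Intermediate certificates in the chain carry their own CRL and OCSP URLs, so the same function should be run over each certificate in the chain, not only the portal's own.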


  • Adding "" to the allowed host list doesn't seem a good idea to me.
    This URL is probably a member of the http challenge page that the OS is using to check if a portal is present.
    When whitelisting this URL (an IP) the OS will conclude no portal is present, and a direct connection to the net is available. The user will get directed to the captive portal login page when another http request to somewhere else passes by.

    See also
