Captive portal certificate chain



  • Has anyone else had problems with IE7 with the captive portal SSL certificates?  I don't have a windows box but I have seen how ie7 works (or doesn't) with self signed and chained ssl stuff; it seems like a monumental pain since I don't think one can accept certificates permanently. 
    I have a purchased certificate that is valid but requires a certificate chain (what would be something like: ssl.ca-file = "/var/etc/CA_issuing.crt" in /var/etc/lighty-CaptivePortal-SSL.conf).  Would this be something useful to add into the captive portal gui?  I started trolling through the php again to see how hard it would be to add if anyone is interested.  I certainly need it at my location so I'm going to at least give it a whirl.



  • So far seems like the simple  "ssl.ca-file = blah.crt"  in /var/etc/lighty-CaptivePortal-SSL.conf works fine for certificate chaining.  I modified the services_captiveportal.php file to accept the certificate chain stuff... it adds it to the xml file but in the wrong place I think, it's not in the section of the other cert info.
    Does anyone have a decent idea of how the configs are built?  I'm looking at /etc/inc/captiveportal.inc in hopes of setting it up in there but I fear I may not know enough about php... anyone have any pointers?

    nb



  • Not sure I am understanding "chaining" but if you look in /usr/local/www/services_captiveportal.php you can find the code where we store the certificate entered by the user via the webConfigurator.



  • Say I buy a certificate from instantssl (or have my own CA), it's not an accepted certificate since it doesn't come right from thawte or verisign.  IE7 seems to be pretty stupid about these certs.  I like to purchase from instantssl since it's cheaper, and then creating a certificate chain in my httpd which points the browsers up the chain to the correct CA.  It's an edge case really, but I think it's still useful.  I certainly need it since we have some windows/ie7 users here.  I have some of it working, but I'm struggling through it.



  • Oh! Yes, this would be a VERY useful feature.  Just email me with any questions and I'll see what I can do.



  • @sullrich:

    Oh! Yes, this would be a VERY useful feature.  Just email me with any questions and I'll see what I can do.

    Cool.  I actually may have some work cycles that I can dedicate to this since it's related.  I'll probably have some q's for you tomorrow.



  • At the risk of using multiple mechanisms to communicate about the same thing, I have patches that make this work in my environment.  As you know, I sent them to the coreteam@.  I can post them here if others want to see them.

    nb



  • Hi everyone,

    I'm re-opening this thread 'cause it's exactly what I'm looking for  :P

    I already managed to make this "ssl.ca-file" field work for my captive portal by adding it in the "/var/etc/lighty-CaptivePortal-SSL.conf" file and restarting the light_http process. Works great, no more certificate issuer alert in IE or Firefox.

    But on the next reboot of the pfsense box, no more ssl.ca-file field... Arrrgh, is this file dynamically created on boot?

    So I found this thread, but editing the file /etc/inc/captiveportal.inc (if it is this one) frightens me...

    Thanks for all your help you can afford me...

    Benoit.



  • It requires more than just modifying the /etc/inc/captiveportal.inc file.  I had to modify the system.inc and the system_advanced.php page to make it work well enough to put the certificate in the xml and persist across boots.  The lighthttp conf files are rebuilt at each boot from the xml as far as I remember.  I had it all working but an upgrade a while ago broke it and I never got around to fixing it.  It is on my list of things to fix but it may be a while.  I sent my patches to coreteam@ but I dunno if they added them to -HEAD or not.  I can give you my diffs if you want to take a crack at it, else you're at the mercy of my poor time management or someone on coreteam to make it work.
    The poor man's work around could be to write a small shell script to run from cron @boot (but after all the services are started) to add that line to the conf file and restart the process.

    nb

    @gbenoit:

    Hi everyone,

    I'm re-opening this thread 'cause it's exactly what I'm looking for  :P

    I already managed to make this "ssl.ca-file" field work for my captive portal by adding it in the "/var/etc/lighty-CaptivePortal-SSL.conf" file and restarting the light_http process. Works great, no more certificate issuer alert in IE or Firefox.

    But on the next reboot of the pfsense box, no more ssl.ca-file field... Arrrgh, is this file dynamically created on boot?

    So I found this thread, but editing the file /etc/inc/captiveportal.inc (if it is this one) frightens me...

    Thanks for all your help you can afford me...

    Benoit.
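    The "poor man's" boot-time workaround suggested in the reply above, written out as an added example (not code from the thread or from pfSense): it re-adds the ssl.ca-file line only if it is missing, refuses to point lighttpd at a file that is not a PEM bundle, and restarts the portal lighttpd. It assumes the chain lives at /var/etc/cert-chain.crt and that the captive portal lighttpd is started as "lighttpd -f <conf>"; the restart command is a placeholder to adapt to your pfSense version.

```shell
#!/bin/sh
# Added example, not from the thread: re-add the ssl.ca-file directive that
# pfSense drops when it regenerates the captive portal lighttpd config at boot,
# then restart that lighttpd so the chain is actually served.
# Meant to run from cron @reboot after the services are up.
# Assumptions: paths below match the thread; the restart is a placeholder.

CONF="${CONF:-/var/etc/lighty-CaptivePortal-SSL.conf}"
CHAIN="${CHAIN:-/var/etc/cert-chain.crt}"

# ensure_ca_file CONF CHAIN
# Appends  ssl.ca-file = "CHAIN"  to CONF unless an ssl.ca-file line exists.
# Returns 0 if the line was added, 1 if it was already present,
# 2 if CONF is not writable or CHAIN is missing / contains no PEM certificate.
ensure_ca_file() {
    conf="$1"
    chain="$2"
    [ -w "$conf" ] || return 2
    # Sanity check: never hand lighttpd a chain file that holds no certificate
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || return 2
    if grep -q '^ssl\.ca-file[[:space:]]*=' "$conf"; then
        return 1      # already configured (e.g. the GUI feature landed)
    fi
    printf '## certificate chain (added at boot)\nssl.ca-file = "%s"\n' \
        "$chain" >> "$conf"
    return 0
}

# restart_portal_lighttpd CONF  (placeholder, assumption about how pfSense
# launches the portal lighttpd: kill the instance using CONF and relaunch it)
restart_portal_lighttpd() {
    pkill -f "lighttpd -f $1" 2>/dev/null
    /usr/local/sbin/lighttpd -f "$1"
}

# Only act when invoked as:  sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    ensure_ca_file "$CONF" "$CHAIN"
    rc=$?
    case $rc in
        0) restart_portal_lighttpd "$CONF" ;;
        1) echo "ssl.ca-file already present in $CONF" ;;
        *) echo "cannot add chain: check $CONF and $CHAIN" >&2; exit 1 ;;
    esac
fi
```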



  • Buraglio, thanks a lot !!!!!!!

    As I already put the file on the pfsense file system, I just needed to find how to keep the ssl.ca-file in the config file on reboot. Modifying the php web interface file is far from what I'm able to do...

    And you gave me the file I needed : /etc/inc/system.inc.

    Just for information, in case it can afford a temporary solution before the next release incorporating the ssl.ca-file field, here's what I modified in the /etc/inc/system.inc file: I just added the last line:

    $lighty_config .= "## ssl configuration\n";
    $lighty_config .= "ssl.engine = \"enable\"\n";
    $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n";
    $lighty_config .= "ssl.ca-file = \"/path/to/my/cert/mycert.pem\"\n\n";

    So, Buraglio, thanks to you, I succeeded in getting rid of this IE7 scaring alert (and so all other web-browsers of course ;o).

    Thanks !!!!!
    Benoit.



  • Can I get updated patches to commit this feature?



  • I'll try and get something worked out soon.

    nb

    @sullrich:

    Can I get updated patches to commit this feature?



  • Thanks!  e-mail them to coreteam@ if you get it sorted out.



  • Hmm, I'm trying to get this to work again backporting my patches.  Does the modification of /etc/inc/system.inc like you did work for both the /var/etc/lighty-webConfigurator.conf and the /var/etc/lighty-CaptivePortal-SSL.conf?
    Mine works fine for the webgui but not for the Captive portal.  I know it really should be split out into independent options but I want to make it work the way it did originally first and seem to be getting stuck.  Here is what works:

    - webgui configuration of the chain file, storage in the xml, writing it to a file in /var/etc/
    - system.inc building of the /var/etc/lighty-webConfigurator.conf file with correct parameters:

        ## certificate chain
        ssl.ca-file = "/var/etc/cert-chain.crt"

      is appended to the conf file and the file /var/etc/cert-chain.crt contains the chain.

    Here is what is still broken:

    /var/etc/lighty-CaptivePortal-SSL.conf adds

        ## certificate chain
        ssl.ca-file = "/var/etc/1"

    which obviously isn't correct.

    Anyone else wanna take a crack at it as well?  I think it's close.  I attached my diffs.  I'm going to try and keep working on it as well but may get crunched for time.

    nb

    system_advanced.php.diff.txt
    system.inc.diff.txt



  • Well, I only needed the captiveportal-ssl.conf to be filled with the ssl.ca-file field.

    But it seems it has worked for both (see below)

    # pwd
    /var/etc
    # grep ssl.ca-file *
    lighty-CaptivePortal-SSL.conf:ssl.ca-file = "/var/etc/mycert.pem"
    lighty-webConfigurator.conf:ssl.ca-file = "/var/etc/mycert.pem"

    But in the system.inc file, I didn't use the variable as in ssl.pemfile, I directly put the path to my cert file (not very beautiful, ok ;o)):

    $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n";
    $lighty_config .= "ssl.ca-file = \"/var/etc/mycert.pem\"\n\n";

    For your dev, it seems the $cert_location is not understood while making the portal-ssl.conf, but why...



  • That is a fine question...
    I started cleaning up the way it works and have the gui done and working for a unique chain file for the portal and webgui, now all I need to do is make the conf files build correctly and be done with it.

    nb



  • Yeah, it wasn't interpreting the variable.  I changed it to link to the file directly and it works fine.  The file is already written at that point anyway so it shouldn't matter.  Still working on the separation of chain files for system and portal.

    Patches submitted to coreteam@

    nb



  • I think I spoke too soon.  In doing some testing again today, I have found that my mods build the lighttpd files correctly but the redirect no longer works, which is the same behavior I saw before.  Infinitely frustrating.  Back to the code I guess.

