    Captive portal in Pfsense 2.1 + external SSL which needs certificate chain

      JuanjoAI:

      Hello All,

      I have a captive portal implementation with pfSense 2.1. For that, we issued a StartSSL cert, but all browsers warn about a wrong certificate.

      I've tried to import the certificate chain file, but it is never parsed as such. That is, the lighty conf file is never generated with the line:

      $lighty_config .= "ssl.ca-file = \"/path/to/my/cert/mycert.pem\"\n\n";

      I guess this would be possible only using the web configurator, but I've tried all combinations I imagined … without success.

      Also, I'm sure this would be possible by modifying *.inc files but I cannot figure out how to do this, because I cannot understand related functions and cannot find documentation about this.

      Please, does someone have the correct procedure for pfSense 2.1, or code patches to be applied to the *.inc files?

      Thank you very much

      Best!

        Reiner030:

        Hi,

        @JuanjoAI:

        I have a captive portal implementation with pfSense 2.1. For that, we issued a StartSSL cert, but all browsers warn about a wrong certificate.

        I've tried to import the certificate chain file, but it is never parsed as such. That is, the lighty conf file is never generated with the line:

        I guess you must do it the pound/mailserver way and I have implemented it for pfSense OpenVPN in some equivalent way…

        You must load your "cert" not only with your cert, but also with the intermediate cert(s).

        Important is the sequence...
        In the browser you see the structure toplevel -> intermediate (1..n) -> final cert.
        In this "file" it must be the other way... final cert -> intermediate (n..1).
        The root CA itself must be available/implemented in all browsers and so is not needed in this chain.

          JuanjoAI:
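The ordering rule in the reply above (leaf first, then each intermediate issued by the one that follows, root left out) can be checked mechanically before a bundle is handed to lighttpd, pound or pfSense. The following is an added example, not code from this thread or from pfSense: it splits a PEM bundle, pulls the DER-encoded issuer and subject Name out of each certificate with a minimal ASN.1 reader, and flags any link where issuer(i) differs from subject(i+1), plus a self-signed root at the end. The certificates it runs on are constructed toy fixtures (correct TBSCertificate layout, dummy algorithm and signature bytes, made-up CN values); the parser itself works on real certificates too.

```python
# Added example (not from the forum thread or from pfSense): checks that a PEM
# bundle is in server order. All names and fixtures below are constructed.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Split a PEM bundle into DER blobs, preserving file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def names_from_der(der):
    """Return (issuer, subject) as the raw DER Name encodings of an X.509 cert."""
    _, cert, _ = _read_tlv(der, 0)      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)      # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                  # explicit [0] version, optional
        _, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)     # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _read_tlv(tbs, pos)     # validity
    start = pos
    _, _, pos = _read_tlv(tbs, pos)     # subject Name
    return issuer, tbs[start:pos]


def check_chain_order(pem_bytes):
    """Return a list of problems; empty means leaf first, each cert issued by
    the next one, and no self-signed root at the end of the bundle."""
    certs = [names_from_der(d) for d in pem_to_der_list(pem_bytes)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer(i) must equal subject(i+1)
            problems.append(f"cert #{i} was not issued by cert #{i + 1}: wrong order or missing link")
    last_issuer, last_subject = certs[-1]
    if len(certs) > 1 and last_issuer == last_subject:
        problems.append(f"cert #{len(certs) - 1} is self-signed: the root does not belong in the bundle")
    return problems


# --- constructed fixtures: tiny DER encoder, unsigned certificates ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def toy_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned certificate: good for an ordering check only."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    dummy_bits = _tlv(0x03, b"\x00" * 9)  # BIT STRING placeholder for key / signature
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, alg + dummy_bits))
    return _tlv(0x30, tbs + alg + dummy_bits)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


ROOT = toy_cert("Example Root CA", "Example Root CA")
INTER = toy_cert("Example Class1 Server CA", "Example Root CA")
LEAF = toy_cert("portal.example.net", "Example Class1 Server CA")

SERVER_ORDER = to_pem(LEAF) + to_pem(INTER)               # what the server file needs
BROWSER_ORDER = to_pem(INTER) + to_pem(LEAF)              # top-down view as a browser shows it
WITH_ROOT = to_pem(LEAF) + to_pem(INTER) + to_pem(ROOT)   # root is redundant in the bundle

if __name__ == "__main__":
    for label, bundle in [("server order", SERVER_ORDER), ("browser order", BROWSER_ORDER),
                          ("with root", WITH_ROOT)]:
        print(label, "->", check_chain_order(bundle) or ["ok"])
```

Comparing the DER bytes of the Name fields is the same test a TLS library applies when it links a chain, so a bundle that passes here will be presented in the order clients expect; it says nothing about signatures or validity, which the server or `openssl verify` still has to check.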

          Hello!

          Many thanks for your help. Finally, with pfSense 2.1 I need to:

          • Import the StartSSL CA certificate in the CAs section of System -> Certificate Manager

          • Import the StartSSL Class1 Server CA certificate in the CAs section of System -> Certificate Manager

          • Import the StartSSL issued certificate for us & private key in the Certificates section of System -> Certificate Manager

          Then you can configure a captive portal using the issued certificate and the browser will not complain about certificate errors. The automatically generated lighty configuration file is OK:

          ssl.pemfile = "/var/etc/cert-wifi_corp_zone-portal.pem"

          ssl.ca-file = "/var/etc/ca-wifi_corp_zone-portal.pem"

          All the best!

          JuanjoAI

            miken32:

            I had this same issue with alphaSSL.

            One thing to note is that if you put the correct certificate pair in, the "Issuer" column on the certificate page will be filled in with the CA that you added. I had pasted in the wrong CA and clients were still getting a certificate error because "Issuer" was listed as "external".

            This is pretty high on the search results so hopefully this info helps someone else.

              heper:

              check this sticky post … it explains the process fairly well
              https://forum.pfsense.org/index.php?topic=63791.0

                letonphat1988:

                To solve this issue forever you must add the CA cert to the pfSense GUI and restart the Captive Portal service.

                Steps: Cert Manager --> CAs tab --> Create a new record --> fill in "Certificate data" with the CA cert --> use IE or Firefox to test the https URL

                Note: don't use Chrome because it can handle this case
