Captive portal in Pfsense 2.1 + external SSL which needs certificate chain



  • Hello All,

    I have a captive portal implementation with PFSense 2.1. For that, we issued a startssl cert, but all browsers warn about a wrong certificate.

    I've tried to import the certificate chain file but it is never parsed as such. That is, the lighty conf file is never generated with the line:

    $lighty_config .= "ssl.ca-file = \"/path/to/my/cert/mycert.pem\"\n\n";

    I guess this would be possible only using the web configurator, but I've tried all combinations I imagined … without success.

    Also, I'm sure this would be possible by modifying *.inc files but I cannot figure out how to do this, because I cannot understand related functions and cannot find documentation about this.

    Please, does someone have the correct procedure for Pfsense 2.1 or code patches to be applied to *.inc files?

    Thank you very much

    Best!



  • Hi,

    @JuanjoAI:

    I have a captive portal implementation with PFSense 2.1. For that, we issued a startssl cert, but all browsers warn about a wrong certificate.

    I've tried to import the certificate chain file but it is never parsed as such. That is, the lighty conf file is never generated with the line:

    I guess you must do it the pound/mailserver way and I have implemented it for pfSense OpenVPN in some equivalent way…

    You must load your "cert" not only with your cert, but also with the intermediate cert(s).

    Important is the sequence...
    In the browser you see the structure toplevel -> intermediate (1..n) -> final cert.
    In this "file" it must be the other way round... final cert -> intermediate (n..1).
    The root CA itself must be available/implemented in all browsers and so is not needed in this chain.



  • Hello!

    Many thanks for your help. Finally, with pfSense 2.1 I need to:

    • Import StartSSL CA certificate in CAs section of System -> Certificate Manager

    • Import StartSSL Class1 Server CA certificate in CAs section of System -> Certificate Manager

    • Import StartSSL issued certificate for us & private key in Certificates section of System -> Certificate Manager

    Then you can configure a captive portal using the issued certificate and the browser will not complain about certificate errors. The automatically generated lighty configuration file is OK:

    ssl.pemfile = "/var/etc/cert-wifi_corp_zone-portal.pem"

    ssl.ca-file = "/var/etc/ca-wifi_corp_zone-portal.pem"

    All the best!

    JuanjoAI

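Reiner030's ordering rule (server cert first, then the intermediates, root left out) and the three-part import JuanjoAI ended up with, as an added example that is not from this thread or from pfSense: a small Python script that takes a PEM bundle in any order and sorts it into the chain lighttpd expects, by linking each certificate's issuer name to the next certificate's subject name. It parses only as much DER as is needed to read issuer and subject; fake_cert builds constructed, unsigned stand-ins for testing, and the CN strings and portal hostname are placeholders.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                    # read one DER tag-length-value -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: low 7 bits = number of length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def names(cert_der):                   # -> (issuer, subject) as raw DER Name bodies
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)       # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip optional [0] EXPLICIT version
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...

def order_chain(pem_text):
    """DER certs leaf-first, then each issuing intermediate; a self-signed root is left out."""
    info = [(d, *names(d)) for d in (base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text))]
    issuers = {iss for _, iss, _ in info}           # every name that issued something in the bundle
    leaves = [c for c in info if c[2] not in issuers]   # the leaf issued nothing in the bundle
    if len(leaves) != 1:
        raise ValueError("bundle must contain exactly one end-entity certificate")
    chain, cur = [], leaves[0]
    while cur[1] != cur[2]:            # self-signed = root: browsers ship it, so stop before it
        chain.append(cur[0])
        nxt = [c for c in info if c[2] == cur[1]]   # the cert whose subject is our issuer
        if not nxt:                    # issuer not in the bundle: assumed to be a trusted root
            break
        cur = nxt[0]
    return chain

def to_pem(ders):                      # the text to paste into the pfSense certificate fields
    return "".join("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
                   % base64.encodebytes(d).decode() for d in ders)

def _der(tag, body):                   # minimal DER encoder, used only for the constructed test certs
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def fake_cert(subject_cn, issuer_cn):  # constructed, unsigned stand-in with the real field order
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigAlg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))                  # issuer, validity, subject
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Feeding the output of order_chain to to_pem gives a bundle in "final cert -> intermediate (n..1)" order; a bundle with a missing intermediate simply ends early, which is the case the browsers in this thread complained about.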



  • I had this same issue with alphaSSL.

    One thing to note is that if you put the correct certificate pair in, the "Issuer" column on the certificate page will be filled in with the CA that you added. I had pasted in the wrong CA and clients were still getting a certificate error because "Issuer" was listed as "external".

    This is pretty high on the search results so hopefully this info helps someone else.



  • check this sticky post … it explains the process fairly well
    https://forum.pfsense.org/index.php?topic=63791.0



  • To solve this issue forever you must add the CA cert to Pfsense GUI and restart the Captive Portal Services

    Step: Cert Manager --> CAs Tab --> Create a new record --> fill up "Certificate data" with CA Cert --> use IE or FireFox to test https url

    Note: don't use Chrome because it can handle this case

