Re: Captive portal https certificate error

For guest authentication are you using Hotspot or external portal server?

Re: Captive portal https certificate error


@GeeD3 wrote:

same issue here. i see the cert warning as soon as I connect to our guest network (and before the portal sign in page appears).


It sounds like you have "Redirect https" checked in your guest network settings.  Your device goes to https://somesite.com after connecting to the guest network via Wi-Fi and getting a lease and IP address, it gets redirected to your portal page, and your browser freaks when it finds a cert that is not for https://somesite.com but rather for your portal page at, for instance, https://yourportal.com:8443/guest/s/default/ or, even worse, a naked IP address https://192.168.1.10:8443/guest/s/default.  There is no fix for this, because this is properly dealing with a man-in-the-middle attack.

 

What you need to do is uncheck "Redirect https" and make sure your portal has a proper signed SSL certificate on it that is being accessed via the name in the cert (DNS needs to be right for this).  Also make sure that "Use secure portal" is checked and the URL for your portal is set w/ the matching name in your cert.

 

Do you really need the secure portal?  If just requiring click through of an AUP I would think not.  If using credit cards, then absolutely.

 

With the above guest network settings, when a device such as Android, iOS, a recent Linux desktop or Windows 10 connects to the guest network, it accesses a predefined site (each of these uses its own) over an http connection (NOT https) and checks whether that results in a redirect.  When it does get redirected (no security problem here, since no https is being used to test for being behind a portal), the device takes the redirect to the secure portal page, now making an https connection to your portal page using the proper URL.  At that point the browser checks that the cert is valid (and it will be, provided the name used to access your portal matches the CN (common name) in your cert and it's properly signed by a cert service whose root the device has built in) and brings up the portal page with a proper lock shown that security is good to go, and the user can sign up w/ credit card or voucher or click your acceptable use policy etc. to get on.

 

If you do the above, your users will perceive a seamless experience and rest assured the portal page is secure.

 

Hope this helps.

 

It's frustrating to see people bashing UBNT about not fixing this, when time and time again it's been discussed above that there is no fix to redirecting https on a device's initial browse action after connecting to a guest network.  All reasonably recent devices deliberately check w/ a simple http connection if they are behind a portal and do the right thing if the controller is set up right.  It can be a pain getting the cert onto the controller, but otherwise the setup is pretty painless IMHO using the guest network settings.

 

There are screenshots of both Android and iOS doing seamless guest network portal sign-ins shown in this howto.  This is how I have things setup at several campgrounds that people buy service w/ a credit card or sign in w/ a voucher.

 

https://community.ubnt.com/t5/UniFi-Wireless/HOWTO-Install-Signed-SSL-Certificate-on-Cloudkey-and-us...

 

Good luck!

 

Re: Captive portal https certificate error

Thank you for the thorough reply! I will uncheck "redirect https" and uncheck "use secure portal" as it's for in-home/residential use. Hopefully that resolves it, although I have seen some issues with Chrome timing out the connection.
Re: Captive portal https certificate error


@GeeD3 wrote:
Thank you for the thorough reply! I will uncheck "redirect https" and uncheck "use secure portal" as it's for in-home/residential use. Hopefully that resolves it, although I have seen some issues with Chrome timing out the connection.

This is a good approach for a home portal.  It only redirects http which will trigger the connection to the portal when the phones check if they are behind a portal by making a connection to http://connectivity-check.xyz.com or similar and then the phone will go to the plain http version of your portal which can be just an IP address such as http://192.168.0.7/guest/s/default which the controller will happily serve over plain http.  No warning and seamless portal setup.

 

Cheers.

 

Re: Captive portal https certificate error

Thank you for this firefi, will do and observe.
Re: Captive portal https certificate error


I am torn between redirect https and not.

 

Thing is, https redirect will cause an error, yes.  However, google chrome can detect that a hotspot portal is required but it will not offer to send you there unless you turn on https redirect.  

 

Windows 10 redirecting to the captive portal page can be hit or miss.  Sometimes it does it, sometimes it doesn't.  This is especially a problem when the device auth expires and they need to go back to the portal to re-verify.

 

I tried to set up a secure portal w/ a legit public cert and then turn on https redirection and ran into issues.  Since the device doesn't have internet access it's not verifying the legit certificate.  The intermediate is not shown, although it works fine when the internet is active.  I am not sure though: is this an issue that it can't check for revocation, or is it an issue with my intermediate certs?  I did install the PositiveSSL bundle so I am not sure.

 

I think getting the secure portal working w/ https redirection might be the best bet because even though it won't redirect when the person visits the first https site, I noticed Edge will pop up another window with the portal but it doesn't when secure portal is not enabled.

 

EDIT: After some more testing, I don't think using secure portal matters or not.  However, I see no reason to turn off redirect https.  With redirect https turned off, they won't get a cert error but instead they just get an internet down message.  At least with https redirect turned on, Edge will open the portal page in a new tab on the latest version of Windows 10 and Google will prompt to log in using the portal.  With https redirect turned off they just get nothing.  With so many sites defaulting to https now, I feel leaving https redirect turned on is the only option.

 

The problem is the user usually will see the cert error and just give up and call help desk which sucks.

 

How are enterprise level systems handling this, like the big Cisco ones?  They don't have this issue; I've used them at large corporations in a BYOD situation, so I had no certs etc. installed on my device, yet I didn't get errors when I tried to visit an https site before authenticating.

 

 

Re: Captive portal https certificate error

@mike240se A couple of recommendations:

  • install the SSL cert together with the intermediate certs, otherwise clients will not be able to validate the cert
  • use this tool to check the full cert chain:
  • https://www.geocerts.com/ssl-checker

Also make sure to enable these options:

Use Secure Portal
Redirect using hostname
 
Best leave the Enable HTTPS Redirection option disabled.
Re: Captive portal https certificate error


@slooffmaster wrote:

@mike240se A couple of recommendations:

  • install the SSL cert together with the intermediate certs, otherwise clients will not be able to validate the cert
  • use this tool to check the full cert chain:
  • https://www.geocerts.com/ssl-checker

Also make sure to enable these options:

Use Secure Portal
Redirect using hostname
 
Best leave the Enable HTTPS Redirection option disabled.

 

Thanks as always with the reply Sloof.  

 

I believe the issue I was having is that I was testing it on a brand new VM that had never connected to the internet.  I believe that since it couldn't connect to the internet and never had connected, it couldn't download the CRL to see if the certificate had been revoked, but I am not 100% sure.

 

I tested it again after it had gone online and it had no issues with the certificate of the UniFi portal.  Unfortunately since this is an internal only server, I can't use the SSL checker website tools to confirm, but when I open the portal and UniFi controller it says the certificate is valid and properly shows the certificate chain and shows the intermediate certs in the chain without issue.

 

That being said, what is really the point of using secure portal and redirect using hostname if I am turning https redirect off?  I don't need actual SSL for my portal because it's not exchanging confidential info like credit cards.  Is there some way this will help with the errors?

 

As I mentioned in my previous post, it seems it's actually better to leave https redirect turned on because at least then Chrome will tell you to open the portal when you visit an https site and Edge will show an error but also open the portal in another tab.  If you turn https redirect off it seems even worse: the user just sees internet not connected errors and Chrome won't give them the button to open the portal and Edge won't open another tab.  (These seem like they would at least give a better chance of the user seeing the portal than if not.)

 

The problem is so many sites now default to https like google that this is going to be more and more of an issue.  It seems we rely almost solely on the client device recognizing the portal is required and opening it now.

 

thanks.

Re: Captive portal https certificate error


@mike240se wrote:

[quoted in full in the post above]
 

The https redirect only redirects clients' initial request to some site and redirects them to the portal which will cause a browser error since you requested say https://google.com and got your portal which is exactly what SSL is designed to prevent!

 

You still want a cert for your portal, and the idea is that when a device connects to your guest network, the device does a regular http request (without you even having your browser open) to a known site (Android uses http://connectivity-check.static.something, I don't remember the exact site) to see if it is behind a portal and, if so, accepts the redirect to https://yourcontroller.domain.com:8443/guest/s/default/.  It is THIS request to your portal that is https based and should have a proper certificate for the common name (domain name) of your controller, so your browser on your device at that point trusts the portal page and any credit card transaction or voucher use will be over a secure setup.

 

@slooffmaster  settings above are exactly what I use and it works great with modern devices that know to check for a portal automatically with a plain http request.  If you leave https redirect on, it will just confuse people and w/ today's devices doing the check automatically with http you just don't need it!  You seem to think the device's request to some https site initially via browser once connected is somehow tied to sending you to the portal -- this is exactly what we avoid and devices handle it by checking after connecting to a guest network w/o you having to surf at all by visiting a known plain http site and allowing the redirect to your https secured portal.

 

Hope this helps clarify.

 

Re: Captive portal https certificate error

UniFi Controller 5.10.17 on Windows 10 Machine.

I have created a subdomain (unifi.example.de) and the provider has automatically issued me a Lets Encrypt certificate.

I have a PRIVATE KEY, the CERTIFICATE and a INTERMEDIATE CERT.

You need the following programs:

Keystore Explorer and OpenSSL

 

Step 1: create a text file "C:\Program Files\OpenSSL-Win64\bin\unifi.txt" with the private key, the certificate and the intermediate cert, like this:

-----BEGIN PRIVATE KEY-----
text text text
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
text text text from Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
text text text from intermediate Cert
-----END CERTIFICATE-----

 

Step 2: Start C:\Program Files\OpenSSL-Win64\bin\openssl.exe as admin and run the following command:

pkcs12 -export -in unifi.txt -out unifi.p12

 

Step 3:

Open the keystore file from UniFi in KeyStore Explorer (password: aircontrolenterprise)

C:\Users\%USER NAME%\Ubiquiti UniFi\Data

 

Step 4: Import Key Pair

C:\Program Files\OpenSSL-Win64\bin\unifi.p12

Password is aircontrolenterprise and Alias "unifi"

If it asks to overwrite click 'YES' -> Restart Controller

 

Step 5: Settings on UniFi Controller

Use Secure Portal - YES

Redirect Using Hostname: https://unifi.example.de

 

Step 6: DNS Settings

C:\Windows\System32\drivers\etc\hosts

IP address     Hostname "unifi.example.de"

and if necessary, set the dns settings in your router.

 

At first I forgot the intermediate cert and got an error in Google Chrome on mobile devices (Android).

After I added the cert to unifi.txt the error disappeared.
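The same procedure as a script, together with the two checks recommended earlier in the thread: that the chain validates through the intermediate (the error above) and that the name clients use for the portal actually matches the certificate (the naked-IP problem). This is an added example, not code from the post or from Ubiquiti. It assumes openssl (1.1.1 or newer) and keytool are on PATH (the post uses openssl.exe and the KeyStore Explorer GUI instead), uses the default keystore password aircontrolenterprise and alias unifi quoted in the post, and builds a throwaway root/intermediate/leaf chain for the placeholder unifi.example.de so it runs without a real certificate. For a real deployment call build_pkcs12 and import_into_keystore with your own key, leaf cert, intermediate and the controller's keystore file, then restart the controller as the post says.

```shell
#!/bin/sh
# Added example: bundle key + cert + intermediate, check chain and name, then
# load the key pair into a UniFi-style keystore with openssl and keytool.
# Assumptions: openssl (>= 1.1.1) and keytool on PATH; alias and password are
# the controller defaults quoted in the thread; unifi.example.de is a placeholder.

ALIAS=unifi
STOREPASS=aircontrolenterprise

# Same layout as unifi.txt in the post: private key, leaf cert, intermediate.
# openssl picks the cert matching the key and carries the rest as the chain.
# 3DES/SHA-1 PBE is chosen only so the older JRE bundled with the controller
# can read the file; it never leaves the controller host.
build_pkcs12() {   # key.pem cert.pem intermediate.pem out.p12
    bundle="${4%.p12}.pem"
    cat "$1" "$2" "$3" > "$bundle"
    openssl pkcs12 -export -in "$bundle" -inkey "$1" -name "$ALIAS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$STOREPASS" -out "$4"
}

# Leaf must validate through the intermediate up to a trusted root. Without
# the intermediate (-untrusted) this fails, which is what clients see when
# the controller serves the leaf alone.
check_chain() {    # cert.pem intermediate.pem root.pem
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# The name in the portal URL must match the certificate's SAN/CN. A naked IP
# in the redirect fails this even when the chain is perfect.
check_name() {     # cert.pem hostname-or-ip
    case "$2" in *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac
    openssl x509 -in "$1" -noout "$opt" "$2" | grep -q " does match "
}

# Equivalent of "Import Key Pair" in KeyStore Explorer; overwrites alias unifi.
# Real target: the keystore file in the controller data directory (the post's
# Windows path above).
import_into_keystore() {   # bundle.p12 keystore
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destkeystore "$2" -destalias "$ALIAS" \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" >/dev/null 2>&1
}

# Constructed test material only: throwaway root -> intermediate -> leaf chain.
make_test_material() {   # dir
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:unifi.example.de\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=unifi.example.de" \
        -keyout "$d/unifi.key" -out "$d/unifi.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/unifi.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/unifi.pem" 2>/dev/null
}

# Runs the whole procedure on the test chain; exit 0 means every check passed.
run_demo() {
    d=$(mktemp -d) || return 1
    make_test_material "$d" || return 1
    build_pkcs12 "$d/unifi.key" "$d/unifi.pem" "$d/int.pem" "$d/unifi.p12" || return 1
    check_chain "$d/unifi.pem" "$d/int.pem" "$d/root.pem" || return 1
    check_name "$d/unifi.pem" unifi.example.de || return 1
    if check_name "$d/unifi.pem" 192.168.1.10; then return 1; fi   # must NOT match
    import_into_keystore "$d/unifi.p12" "$d/keystore" || return 1
    keytool -list -keystore "$d/keystore" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | grep -q PrivateKeyEntry
}
```

check_chain with only the root and no -untrusted reproduces the "works online, fails offline" symptom from earlier in the thread: a client that can fetch the intermediate itself (for example via the AIA URL) may still validate, one stuck behind the portal cannot, so the intermediate has to be in the bundle the controller serves. check_name against an IP is the quick way to see why "Redirect using hostname" matters.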

 
