New Member
Posts: 7
Registered: ‎03-23-2016
Accepted Solution

Captive portal https certificate error

Hi,

 

I have set up a UniFi AP captive portal with HTTP redirect to the http://www.example.com site, which works fine when the user navigates to any HTTP page.

The problem is that most Android devices use https://google.com as the home page, so when a user opens the browser, the page times out.

I used the config.properties file with the following lines:

config.redirect_https=true
config.redirect_to_https=true

and the result is that now the user gets a certificate error.

 

I need a workaround for this. I know this is a known issue because of the nature of HTTPS, but I haven't found a solution that works.

If the solution requires installing a custom certificate, I would like some help with instructions for that.

 

Thank you very much.

 



All Replies
Emerging Member
Posts: 52
Registered: ‎06-24-2014
Kudos: 2

Re: Captive portal https certificate error

> but I haven't found a solution that works.

No wonder: There is none.

Only if you can install your cert on all the clients do you have some chance.

However, even then, because of HSTS, this will not always work.

 

Ubiquiti Employee
Posts: 4,788
Registered: ‎06-18-2015
Kudos: 1461
Solutions: 446

Re: Captive portal https certificate error

Hi @WifiCatalogue - welcome to the community!

Installing a trusted certificate will allow the user to land on the HTTPS portal page without a warning, but you will still receive a warning when the user accesses an HTTPS website in the first place.

In essence, the captive portal is interrupting and redirecting communication to another server, which in turn is identified by the browser as (and in reality actually is) a MITM attack.

Implementing a workaround for this, if it were possible, would essentially be a security exploit.

Ubiquiti Networks Enterprise Support Team



New Member
Posts: 7
Registered: ‎03-23-2016

Re: Captive portal https certificate error

Thank you very much for your prompt reply.

Emerging Member
Posts: 66
Registered: ‎01-10-2013
Kudos: 5

Re: Captive portal https certificate error

Great help, Cody. Do you know if device manufacturers are working on this from the CNA?

New Member
Posts: 21
Registered: ‎12-26-2016
Kudos: 2
Solutions: 2

Re: Captive portal https certificate error

I understand the security risks associated with doing this (and breaking it). However, is there a way to configure the captive portal to *allow* all HTTPS traffic? It appears that the two options are to *redirect* the traffic (and thus get a certificate error), or to *drop* the traffic (and thus get timeouts in the original HTTPS request).

 

I understand that in doing so, there would be no way to trigger the user to log in to the captive portal when they use HTTPS - but is it possible to configure that way, and wait for them to go to a non-HTTPS site before triggering their "captivity"?

Regular Member
Posts: 446
Registered: ‎05-24-2017
Kudos: 162
Solutions: 12

Re: Captive portal https certificate error

[ Edited ]

There is a very effective solution to this -- see the 3rd post in this thread:

 

https://community.ubnt.com/t5/UniFi-Wireless/HOWTO-Install-Signed-SSL-Certificate-on-Cloudkey-and-us...

 

As shown in my screenshots, both Android and iPhone, when they connect to an open Wi-Fi network, try a connection to a known HTTP site that Google and Apple have, to see if they get redirected; if they see they are behind a portal, they follow the redirect. On Android you'll get a notification on the window shade, "Sign in to network", and on Apple it just takes you right to the sign-in page. Seamless!

 

Some older Android devices don't do this (particularly Samsung), but these are getting fewer and fewer as people's devices get updated with newer Android releases.

 

I take it a step further in my thread above, where I install a signed cert on the Cloud Key and tell the captive portal to redirect to HTTPS on the Cloud Key, so when people need to enter credit card data to sign up for access, they are on a trusted encrypted session. On my deployments with this setup, I don't have the problem of Google being opened by default and HTTPS being redirected, because I leave HTTPS redirect OFF. But I do redirect HTTP to an HTTPS page right on the Cloud Key and use a specific URL that is the CN for the cert installed on the Cloud Key -- two different things!

 

Hope this helps somehow.

 

Cheers.

 

New Member
Posts: 21
Registered: ‎12-26-2016
Kudos: 2
Solutions: 2

Re: Captive portal https certificate error

Thank you for the details on setting that up - that is one thing I was trying to get going (the secure captive portal for logging in).

 

However, this doesn't address the issue with the redirection to the captive portal.  So - for example, with the following steps:

 1 - User connects (using Windows) to the guest network and doesn't immediately log in

 2 - They open a browser and go to "https://www.example.com"

 3 - Depending on whether you have "Enable HTTPS Redirection" checked:

     a - (if unchecked), the gateway just drops the request - browser eventually times out

     b - (if checked), the gateway terminates the SSL and "pretends" to be www.example.com and issues a 302 redirect

 

The problem is in 3b... this will always produce a certificate error, even if it's a signed certificate, because the subject name for that cert will *NOT* match "www.example.com" (or whatever site you go to). The SN for that cert (by default) is just "ubnt".

 

Once you get past *that* SSL cert request, you can send to the secure portal as you describe in your thread.  At *that* point, there should be no more certificate errors.

 

So - the question I have is if there is an option for a "3c"... which is to just allow HTTPS while in the "captive" scenario. I'm fine with redirecting requests to http://www.example.com to my secure portal (which, with your instructions, should not give a certificate error), but if people go to https://www.example.com, I just want to allow that through.

 

Is this something that could be achieved with firewall rules or some other way (i.e. config.gateway.json)?

Regular Member
Posts: 446
Registered: ‎05-24-2017
Kudos: 162
Solutions: 12

Re: Captive portal https certificate error


@Toonetown wrote:

Thank you for the details on setting that up - that is one thing I was trying to get going (the secure captive portal for logging in).

 

However, this doesn't address the issue with the redirection to the captive portal.  So - for example, with the following steps:

 1 - User connects (using Windows) to the guest network and doesn't immediately log in

 2 - They open a browser and go to "https://www.example.com"

 3 - Depending on whether you have "Enable HTTPS Redirection" checked:

     a - (if unchecked), the gateway just drops the request - browser eventually times out

     b - (if checked), the gateway terminates the SSL and "pretends" to be www.example.com and issues a 302 redirect

 

The problem is in 3b... this will always produce a certificate error, even if it's a signed certificate, because the subject name for that cert will *NOT* match "www.example.com" (or whatever site you go to). The SN for that cert (by default) is just "ubnt".

 

Once you get past *that* SSL cert request, you can send to the secure portal as you describe in your thread.  At *that* point, there should be no more certificate errors.

 

So - the question I have is if there is an option for a "3c"... which is to just allow HTTPS while in the "captive" scenario. I'm fine with redirecting requests to http://www.example.com to my secure portal (which, with your instructions, should not give a certificate error), but if people go to https://www.example.com, I just want to allow that through.

 

Is this something that could be achieved with firewall rules or some other way (i.e. config.gateway.json)?


 

Allowing HTTPS to just go through defeats the purpose of the captive portal, no? If you just allow all HTTPS through to the original site, people will get on and surf various HTTPS sites with no need to sign in or sign up for your network. As long as they stay on HTTPS they enjoy wide-open free use of your network; if they happen to hit an HTTP site they'll get redirected. That doesn't make much sense to me (not trying to sound evil here, LOL!)

 

As Cody said, you can't redirect an HTTPS request to somewhere like google.com and take it to your captive portal page (even with a signed cert), because your browser will get annoyed when it tries to go to HTTPS Google and gets something different! Android phones won't even let you go beyond the security warning that it shoves in the user's face.

 

I think the best option is to NOT redirect HTTPS.

When devices like iPhones and Android connect, they automatically go to your HTTP or HTTPS portal (when a signed cert is in place there are no errors or warnings) and life is good.

 

For your scenario above: they connect to the network with the Windows Wi-Fi supplicant.

If they use the Edge browser that comes with Windows 10, then, like Android and Apple, Edge automatically checks if it's behind a portal and takes you to your captive portal page. Microsoft has jumped on this bandwagon as a solution for everything going to HTTPS these days: the browser just automatically checks with a known HTTP site that MS has for Edge, an HTTP Apple site for iOS devices, and an HTTP Google site for Android. It does this behind the scenes.

 

For Windows 7 and older stuff, I have an instruction page that I have my customers hand out to end users, a very simple single-sheet instruction that says:

 1 - Connect to the right SSID.

 2 - Start a web browser such as Chrome or Firefox or whatever. If it defaults to some HTTPS page, it will come up and the page will not load, so:

 3 - Click in the address bar, delete whatever is there and explicitly type in http://example.com. The redirect to the portal happens (in my case to https://propernameindns.domain.com on the Cloud Key captive portal page) and they can then pay with a credit card or use a voucher.

This even works for people with Roku devices or other Wi-Fi sharing devices that need to authenticate with the portal before they can share the wireless connection, as some folks do at a hotel or in an RV camper. Roku calls it hotel mode, since most hotels use a captive portal.

 

That's the best I can come up with -- good luck!

 
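The connectivity check firefi describes (the OS fetching a known plain-HTTP URL and treating an injected redirect as "behind a portal") is easy to reproduce locally. The following is an added example, not code from this thread, from Ubiquiti or from any OS vendor; the portal URL, the probe host and the `/generate_204` path are stand-ins for the vendors' real endpoints, and both "gateways" are tiny local HTTP servers constructed for the demonstration. It also shows why the check has to stay on HTTP: a gateway that drops the connection instead only gives the probe a refusal or timeout, and an HTTPS interception would fail certificate validation before any redirect could be seen.

```python
"""Captive-portal detection the way phones and Edge do it, simulated locally.

Added example (not from the thread or from Ubiquiti). The OS fetches a known
plain-HTTP URL and expects one exact answer; a gateway that intercepts port 80
for unauthenticated guests answers with a 302 to its portal instead, and that
injected redirect is the signal behind "Sign in to network".
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values: a real deployment has its own portal hostname, and each OS
# vendor has its own probe host and path. These are stand-ins only.
PORTAL_URL = "https://portal.example.net/guest/s/default/"
PROBE_HOST = "connectivitycheck.example.com"
PROBE_PATH = "/generate_204"


class CaptiveGatewayHandler(BaseHTTPRequestHandler):
    """Unauthenticated guest behind a redirecting gateway: every HTTP request
    is answered with a 302 to the portal, whatever host or path was asked for."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", PORTAL_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class OpenGatewayHandler(BaseHTTPRequestHandler):
    """Authenticated guest (or no portal at all): the probe reaches the real
    connectivity-check server, which answers 204 with an empty body."""

    def do_GET(self):
        if self.path == PROBE_PATH:
            self.send_response(204)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass


def start_server(handler):
    """Start a throwaway HTTP server on a free loopback port (constructed fixture)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, timeout=3.0):
    """Run one connectivity check against host:port and classify the answer.

    Returns (state, portal_url):
      ("online", None)       -> 204 with an empty body, exactly as expected
      ("captive", location)  -> a redirect was injected; location is the portal
      ("captive", None)      -> any other answer (a content-mangling portal)
      ("unreachable", None)  -> refused or timed out (the gateway drops it)
    The redirect is deliberately not followed: the Location header is the result.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The Host header names the vendor's probe host; a captive gateway
        # intercepts port 80 regardless of it, which is what makes the check work.
        conn.request("GET", PROBE_PATH,
                     headers={"Host": PROBE_HOST, "User-Agent": "captive-probe/1"})
        resp = conn.getresponse()
        body = resp.read()
    except OSError:  # ConnectionRefusedError and socket timeouts both land here
        return "unreachable", None
    finally:
        conn.close()

    if resp.status == 204 and not body:
        return "online", None
    if resp.status in (301, 302, 303, 307, 308):
        return "captive", resp.getheader("Location")
    return "captive", None


if __name__ == "__main__":
    for label, handler in (("redirecting gateway", CaptiveGatewayHandler),
                           ("open network", OpenGatewayHandler)):
        srv = start_server(handler)
        print(label, "->", probe("127.0.0.1", srv.server_port))
        srv.shutdown()
        srv.server_close()
```

`probe` never follows the redirect it receives; the Location header is the whole result, and handing that URL to the user (the window-shade notification on Android, the sign-in sheet on iOS) is the part the OS does next. The same function run against a port with nothing listening returns `("unreachable", None)`, which is what an unauthenticated HTTPS request looks like to the client when HTTPS redirection is left off.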

New Member
Posts: 21
Registered: ‎12-26-2016
Kudos: 2
Solutions: 2

Re: Captive portal https certificate error

[ Edited ]

firefi wrote:

 

Allowing https to just go through defeats the purpose of the captive portal no?  If you just allow all https to go through to the original site, people will get on and surf various https sites with no need to sign in or sign up for your network?

 

Yes - this is exactly the case. The main difference between you and me is that I don't care if they go through. I use the captive network for software testing and QA (to test if the products I develop can work appropriately from behind a captive network).

 

I am just looking for ways to reproduce actual (real) captive networks that we've seen out there (and this actually is one - where they just allow HTTPS traffic and only redirect HTTP to the captive portal).

 

I *do*, however, like the tutorial you posted... I followed it for my home network, and it works like a charm! Thank you for that!

Regular Member
Posts: 446
Registered: ‎05-24-2017
Kudos: 162
Solutions: 12

Re: Captive portal https certificate error


@Toonetown wrote:

firefi wrote:

 

Allowing https to just go through defeats the purpose of the captive portal no?  If you just allow all https to go through to the original site, people will get on and surf various https sites with no need to sign in or sign up for your network?

 

Yes - this is exactly the case. The main difference between you and me is that I don't care if they go through. I use the captive network for software testing and QA (to test if the products I develop can work appropriately from behind a captive network).

 

I am just looking for ways to reproduce actual (real) captive networks that we've seen out there (and this actually is one - where they just allow HTTPS traffic and only redirect HTTP to the captive portal).

 

I *do*, however, like the tutorial you posted... I followed it for my home network, and it works like a charm! Thank you for that!


 

Ahhh, OK, LOL. Yup, you have a reason to allow HTTPS through. Cool!

 

I'm thinking a JSON file on the gateway, to try and mess with the firewall rules to allow HTTPS through, may be the way to go. I don't have experience with this, so I can't help you there. If you figure it out, certainly share!

 

The gateway is EdgeRouter based, and the firewall IMHO isn't too configurable from the controller, but I'm sure they'll make that better as time goes on. I haven't really dug into that part too much, as at most of my sites the defaults for various configurations work well, including the rules they set up to let user-based VPN through (PPTP or L2TP) and site-to-site VPN stuff.

 

Cheers.

 

New Member
Posts: 2
Registered: ‎05-03-2018

Re: Captive portal https certificate error

Just bought and configured 2 UniFi APs, and I'm having this error. How can I correct this without having to buy and configure an SSL certificate? We are running version 3.8.3.6587.

 

 

Member
Posts: 140
Registered: ‎02-04-2014
Kudos: 7
Solutions: 2

Re: Captive portal https certificate error

After 3 years, is there a fix for this yet?

Emerging Member
Posts: 52
Registered: ‎06-24-2014
Kudos: 2

Re: Captive portal https certificate error

No way out: There is no fix. Unless, as I stated above already, you are able to install your cert on all clients.

But even then, because of certificate pinning and HSTS, there will still be some sites (Google, FB etc., depending on the browser) for which even this cert installation on the user's device will not be sufficient.

 

 

 

Regular Member
Posts: 446
Registered: ‎05-24-2017
Kudos: 162
Solutions: 12

Re: Captive portal https certificate error


@babajaga wrote:

No way out: There is no fix. Unless, as I stated above already, you are able to install your cert on all clients.

But even then, because of certificate pinning and HSTS, there will still be some sites (Google, FB etc., depending on the browser) for which even this cert installation on the user's device will not be sufficient.

I agree -- there is no fix, because redirecting HTTPS does exactly what HTTPS was designed to guard against -- a man in the middle manipulating things. Google, for instance, gets pretty upset when you go to https://google.com and get something that isn't a Google server!

 

It's interesting that they even offer to redirect HTTPS, but in some cases it can be useful. I never redirect HTTPS, to avoid strange warnings that freak out average users.

 

For most people implementing a captive portal, the solution is to redirect just HTTP and set up a secure portal at a valid HTTPS address with a proper certificate. Most devices now, including Windows 10, automatically check once connected to an open network whether they are behind a portal (by visiting a predefined HTTP address that is always HTTP). When the OS sees that the test HTTP connection is being redirected, it will then present the portal page (on Apple, Linux and others) or do a window-shade notification like it does on Android, telling the user to complete a sign-in. It's seamless and works well for the sites I've set up.

 

It's quite rare now, but when an older device doesn't automate the sign-in by checking for a portal, I tell users to connect to the Wi-Fi and then visit http://example.com to trigger the login page (a redirect to https://portal.xyz.com), where the HTTPS name has a signed cert that matches the DNS name.

 

Good luck!

 

New Member
Posts: 8
Registered: ‎12-26-2018

Re: Captive portal https certificate error

Installing a certificate on the user's mobile device, you mean? But we have lots of employees and visitors coming in, and they cannot connect to the guest Wi-Fi with the captive portal as we expect it to deliver its purpose. We manually authorize them, which is troublesome. Huawei phones seem to have issues with the captive portal.
New Member
Posts: 5
Registered: ‎12-06-2018
Solutions: 1

Re: Captive portal https certificate error

Same issue here. I see the cert warning as soon as I connect to our guest network (and before the portal sign-in page appears).

Member
Posts: 150
Registered: ‎08-15-2016
Kudos: 31
Solutions: 1

Re: Captive portal https certificate error

What type of device do you see this on?

 

Are you using an external portal, and if yes, do you have an SSL cert in place?

New Member
Posts: 8
Registered: ‎12-26-2018

Re: Captive portal https certificate error

Mostly on mobile devices and a few on laptops.

What do you mean by external portal?