OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: micha on January 28, 2020, 12:20:32 pm

Title: Captive Portal no longer works after the update to version 19.7.10
Post by: micha on January 28, 2020, 12:20:32 pm
Hi there,

after the update to version 19.7.10 I can't connect with Firefox to the Captive Portal login page. Error message: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

After disabling ocsp_must_staple in Firefox via about:config (security.ssl.enable_ocsp_must_staple setting=false) it works again.

Is this a bug or am I doing something wrong?

Cheers,

Micha
Title: Re: Captive Portal no longer works after the update to version 19.7.10
Post by: franco on January 28, 2020, 01:35:41 pm
Hi micha,

You may be running into:

https://github.com/opnsense/core/issues/3891

Which was fixed on 19.7.10... to diagnose go to your captive portal settings and check "enforce local group" ... it is probably set to something but you want to set it to none.


Cheers,
Franco
Title: Re: Captive Portal no longer works after the update to version 19.7.10
Post by: micha on January 28, 2020, 02:55:52 pm
Hello Franco,

thank you for your answer.

But my problem is a different one: I can register. With the Chrome Browser it works without problems. With Firefox everything works if I have turned off OCSP_must_staple. The problem is that with Firefox OCSP_must_staple is enabled by default. The normal Firefox user gets only an error message instead of the login page.

The configuration of the webserver responsible for the logon page of the Captive Portal seems to have OCSP_must_staple enabled. I am trying to figure out how to disable OCSP_must_staple on lighttpd. It is also strange that OCSP_must_staple is disabled on the WebGUI.

Cheers,

Micha
Title: Re: Captive Portal no longer works after the update to version 19.7.10
Post by: franco on January 28, 2020, 05:03:50 pm
Sorry, I misread being prompted by "19.7.10" specifically.

Lighttpd does not do OCSP stapling as it seems:

https://redmine.lighttpd.net/issues/2469

It means it never worked before and that would indicate your SSL certificate changed. Are you using Let's Encrypt?

You need a new certificate that does not mandate OCSP stapling and it can be turned off for Let's Encrypt easily.


Cheers,
Franco
Title: Re: Captive Portal no longer works after the update to version 19.7.10
Post by: micha on February 04, 2020, 11:30:30 am
I was affected by the problem that the acme client always had OCSP stapling enabled (#794 (https://github.com/opnsense/plugins/issues/794))

To fix the problem I corrected the configuration file manually. Then it worked for me again. Now the certificate has expired and was automatically renewed with OCSP stapling enabled again.

Now I have installed a certificate that does not come from Let's Encrypt manually. Now it works again.

But in the future I would like to use certificates from Let's Encrypt again. I would like to validate them using the DNS API method. Unfortunately I still have problems connecting the OPNsense acme-client to my PowerDNS...

Cheers,

Micha