[SOLVED] Captive Portal & External SSL Certificate

Started by jpm01, April 19, 2016, 01:19:54 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 19, 2016, 01:19:54 PM Last Edit: April 20, 2016, 12:05:48 PM by franco
Hi,

I tried to set up a captive portal with an external certificate from StartSSL. Without https the portal runs fine, if I select the web configurator default certificate it also works. If I select the imported StartSSL certificate, the redirection to the portal times out. There are no errors shown in the logs, but it seems that lighttpd doesn't run on the cp port. The certificate and ca where imported from an old pfSense install which worked with the same configuration.
April 19, 2016, 09:55:13 PM #1
I tried again with a new CSR from the OPNsense system and a certificate issued by ssl.com. Still the same, captive portal service is shown as running and no errors in any logfiles, but connection times out on the client and netstat and sockstat on the OPNsense doesn't show any listening ports other than *:80 for lighttpd.

If I select "none" or the webconfigurator certificate, port *:8000 shows up in netstat and the portal works.


April 19, 2016, 10:50:28 PM #2
Hi,

I'm not sure what your issue is, but can you execute some commands and output the results here?

List of running lighttpd processes (there should be 3 of them)
Code Select
ps fax | grep lighttpd

List of created configurations
Code Select
ls -asl /var/etc/lighttpd-*

Try to start the http server for zone 0 in the shell (or 1 if 0 doesn't exist)
Code Select
/usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf


Best regards,

Ad
April 19, 2016, 11:41:08 PM #3
Thanks for your answer, with the output from the commands I was able to get it working for now.

Output was:

Code Select

root@OPNsense:~ # ps fax | grep lighttpd
74527  -  S      0:00.72 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
90199  -  S      0:00.24 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-api-dispatcher.conf
68155  0  S+     0:00.00 grep lighttpd

Code Select

root@OPNsense:~ # ls -asl /var/etc/lighttpd-*
4 -rw-r-----  1 root  wheel  2084 Apr 19 21:41 /var/etc/lighttpd-api-dispatcher.conf
8 -rw-r-----  1 root  wheel  7728 Apr 19 21:41 /var/etc/lighttpd-cp-zone-0.conf

Code Select

root@OPNsense:~ # /usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf
2016-04-19 23:20:06: (network.c.542) SSL: couldn't read X509 certificate from '/var/etc/cert-cp-zone0.pem'


With this information, I checked the file with "openssl x509 -noout -text -inform PEM -in /var/etc/cert-cp-zone0.pem" and got "4389603492760:error:0906D066:PEM routines:PEM_read_bio:bad end line". I edited the .pem file and added a break between the "END CERTIFICATE" and "BEGIN KEY" section, because it was a single line.

I don't know if I made a mistake while pasting the data into the webConfigurator and I will try with another test certificate to add a newline at the end of the certificate data form.

Thanks for your help!
jpm01
April 20, 2016, 12:16:54 AM #4
While reconfiguring the captive portal the .pem file was rewritten by the system, so the problem with the single line happened again. I exported .key and .crt and imported it again with an empty line at the end of the "Certificate Data" form. Now the .pem file works if I reconfigure settings of the captive portal.
April 20, 2016, 11:50:18 AM #5
Thanks for reporting back, the cert generation should probably apply the line ends itself to avoid this from happening.
I will make sure a fix will be in soon.
Print
Go Up Pages1
User actions