[SOLVED] Captive Portal & External SSL Certificate

[jpm01]

Hi,

I tried to set up a captive portal with an external certificate from StartSSL. Without https the portal runs fine, if I select the web configurator default certificate it also works. If I select the imported StartSSL certificate, the redirection to the portal times out. There are no errors shown in the logs, but it seems that lighttpd doesn't run on the cp port. The certificate and ca where imported from an old pfSense install which worked with the same configuration.

[jpm01]

I tried again with a new CSR from the OPNsense system and a certificate issued by ssl.com. Still the same, captive portal service is shown as running and no errors in any logfiles, but connection times out on the client and netstat and sockstat on the OPNsense doesn't show any listening ports other than *:80 for lighttpd.

If I select "none" or the webconfigurator certificate, port *:8000 shows up in netstat and the portal works.

[AdSchellevis]

Hi,

I'm not sure what your issue is, but can you execute some commands and output the results here?

List of running lighttpd processes (there should be 3 of them)

Code: [Select]

ps fax | grep lighttpd
List of created configurations

Code: [Select]

ls -asl /var/etc/lighttpd-*
Try to start the http server for zone 0 in the shell (or 1 if 0 doesn't exist)

Code: [Select]

/usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf

Best regards,

Ad

[jpm01]

Thanks for your answer, with the output from the commands I was able to get it working for now.

Output was:

Code: [Select]

root@OPNsense:~ # ps fax | grep lighttpd
74527  -  S      0:00.72 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
90199  -  S      0:00.24 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-api-dispatcher.conf
68155  0  S+     0:00.00 grep lighttpd


Code: [Select]

root@OPNsense:~ # ls -asl /var/etc/lighttpd-*
4 -rw-r-----  1 root  wheel  2084 Apr 19 21:41 /var/etc/lighttpd-api-dispatcher.conf
8 -rw-r-----  1 root  wheel  7728 Apr 19 21:41 /var/etc/lighttpd-cp-zone-0.conf


Code: [Select]

root@OPNsense:~ # /usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf
2016-04-19 23:20:06: (network.c.542) SSL: couldn't read X509 certificate from '/var/etc/cert-cp-zone0.pem'

With this information, I checked the file with "openssl x509 -noout -text -inform PEM -in /var/etc/cert-cp-zone0.pem" and got "4389603492760:error:0906D066:PEM routines:PEM_read_bio:bad end line". I edited the .pem file and added a break between the "END CERTIFICATE" and "BEGIN KEY" section, because it was a single line.

I don't know if I made a mistake while pasting the data into the webConfigurator and I will try with another test certificate to add a newline at the end of the certificate data form.

Thanks for your help!
jpm01

[jpm01]

While reconfiguring the captive portal the .pem file was rewritten by the system, so the problem with the single line happened again. I exported .key and .crt and imported it again with an empty line at the end of the "Certificate Data" form. Now the .pem file works if I reconfigure settings of the captive portal.

[AdSchellevis]

Thanks for reporting back, the cert generation should probably apply the line ends itself to avoid this from happening.
I will make sure a fix will be in soon.