Author Topic: [SOLVED] Captive Portal & External SSL Certificate  (Read 8429 times)

jpm01

[SOLVED] Captive Portal & External SSL Certificate
« on: April 19, 2016, 01:19:54 pm »
Hi,

I tried to set up a captive portal with an external certificate from StartSSL. Without HTTPS the portal runs fine, and if I select the web configurator default certificate it also works. If I select the imported StartSSL certificate, the redirection to the portal times out. There are no errors shown in the logs, but it seems that lighttpd doesn't run on the CP port. The certificate and CA were imported from an old pfSense install which worked with the same configuration.
« Last Edit: April 20, 2016, 12:05:48 pm by franco »

jpm01

Re: Captive Portal & External SSL Certificate
« Reply #1 on: April 19, 2016, 09:55:13 pm »
I tried again with a new CSR from the OPNsense system and a certificate issued by ssl.com. Still the same: the captive portal service is shown as running and there are no errors in any logfiles, but the connection times out on the client, and netstat and sockstat on the OPNsense don't show any listening ports other than *:80 for lighttpd.

If I select "none" or the webconfigurator certificate, port *:8000 shows up in netstat and the portal works.


AdSchellevis

  • Administrator
Re: Captive Portal & External SSL Certificate
« Reply #2 on: April 19, 2016, 10:50:28 pm »
Hi,

I'm not sure what your issue is, but can you execute some commands and output the results here?

List of running lighttpd processes (there should be 3 of them):
Code:
ps fax | grep lighttpd

List of created configurations:
Code:
ls -asl /var/etc/lighttpd-*

Try to start the HTTP server for zone 0 in the shell (or 1 if 0 doesn't exist):
Code:
/usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf

Best regards,

Ad

jpm01

Re: Captive Portal & External SSL Certificate
« Reply #3 on: April 19, 2016, 11:41:08 pm »
Thanks for your answer, with the output from the commands I was able to get it working for now.

Output was:

Code:
root@OPNsense:~ # ps fax | grep lighttpd
74527  -  S      0:00.72 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
90199  -  S      0:00.24 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-api-dispatcher.conf
68155  0  S+     0:00.00 grep lighttpd
Code:
root@OPNsense:~ # ls -asl /var/etc/lighttpd-*
4 -rw-r-----  1 root  wheel  2084 Apr 19 21:41 /var/etc/lighttpd-api-dispatcher.conf
8 -rw-r-----  1 root  wheel  7728 Apr 19 21:41 /var/etc/lighttpd-cp-zone-0.conf
Code:
root@OPNsense:~ # /usr/local/sbin/lighttpd -D -f /var/etc/lighttpd-cp-zone-0.conf
2016-04-19 23:20:06: (network.c.542) SSL: couldn't read X509 certificate from '/var/etc/cert-cp-zone0.pem'

With this information, I checked the file with "openssl x509 -noout -text -inform PEM -in /var/etc/cert-cp-zone0.pem" and got "4389603492760:error:0906D066:PEM routines:PEM_read_bio:bad end line". I edited the .pem file and added a break between the "END CERTIFICATE" and "BEGIN KEY" section, because it was a single line.

I don't know if I made a mistake while pasting the data into the webConfigurator and I will try with another test certificate to add a newline at the end of the certificate data form.

Thanks for your help!
jpm01

jpm01

Re: Captive Portal & External SSL Certificate
« Reply #4 on: April 20, 2016, 12:16:54 am »
While reconfiguring the captive portal the .pem file was rewritten by the system, so the problem with the single line happened again. I exported .key and .crt and imported it again with an empty line at the end of the "Certificate Data" form. Now the .pem file works if I reconfigure settings of the captive portal.

AdSchellevis

  • Administrator
Re: Captive Portal & External SSL Certificate
« Reply #5 on: April 20, 2016, 11:50:18 am »
Thanks for reporting back. The cert generation should probably apply the line ends itself to prevent this from happening.
I will make sure a fix will be in soon.
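The failure diagnosed in this thread (a certificate pasted without a trailing newline, then concatenated with its key) and the remedy suggested in the last reply (the generator applying the line ends itself), as an added Python example that is not part of the thread and not OPNsense's own code. The function names and the sample PEM bodies are constructed for illustration.

```python
import re

# PEM encapsulation boundary: five dashes, BEGIN or END, a label, five dashes.
BOUNDARY = re.compile(r"-----(?:BEGIN|END) [A-Z0-9 ]+-----")

# Constructed sample data: the bodies are placeholders, not real DER.
# CERT has no trailing newline, as when pasted into a form without one.
CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----"
KEY = "-----BEGIN PRIVATE KEY-----\nTUlJS2V5Q29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"


def fused_boundaries(pem_text):
    """Return (line_number, line) for each line where a boundary shares the
    line with other text, the condition behind 'bad end line' in this thread."""
    bad = []
    for number, line in enumerate(pem_text.splitlines(), 1):
        match = BOUNDARY.search(line)
        if match and line.strip() != match.group(0):
            bad.append((number, line))
    return bad


def normalize_bundle(*parts):
    """Join PEM parts so every boundary sits on its own line and the result
    ends with a newline. Also repairs text that is already fused."""
    text = "\n".join(parts)
    text = BOUNDARY.sub(lambda m: "\n" + m.group(0) + "\n", text)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    naive = CERT + KEY  # plain concatenation, as in the broken .pem file
    print("naive:", fused_boundaries(naive))
    fixed = normalize_bundle(CERT, KEY)
    print("fixed:", fused_boundaries(fixed))
    print(fixed, end="")
```

Running `fused_boundaries` over a generated bundle before the web server is restarted turns a silent listener failure into an explicit error at configuration time.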