alxwolf / ubios-cert

Manage SSL / TLS certificates with acme.sh (Let's Encrypt, ZeroSSL) for Ubiquiti UbiOS firmwares


Intermediate Chain Certificate for Guest Portal

NDULZ opened this issue · comments

commented

Hey great work on the script.

I'm however having an issue where some devices, mostly Samsungs and Apple devices do not trust the certificate on the guest portal.
SSL Checker indicates this warning "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider." when I check the guest portal url.

Any help with this would be highly appreciated.


Looking at it. Now maybe the right time to get once more a look at the multiple stores the UDM has (for Console, Guest / WiFiMan, and RADIUS).

@NDULZ, previously it was an issue to run WiFiMan with full chain, but I need to doublecheck that (and that's long ago so my memory may fail me here).

I'm however having an issue where some devices, mostly Samsungs and Apple devices do not trust the certificate on the guest portal.

Hi @NDULZ, can you please provide some information:
What UniFi device do you use?
What firmware version do you run? V1.x, V2.x or V3.x

Which specific Apple devices produce this error?

I have tried with Windows, (newer) Apple iOS and macOS devices and get no errors.

Having just the server certificate (no chain, i.e. no intermediate or root certificate) in the guest portal is intended behavior - right now, at least.

commented

@alxwolf Yup in your notes you indicate that the chain cert is not installed for WiFiMan to work. I think having an option in ubios-cert.env would be prudent and allow the user to decide what they would like to use.

I am using a UDM and a UDM Pro and have the same issue on both.
Both are running firmware v1.12.33

The issue arises on Samsung Galaxy A71, S9 and Note 9 among other android devices, Macbook Air 2020 and 2015, iPhone 13, X and 8.

I hope this helps.

mmh. it's not that simple... I've been testing now for a sound 3 hours and... it does not work with a full chain. So no chance for giving the option...

@NDULZ I created a branch for this, please try this and let me know if this works for your environment.

For me, it does... but: it breaks WiFi-Man.

I added this to ubios-cert.env to spare you from repeating all configuration.

# you want to spare users from "intermediate certificate missing" errors?
# this will break WiFiman iOS app
# uncomment next line, set to 'yes' to provide the full chain to Captive Portal
CAPTIVE_FULLCHAIN='yes'


I think we can agree that it's just plain stupid by UI to let their users run through hoops.
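As an added example (not part of ubios-cert itself), a small POSIX sh helper that does what the thread does by hand: tell a leaf-only PEM file from a full chain, and, when openssl is installed, print subject, issuer and validity of every certificate in the bundle and flag a gap where one certificate's issuer is not the next certificate's subject. The paths in the usage note are assumptions based on the locations mentioned in this thread.

```shell
#!/bin/sh
# Added example, not code from the ubios-cert project. Inspect a PEM bundle:
# how many certificates it carries (leaf only vs. full chain) and, with
# openssl available, whether the certificates actually link to each other.

# Number of certificates in a PEM file (0 if the file is missing or empty).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 on zero matches, so keep the count and ignore the status
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# "leaf-only" for a bare server cert (the SSL Checker warning case),
# "fullchain" when intermediates follow it, "empty" otherwise.
chain_status() {
    n=$(pem_cert_count "$1")
    if [ "$n" -ge 2 ]; then echo fullchain
    elif [ "$n" -eq 1 ]; then echo leaf-only
    else echo empty
    fi
}

# Print subject/issuer/dates of each cert and report chain breaks. Needs openssl.
describe_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    # split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    prev_issuer=""
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
        openssl x509 -noout -subject -issuer -dates -in "$f"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "CHAIN BREAK: previous issuer '$prev_issuer' is not this subject '$subj'"
        fi
        prev_issuer=$iss
    done
    rm -rf "$tmp"
}

# Usage: ./chaincheck.sh FILE...   (each file is reported separately)
if [ "$#" -gt 0 ]; then
    for f; do
        echo "== $f: $(chain_status "$f")"
        describe_chain "$f"
    done
fi
```

On a UDM the files discussed in this thread would be, for example, /mnt/data/unifi-os/unifi-core/config/unifi-core.crt and /mnt/data/system/ssl/private/redirector/server.crt (paths as quoted above, assumed unchanged on your firmware).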

commented

The chain is all good now but now I seem to be encountering an error on macOS when redirecting to my promotional URL. For some weird reason it's using the UDM's self signed SSL cert when redirecting.

So I guess your guest portal config looks something like this:


Yeah, UI is a mess about certs...

You probably get the "UI" certificate, issued by "devint" (they probably skipped an "a" in that).

I searched far and wide on the UDM and have not found, where this thing resides and when it gets regenerated (something seems to trigger this, but seems like not a reboot of the hardware or just restarting the unifi-os).

One thing you can try (don't know how comfortable you are SSH-ing into UDM).

You are throwing an additional curved ball by using the redirection (which I think is totally fine for such equipment...).

You could check in /mnt/data/system/ssl/private/redirector what certificate you have there. Please also check the file creation date and time, does that ring a bell (like last reboot or date of installation?)

openssl x509 -text -noout -in server.crt will tell you.

What happens if you make a backup of this key and cert and replace it with your Let's Encrypt cert?

commented

Yup it's exactly like that.

SSH-ed into the UDM, you were right on the location and it seems to have been created when I first powered up the UDM on the day I purchased it.

Any thoughts on which cert and key I should use amongst the ones in .../unifi-core/config?

I don't get how UI do so many things right, great in fact but the vitals are just all over the place.

commented

Checked the UDM Pro as well and that seems to have been created on Dec 10 2022 which I think is when I did a factory reset.

Thanks, mine dates to when I did last firmware upgrade (yesterday to .37), which makes sense.

You could try

cp /mnt/data/unifi-os/unifi-core/config/unifi-core.crt /mnt/data/system/ssl/private/redirector/server.crt

cp /mnt/data/unifi-os/unifi-core/config/unifi-core.key /mnt/data/system/ssl/private/redirector/server.key

unifi-os restart

If certs get shot, one can delete both server.* files and they get recreated during (hardware) reboot.

But I'm not sure this will help. UI is totally not helpful on those topics and everything is "for science"...

Found one more thing: maybe this can provide a solution?

We typically disable HTTPS redirection and add the IP address the public FQDN points to to the pre-auth access list with the /32 suffix. Works like a charm, even on UDM PROs.

commented

Found one more thing: maybe this can provide a solution?

We typically disable HTTPS redirection and add the IP address the public FQDN points to to the pre-auth access list with the /32 suffix. Works like a charm, even on UDM PROs.

This seems to have worked. Copying the certs was a bust.