https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/Captive-portal-SSL-and-Intermediate-CA-problem/m-p/32966#M1623 Unfortunately it's a bit of an egg-on face / RTFM moment.<BR /><BR />we went back through the ssl configuration and re-installed the certificates in the correct order and it all works.<BR /><BR />in short the 'correct' order is "Root CA Cert, Intermediate Cert then device Cert."<BR /><BR />Hope this helps someone else tearing their hair out. Fri, 07 Aug 2015 07:15:15 GMT martin_christop 2015-08-07T07:15:15Z https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/Captive-portal-SSL-and-Intermediate-CA-problem/m-p/32965#M1622 Hi.<BR /><BR />We have recently had a ruckus wireless network installed. Everything from the AP's to the pair of ZD3050's configured as a smart-redundant pair is working well, except for the captive portal.<BR /><BR />We have 2 SSID's set up to authenticate separate captive portals from separate auth servers. It is functional to some degree however we are having problems with certificates.<BR /><BR />We purchased a cert (wifi.domain.ac.uk) from Janet which comes in 2 parts, intermediate CA and the device CA itself. &nbsp; They both load onto the ZD fine, but when we try to access the login page from a mobile device or laptop then we get a certificate error, even though when we access the URL from a machine inside the network, everything is green.<BR /><BR />There are 2 possibilities as far as i can see. &nbsp;using the command below we only get the intermediate cert back, not the full chain<BR />&gt;&gt; openssl s_client -check wifi.tower.ac.uk:443&nbsp;<BR />Which returns this:<BR /><BR />---<BR />CONNECTED(00000003)depth=0 C = GB, ST = London, L = LONDON, O = Tower Hamlets College, CN = wifi.tower.ac.uk<BR /><B>verify error:num=20:unable to get local issuer certificate</B><BR />verify return:1<BR />.<BR />.<BR />.<BR />---<BR />Certificate chain<BR />&nbsp;0 s:/C=GB/ST=London/L=LONDON/O=Tower Hamlets College/CN=wifi.tower.ac.uk<BR />&nbsp; &nbsp;i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2<BR />---<BR /><BR />This seems to be wrong as the Webserver should respond with the entire chain not just a single cert:<BR /><A href="http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url" rel="nofollow" target="_blank" title="Link http//stackoverflowcom/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url">http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experi...</A><BR /><BR />Another ideas is there is something OCSP related to the captive portal we need to explicitly allow - but i'm new to that part of x509....<BR /><BR />Can any big forum brains point us towards an easy fix for this silliness?<BR /><BR />PS. we are running the latest firmware on the <B>ZD's: &nbsp;&nbsp;9.12.0.0 build 336</B><BR /><BR />Thanks<BR />Martin Tue, 04 Aug 2015 14:07:39 GMT https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/Captive-portal-SSL-and-Intermediate-CA-problem/m-p/32965#M1622 martin_christop 2015-08-04T14:07:39Z https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/Captive-portal-SSL-and-Intermediate-CA-problem/m-p/32966#M1623 Unfortunately it's a bit of an egg-on face / RTFM moment.<BR /><BR />we went back through the ssl configuration and re-installed the certificates in the correct order and it all works.<BR /><BR />in short the 'correct' order is "Root CA Cert, Intermediate Cert then device Cert."<BR /><BR />Hope this helps someone else tearing their hair out. Fri, 07 Aug 2015 07:15:15 GMT https://community.ruckuswireless.com/t5/Wireless-Questions-and-Best/Captive-portal-SSL-and-Intermediate-CA-problem/m-p/32966#M1623 martin_christop 2015-08-07T07:15:15Z