09-06-2023 11:17 AM - edited 09-06-2023 11:19 AM
Hi!
I'm running Unleashed on a couple of R710s, version 200.14.6.1.203 (latest).
I have set up a guest network and utilize the built-in Captive Portal hosted on the Master AP.
This works well until I add a custom certificate under Admin&Services -> Administration -> Certificate -> Import Signed Certificate.
I'm importing a CloudFlare Origin Cert (with my internal domain, i.e. *.myinternaldomain.com). This also works well: in the Unleashed UI the cert is present and working as expected.
Now when I test the captive portal on Linux, connecting to the Guest network and clicking Sign In, I get
"If you are not redirected within 3 seconds, please click here." And the link is pointing to: http://cloudflare/.
If I try this on an android device I get:
The web page at http://cloudflare%20origin%20certificate/user/inte&url=http://www.google.com could be loaded because: net::ERR_NAME_NOT_RESOLVED
Reverting back to the original Ruckus cert, the captive portal starts working as expected again.
Anyone else experienced this? Why is it trying to redirect to http://cloudflare? It makes no sense to me.
Thanks in advance,
09-11-2023 11:41 AM
I guess I have to revert to an ugly workaround: adding a DNS entry in my Pi-hole to translate cloudflare to the master AP IP.
09-11-2023 06:42 PM - edited 09-11-2023 06:44 PM
I replied a couple of days ago, but my reply was lost for some reason.
Cloudflare Origin Certs aren't meant for anything other than securing traffic between your servers and Cloudflare, so they optimized away anything which was unnecessary for this purpose. Definitely I would use a proper cert from a public CA instead. If I was guessing, then probably the cert has your wildcard in the subject alternative name, so it's not being looked for.
I use Let's Encrypt certs without issue - the cert upload process prompts you for the FQDN you want if it's a wildcard cert.
Either way, there will be a redirect to the FQDN, so make sure you set up your internal DNS so this FQDN points at your master AP's IP.
Then either set a calendar reminder to renew the cert every 90 days, or automate (e.g. https://ms264556.net/pages/PfSenseLetsEncryptToRuckus).
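A pre-import check, added here as an example (not Ruckus or Cloudflare code), that models what the redirect in the first post suggests: the portal host looks like it was taken from the certificate's subject CN, and an Origin cert's CN is the literal text "CloudFlare Origin Certificate", which URL-encodes to exactly the host in the Android error, while the usable names sit in the SAN. It assumes you have already read the CN and SAN DNS names out of the cert (e.g. with `openssl x509 -noout -text`); the domain names are constructed sample values.

```python
import re
from urllib.parse import quote

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """RFC 1123-style check: dotted labels only, so a CN with spaces fails."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(LABEL.match(label) for label in name.split("."))


def name_matches(pattern: str, host: str) -> bool:
    """X.509 wildcard rule: '*' may only stand for the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".myinternaldomain.com"
        left = host[: -len(suffix)]          # the part the '*' would cover
        return host.endswith(suffix) and left != "" and "." not in left
    return pattern == host


def naive_redirect_host(cn: str) -> str:
    """Host a redirect would contain if it simply URL-encoded the subject CN."""
    return quote(cn.lower())


def check_portal_cert(cn: str, sans: list[str], fqdn: str) -> dict:
    """Can this cert back a captive portal reached at `fqdn`?"""
    return {
        "cn_is_hostname": is_valid_hostname(cn),
        "naive_redirect_host": naive_redirect_host(cn),
        "fqdn_is_hostname": is_valid_hostname(fqdn),
        "fqdn_covered": any(name_matches(n, fqdn) for n in [cn, *sans]),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the thread: Origin cert CN plus wildcard SAN.
    report = check_portal_cert(
        "CloudFlare Origin Certificate",
        ["*.myinternaldomain.com", "myinternaldomain.com"],
        "unleashed.myinternaldomain.com",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

If `cn_is_hostname` is False but `fqdn_covered` is True, the cert can serve the portal only once the redirect target is the FQDN (as the upload prompt or the linked script sets it) and internal DNS points that FQDN at the master AP.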
09-12-2023 02:13 AM
Thanks for the reply. Yes, you are right, the Origin certs are not intended to be used that way.
The benefit is that they are valid for 30 years and I'm using the cert on many different devices. I have used a Let's Encrypt setup for years, but it is such a hassle to renew all my devices, and it is difficult to see when renewal fails, or for instance when you reinstall some client and forget to back up the public SSH key. I tend to use bash scripts and scp the Let's Encrypt cert to various places (authorizing with authorized_keys); in some cases I have written Expect scripts that work better with CLI-like setups.
I'll probably just ignore the Unleashed cert and use the default cert for now, and continue using my 30-year Origin cert.
09-12-2023 04:21 AM
You should be able to use the script I linked above to set the correct FQDN for your master AP, even with your Cloudflare cert.