I'm running Unleashed on a couple of R710s version 18.104.22.168.203 (latest)
I have set up a guest network and utilizes the built in Captive Portal hosted on the Master AP.
This works well until I add a custom certificate under Admin&Services -> Administration -> Certificate -> Import Signed Certificate.
I'm importing a CloudFlare Origin Cert (with my internal domain i.e *.myintenaldomain.com). This also works well using the Unleashed UI the cert is present and working as expected.
Now when I test the captive portal, on Linux, connecting to the Guest network, Clicking sign in I get
"If you are not redirected within 3 seconds, please click here." And the link is pointing to: http://cloudflare/.
If I try this on an android device I get:
The web page at http://cloudflare%20origin%20certificate/user/inte&url=http://www.google.com could be loaded because: net::ERR_NAME_NOT_RESOLVED
Reverting back to original Ruckus cert, the captive portal start working as expected again.
Anyone else experienced this? Why is it trying to redirect to http://cloudlfare, makes no sense to me.
Thanks in advance,
Solved! Go to Solution.
I replied a couple of days ago, but my reply was lost for some reason
Cloudflare Origin Certs aren't meant for anything other than securing traffic between your servers and cloudflare, so they optimized away anything which was unnecessary for this purpose. Definitely I would use a proper cert from a public CA instead. If I was guessing, then probably the cert has your wildcard in the subject alternative name, so it's not being looked for.
I use Letsencrypt certs without issue - the cert upload process prompts you for the FQDN you want if it's a wildcard cert.
Either way, there will be a redirect to the FQDN, so make sure you set up your internal DNS so this FQDN points at your master AP's IP.
Then either set a calendar reminder to renew the cert every 90 days, or automate (e.g. https://ms264556.net/pages/PfSenseLetsEncryptToRuckus).
Thanks for the reply. Yes you are right the Origin certs are not intended to be used that way.
The benefit is that they are valid for 30 years and I'm using the cert on my many different devices. I have used a letsencrypt setup for years, but it such a hassle to renew all my devices and in it is difficult to see when renewal fails, or for instance when you reinstall some client and forget to backup the public sshkey. I tend to use bash-scripts and scp the letsencrypt cert to various places (authorizing with authorized_keys), in some cases I have written Expect-scripts that works better with cli-like-setups.
I'll probably just ignore unleashed cert and use the default cert for now, and continue using my 30 year origin-cert.