Captive Portal, why do I get those certificate warnings?

Every now and then, the question pops up from someone who has implemented a captive portal for his or her guests and the guests get these annoying security warnings:

Please help me !  How do we to get rid of these annoying warnings?

Thanks

Hi,

Whenever a user browses any HTTPS website, the web browser used by the end user expects a valid certificate from that particular HTTPS website. Here the user is browsing www.google.com, which is a strict HTTPS website. In the case of Captive Portal, the AP intercepts the HTTP GET from the user and sends an HTTP temporary redirect to the user. Now the HTTPS certificate sent from the AP is not the one which the client is expecting, and hence it throws the error as shown in the screenshot. The solution is to import a valid certificate obtained from a CA onto the AP.

Dear Support,

How do I import a valid certificate obtained from a CA onto the AP? Please help me!

As mentioned by sandeshkumarb, you're seeing the error because the AP is intercepting HTTPS connections from the wireless client to a public website like Google or Facebook. You cannot get rid of this by adding any certificates to the AP. This is how HTTPS is designed: any attempt by a third party to intercept HTTPS traffic is detected by the browser and flagged with a warning message. This is common to all captive portals and not unique to Cambium.

There are a couple of things you can do to mitigate this:

- Enable Redirect: HTTPS only (see the attached screenshots). This is under the WLAN configuration in cnMaestro under Guest Access -> Advanced Settings. On the device it is under WLAN -> Guest Access. This will drop all HTTPS traffic until the user is authenticated. On the user end, until they try to access an HTTP website and sign in to the guest portal, HTTPS traffic will be dropped.

- I see you have 'Captive Portal Bypass' selected. Is this a workaround for some issue (we do have a temporary issue with Captive-Portal Network Assistant on MacBooks which requires this)? If not, you can uncheck that setting. This will trigger the CNA or Captive Portal popup on most mobile devices when the user connects to the WLAN. This CNA will not display the warning.

Device UI:

cnMaestro UI


Hi,

I'm getting the certificate warnings; I have Redirect: HTTP-only enabled and no Captive Portal Bypass User Agent.

Any idea?

You are using an On Premises version of cnMaestro, which comes with a self-signed certificate. Please get a trusted certificate for your cnMaestro and install it, and you will no longer see this certificate error. You must be getting the same certificate warning when you try to access the management UI of your cnMaestro. Also ensure you install the full chain certificate. The cnMaestro On Premises User Guide has all the details for certificate installation.

I bought an SSL certificate issued by Sectigo Limited; for the validation it required a domain, so I used ours, but after import I'm still getting the HTTPS warning while accessing the administrator web interface (using the IP address). If I add the record <cnMaestr-ip-address> <mydomain> to the hosts file and access using the domain it works, but what about captive portal users?

@lorenzocasotto 

Change the guest portal name from IP address to hostname and that should help the WiFi users to get rid of the warning message. 

But this way, don't I need to add the record <cnMaestr-ip-address> <mydomain>? And will the website on my domain reply normally?

Anyway, I tried the captive portal with the record and I'm still getting the warning "the SSL certificate is not trusted".

As the same configuration on another network doesn't give me a problem, I eliminated the certificate, because I think the problem is that the clients are behind a FortiGate. Has anyone made it work in this situation? On the FortiGate they told me there isn't SSL inspection.

Your FortiGate is not doing the Captive Portal, so it should not matter here; you are using the cnMaestro-based captive portal. Can you see the details in that warning and see what exactly it's complaining about? Also, you can use an online SSL checker for the URL which is giving this certificate error:

https://www.sslshopper.com/ssl-checker.html

If your cnMaestro server has a public IP and a registered domain name, then you will be able to use this online tool. Once your cnMaestro UI itself doesn't show any certificate warning, your captive portal will also start working.

Also, if you are trying the captive portal through a standard browser, typing in some domain and then getting redirected over HTTPS, then it would raise certificate errors, as the redirection happens to the cnMaestro server and the certificate presented is for cnMaestro and not for that domain. This is a generic issue in the usage of captive portals, and that's why all new devices try to detect the captive portal over HTTP, and the browser tab shows a message "Open Network Login page" or may even automatically open a new window which displays the login page. Post-redirection, the login page can be over HTTPS, but the domain name in the URL for that login page should match the certificate being used for that SSL handshake.
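To make the two failure modes in this reply concrete (the AP answering an HTTPS request meant for another site, and a login page whose URL does not match its certificate), here is a small added model in Python; it is not Cambium's code, and the portal URL, SAN list and setting names are assumptions for illustration.

```python
"""Model of the captive-portal flow in the reply above (added example, not Cambium code).
The login URL, hostnames and SAN list are constructed for illustration."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

@dataclass
class PortalConfig:
    login_url: str              # portal login page the AP redirects to (hypothetical URL)
    cert_sans: List[str]        # DNS names in the portal certificate's subjectAltName
    redirect_https_only: bool = False   # the "Redirect: HTTPS only" WLAN setting
    cert_chain_complete: bool = True    # intermediates installed ("full chain certificate")

def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125 style match: exact name, or a wildcard in the left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # "*.example.net" covers "portal.example.net", not "a.b.example.net" or "example.net"
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def handle_request(cfg: PortalConfig, url: str, authenticated: bool) -> str:
    """What the AP does with a client request before and after portal sign-in."""
    if authenticated:
        return "pass"
    if urlsplit(url).scheme == "https":
        # Answering a TLS handshake for www.google.com with the portal's own certificate
        # is exactly what the browser is built to flag; HTTPS-only redirect drops it instead.
        return "drop" if cfg.redirect_https_only else "intercept-warning"
    # Plain HTTP (including the CNA detection probe) gets a temporary redirect to the login page.
    return "redirect:" + cfg.login_url

def login_page_warnings(cfg: PortalConfig) -> List[str]:
    """Why a browser would still warn once it lands on the login page itself."""
    host = urlsplit(cfg.login_url).hostname or ""
    reasons = []
    # An IP-address URL never matches a DNS SAN: this is the "hostname differs" warning.
    if not any(san_matches(host, s) for s in cfg.cert_sans):
        reasons.append("hostname mismatch")
    if not cfg.cert_chain_complete:
        reasons.append("incomplete chain")  # no path from the leaf to a trusted root
    return reasons
```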

The full warning message is "the security certificate of this network does not come from a trusted authority. connection to this network is not recommended".

What if I don't want to have a public IP and a registered domain name for the cnMaestro?

The FortiGate SSL inspection was enabled and is now disabled, but still warnings. Additional information:

Your PC doesn’t trust this website’s security certificate.
The hostname in the website’s security certificate differs from the website you are trying to visit.

Is there a way to avoid warnings without buying a domain and publishing the cnMaestro on the internet?

Hi,

We have the same problem with a Cambium cnPilot e600.

When we try to access the AP through its web interface we get a warning that the certificate is not valid.

After inspection this seems to be a certificate issued by Cambium itself, see the attached file.

For accessing the AP this poses no direct issue, since the APs are on a separate VLAN which should only be accessible to the IT crew.

But the same issue appears when redirecting the WiFi client after successful authentication on the SSID.

The Firefox browser has problems with the same invalid certificate and gives a timeout on the redirection URL.

Could this Cambium certificate be replaced with a valid one and, if so, what is the procedure to do so, through the AP itself or through on-premises cnMaestro?

Thanks for the advice,

Regards,

Diedrik