Captive portal, SSL and Intermediate CA problem

Updated 2 years ago
Hi.

We have recently had a Ruckus wireless network installed. Everything from the APs to the pair of ZD3050s configured as a smart-redundant pair is working well, except for the captive portal.

We have two SSIDs set up to authenticate against separate captive portals from separate auth servers. It is functional to some degree; however, we are having problems with certificates.

We purchased a cert (wifi.domain.ac.uk) from Janet which comes in two parts, the intermediate CA and the device cert itself. They both load onto the ZD fine, but when we try to access the login page from a mobile device or laptop we get a certificate error, even though when we access the URL from a machine inside the network everything is green.

There are two possibilities as far as I can see. Using the command below we only get the intermediate cert back, not the full chain:
$ openssl s_client -connect wifi.tower.ac.uk:443
Which returns this:

---
CONNECTED(00000003)
depth=0 C = GB, ST = London, L = LONDON, O = Tower Hamlets College, CN = wifi.tower.ac.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
...
---
Certificate chain
 0 s:/C=GB/ST=London/L=LONDON/O=Tower Hamlets College/CN=wifi.tower.ac.uk
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
---

This seems to be wrong, as the web server should respond with the entire chain, not just a single cert:
http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experi...

Another idea is that there is something OCSP-related in the captive portal that we need to explicitly allow, but I'm new to that part of X.509.

Can any big forum brains point us towards an easy fix for this silliness?

PS: we are running the latest firmware on the ZDs: 9.12.0.0 build 336

Thanks
Martin
Martin Christopher


Posted 2 years ago

Martin Christopher

Unfortunately it's a bit of an egg-on-face / RTFM moment.

We went back through the SSL configuration and re-installed the certificates in the correct order, and it all works.

In short, the 'correct' order is "Root CA cert, intermediate cert, then device cert."

Hope this helps someone else tearing their hair out.
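As an added example (not code from the original post, and not anything from Ruckus or Janet), the script below reproduces both halves of this thread offline with the openssl CLI. It builds a throwaway root CA, intermediate CA and device certificate for a hypothetical host wifi.example.ac.uk, shows that a client holding only the root rejects the device cert on its own with the same "unable to get local issuer certificate" (num=20) error that s_client printed above, and then shows that the same device cert verifies once the intermediate is supplied, either directly or via a bundle assembled in the order the fix describes (root, intermediate, device). All names, subjects and the temporary working directory are assumptions made for the example; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: model the "missing intermediate" failure and the fixed chain
# with openssl. Assumes openssl (1.0.2 or newer) is on PATH; all names below
# are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for a CA certificate (root and intermediate) and for the server leaf.
ca_ext()   { printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
leaf_ext() { printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:wifi.example.ac.uk\n'; }

# gen_key_csr <basename> <subject>: fresh RSA key plus a CSR for it.
gen_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

ca_ext   > ca.ext
leaf_ext > leaf.ext

# 1. Root CA: self-signed.
gen_key_csr root "/O=Example Trust/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA: signed by the root (the role QuoVadis Global SSL ICA G2 plays above).
gen_key_csr ica "/O=Example Trust/CN=Example Issuing CA G2"
openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out ica.pem 2>/dev/null

# 3. Device (server) certificate: signed by the intermediate, never by the root.
gen_key_csr wifi "/C=GB/O=Example College/CN=wifi.example.ac.uk"
openssl x509 -req -in wifi.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out wifi.pem 2>/dev/null

# A client that trusts the root but is handed only the device cert: this is the
# state the portal was in. openssl verify reports error 20 here.
verify_leaf_only() {
  if openssl verify -CAfile root.pem wifi.pem >/dev/null 2>&1; then echo complete; else echo incomplete; fi
}

# The install order from the fix: root CA, intermediate, then device cert.
# Prints the number of certificates in the resulting bundle.
build_bundle() {
  cat root.pem ica.pem wifi.pem > bundle.pem
  grep -c 'BEGIN CERTIFICATE' bundle.pem
}

# verify_with_chain <untrusted-file>: same client, but now the intermediate is
# available (as it would be once the server sends it), so the chain closes.
verify_with_chain() {
  if openssl verify -CAfile root.pem -untrusted "$1" wifi.pem >/dev/null 2>&1; then echo complete; else echo incomplete; fi
}

echo "device cert only:        $(verify_leaf_only)"              # incomplete
echo "bundle certs:            $(build_bundle)"                  # 3
echo "with intermediate:       $(verify_with_chain ica.pem)"     # complete
echo "with root+ica+device:    $(verify_with_chain bundle.pem)"  # complete
```

After re-installing in the right order, confirm the fix from outside the network with `openssl s_client -connect wifi.tower.ac.uk:443 -showcerts`: the "Certificate chain" section should now list the QuoVadis intermediate as entry 1 below the device cert, and the num=20 verify error should be gone. A TLS server sends its own certificate first followed by the issuing certificates; the root itself is optional on the wire because clients already hold it in their trust store, which is why the device cert alone "looked green" only on machines that happened to have the intermediate cached.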