Can you use Let's Encrypt certificate for port 8090 error web pages (Captive Portal?)

I've been using a self-signed certificate with its name being the IP address of Port 1 (my LAN). And in Admin and User Settings, I specify this certificate and set it to Use the IP Address of the First Internal Interface, which works. (Though I think because I've also put the device's self-CA certificate on all of my own internal machines and trusted it, to support TLS decryption and inspection.)

So I figured it'd make it easier for guests if I used the Let's Encrypt certificate. In Admin and User Settings, this would seem to require choosing Use the Firewall's Configured Host Name. And that seemed to check -- but not work -- once, but trying it again, Check Settings says that the hostname does not resolve to an internal interface's IP address.

This should be fairly straightforward, shouldn't it? Shouldn't a URL whose hostname's IP is my EXTERNAL IP (Port 2) somehow be able to work internally with the Let's Encrypt certificate? I've created a loopback NAT to Port 1, which does fire off, but evidently I need to do more. I tried creating an ACL exception rule (since Firewall rules don't work with local services), and that's not worked either.

It LOOKED like it worked at first because I could get to the HTTPS console via the hostname, but it wasn't actually working correctly. (I do not have internal DNS, My firewall hostname is my domain name.)

  • The Captive Portal service on port 8090 (and the NTLM/Kerberos service on port 8091) will only accept connections addressed to IP addresses of internal zone interfaces.

    The best solution for this is to use Split-horizon DNS.

    This means using an internal DNS Server, and configuring that to respond to all internal queries for your Firewall's name, with an internal/LAN IP address for your firewall.

    If you are using your Firewall as a local DNS resolver for clients on the network, you can do this with the 'DNS host entry' feature on the Network > DNS page.

    The alternative is to configure your redirection URL to use an IP address under Administration > Admin and user settings. This will initially cause certificate errors, although most browsers will remember the decision to ignore the warning when the destination URL is a local IP address. It's not a great option, unfortunately.
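As an added illustration (not from the original post or the firewall vendor), the following Python model shows why the Check Settings test fails without split-horizon DNS and passes with it. All addresses, the host name fw.example.com and the override table are constructed assumptions; the override table plays the role of the 'DNS host entry' described above, and the acceptance rule mirrors the port 8090 behaviour of only accepting connections addressed to an internal interface IP.

```python
import ipaddress

# Constructed sample topology (assumptions, not values from the post):
FIREWALL_HOSTNAME = "fw.example.com"                 # the firewall's configured host name
INTERNAL_INTERFACES = ["192.168.1.1", "10.10.0.1"]   # LAN-side (Port 1 style) addresses
PUBLIC_DNS = {"fw.example.com": "203.0.113.5"}       # public A record (WAN / Port 2 address)

# The split-horizon view: an internal-only override for the firewall's name,
# equivalent in spirit to the 'DNS host entry' the answer describes.
INTERNAL_OVERRIDES = {"fw.example.com": "192.168.1.1"}


def resolve(hostname, from_internal, overrides, public=PUBLIC_DNS):
    """Address a client gets for hostname, depending on which side it asks from.

    Internal clients consult the override table first; everyone else (and
    internal clients with no override) gets the public record.
    """
    if from_internal and hostname in overrides:
        return overrides[hostname]
    if hostname in public:
        return public[hostname]
    raise LookupError(f"no record for {hostname}")


def is_internal_interface(address, internal_interfaces=INTERNAL_INTERFACES):
    """Mirror of the port 8090 rule: only connections addressed to an internal
    interface IP are accepted."""
    return ipaddress.ip_address(address) in {
        ipaddress.ip_address(a) for a in internal_interfaces
    }


def check_redirect_setting(hostname, overrides, public=PUBLIC_DNS,
                           internal_interfaces=INTERNAL_INTERFACES):
    """Reproduce 'Check Settings': resolve the host name as an internal client
    would and verify the answer is an internal interface IP.
    Returns (ok, resolved_ip)."""
    ip = resolve(hostname, from_internal=True, overrides=overrides, public=public)
    return is_internal_interface(ip, internal_interfaces), ip


if __name__ == "__main__":
    for label, overrides in (("no split-horizon", {}), ("split-horizon", INTERNAL_OVERRIDES)):
        ok, ip = check_redirect_setting(FIREWALL_HOSTNAME, overrides)
        print(f"{label:16} internal view -> {ip:14} captive portal reachable: {ok}")
    # The public view is unchanged either way, so the name still points at the
    # WAN address for Let's Encrypt validation and for remote clients.
    print("public view      ->",
          resolve(FIREWALL_HOSTNAME, from_internal=False, overrides=INTERNAL_OVERRIDES))
```

Without the override the internal client receives the WAN address, the portal refuses it, and the Check Settings test fails; with the override the same name resolves to the LAN address internally while external resolution is untouched, so the Let's Encrypt certificate matches the name in both cases.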
