Using LetsEncrypt Certificate for Admin Access Breaks Captive Portal (8090)

See the answer on this thread: community.sophos.com/.../can-you-use-let-s-encrypt-certificate-for-port-8090-error-web-pages-captive-portal

If you visit WebAdmin it uses the Certificate that is selected in WebAdmin > Admin and user settings, giving the client browser just the certificate.

Captive Portal gives the browser that certificate plus the certificate chain (intermediate CA that signed it and the root CA). This can only work if the intermediate CAs are installed, otherwise it cannot return the chain. If Captive Portal is using the Out of Box ApplianceCertificate please make sure that all LE intermediate CAs are installed.

In EAP not all LE Intermediate CAs were included.  If you are in EAP and need this working you can add them manually.  All Intermediate LE certificates are included in GA, so this problem (not using the selected certificate) should not occur again.

Thanks.

After installing the E5 and E6 intermediate certificates, all is now working with Captive Portal when using the LetsEncrypt certificate.

Thanks for the suggestion but we have always has the web admin configured with a Split-horizon DNS as you described in your post.

Can you confirm (for example by using F12 and looking at Remote Address) that the connections to yourxg:8090/httpclient.html are using an IP address belonging to a LAN interface?

If so, can you please contact me in DM, share access id, and I can look at the system with debug logs on.

Thanks for the confirmation, those will be included in GA.

Not sure this is relevant now but the split DNS hostname we use does resolve internally to a LAN interface.