Lately I’ve developing a customized captive portal for a BYOD business. At start I used an internal certificate authority and installed it on every server on the network just to show that green padlock . It wasn’t really a big deal if other users of the network will see the certificate error because they’d really never think about it. They are there for the internet connection and would do anything to stay connected regardless of the those errors they see.
When I started to invite my friends to connect they find it troublesome to keep seeing that certificate error, I came to a realisation that even normal users are annoyed by it, so much more when it is released into public .
Luckily PFSense has an ACME package where you can install a LetsEncrypt certificate and has a built in cron to renew try and renew the certificate on your specified days. Installing the certificate was a trouble when I started because I attempted to do a verification using DNS-manual where it’s a pain in the A** especially with a very slow DNS like namecheap’s BASIC DNS. Anyway, I moved the DNS to Digital Ocean and tried to add in the acme challenge but PFSense couldn’t pick it up. As an alternative I used cloudflare and pointed the subdomains to their DNS Servers as shown in the image.
And inside PFSense I created a new acme certificate using my cloudflare API and email address.
And I clicked the renew/issue button. In a few seconds you PFSense will create the txt acme challenge on your cloudflare DNS record as seen in the image below
Here is how it looks in PFSense once the certificate is created.
After creating the certificate, I created a host override to tell the network that it is being hosted at this IP. Config is in Services > DNS Resolver > General Settings. Below I added an override rule.
After configuring DNS, I configured the https certifcate to use the newly created certificated issued by LetsEncrypt. Configured in System > Advanced > Admin Access
Don’t forget to disable the DNS Rebinding Check because this will throw an error hiding the Login form when you access the portal using the domain/subdomain.
After setting up the certificate, I configured Captive Portal to point to the new domain/subdomain with the valid certificate generated by LetsEncrypt.
And now I am getting a valid certificate when users try to connect to the network.
If you are interested on how I customised the pfsense captive portal template I will be publishing it in my GitHub Repo after finishing everything. The set-up is API based with a self hosted SMS gateway.