Art-of-WiFi / UniFi-API-client

A PHP API client class to interact with Ubiquiti's UniFi Controller API
MIT License

Captive Portal Loading UniFi-Signed Certificate Instead of Domain SSL Certificate #235

Closed jeffwray closed 1 month ago

jeffwray commented 1 month ago

@malle-pietje - While I know this isn’t specifically related to the API client itself, I’d still love to hear your insights.

First off, I want to thank you for creating the UniFi API client! I’ve been using it for a while now, and it has been incredibly helpful in my setup. As an OSS contributor, your work is much appreciated.

I’ve also noticed that you’re quite active in the UniFi community, and after reading through several of your posts while researching this issue, I wanted to get your take on a problem I’m facing.

I’m working with a self-hosted UniFi controller (AWS-hosted) and building a captive portal solution for my CDP. However, I’m encountering an intermittent issue where the captive portal seems to load a UniFi-signed certificate instead of the correct SSL certificate for my domain. This leads to users receiving the error:

“The identity of cannot be verified by Wi-Fi. Review the certificate details to continue.”

The issue resolves sometimes by:

I’ve posted a more detailed explanation of the issue and my configuration here on the UniFi community: https://community.ui.com/questions/Captive-Portal-Error-The-identity-of-lesscaptive-portal-Pre-Authorization-Allowancesgreater-cannot-/61e932ba-40fc-47e6-81d6-d9fb9c8691d2

I’d appreciate any advice or insights you might have!

malle-pietje commented 1 month ago

A few thoughts/suggestions here:

If you want, we can provide consulting services (a retainer) to go through this in one or more private sessions and get you going in the right direction. Building your own captive portal can be quite tricky, we know from experience...

Feel free to send an email to info AT artofwifi DOT net to discuss.

jeffwray commented 1 month ago

Thanks for the suggestions! Just to clarify, the SSL certificate issue I’m referring to is related to the actual captive portal itself, not the UniFi controller. The captive portal is using a domain that is SSL-terminated through CloudFlare, but intermittently the system seems to inject a UniFi-signed certificate, causing an identity verification error for users. This mainly occurs on AP reboots.

The custom captive portal is external, and the controller’s SSL cert shouldn’t come into play here. I’m mainly trying to figure out why the UniFi-signed certificate keeps showing up intermittently instead of the correct SSL certificate for the domain.

I’ve attached screenshots for your edification. Appreciate any further insights you might have on that!

malle-pietje commented 1 month ago

One thing: do not use Cloudflare when working with a captive portal. You have no control over where resources are hosted and therefore you will not be able to get the pre-auth access list entries set up correctly.
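
The pre-auth access list point above can be checked before rollout. The following is an added example, not part of the thread or of the UniFi-API-client code: it compares the addresses a portal's hostnames have been seen resolving to against the pre-auth allow list and reports the ones a guest could not reach before authorizing. It assumes the allow-list entries are IPv4 addresses or subnets; the hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Return the IPv4 addresses the resolver hands out right now (needs network).

    Call this repeatedly over time to build the observations used below;
    a CDN-fronted hostname can return different addresses on each lookup.
    """
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def uncovered(observations, allowlist):
    """Map each hostname to the sorted addresses that no allow-list entry covers.

    observations: {hostname: iterable of IPv4 strings seen across lookups}
    allowlist:    iterable of IPv4 address or CIDR strings (assumed entry format)
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    gaps = {}
    for host, addresses in observations.items():
        parsed = {ipaddress.ip_address(a) for a in addresses}
        missing = sorted(a for a in parsed
                         if not any(a in net for net in networks))
        if missing:
            gaps[host] = [str(a) for a in missing]
    return gaps


# Constructed sample data: documentation address ranges, hypothetical hostnames.
PREAUTH_ALLOWLIST = ["192.0.2.10", "198.51.100.0/28"]
OBSERVED = {
    # Portal page on a fixed address that is listed explicitly.
    "portal.example.net": ["192.0.2.10"],
    # Static assets behind a CDN: addresses drift outside the listed subnet.
    "assets.example.net": ["198.51.100.5", "198.51.100.20", "203.0.113.7"],
}

if __name__ == "__main__":
    for host, ips in uncovered(OBSERVED, PREAUTH_ALLOWLIST).items():
        print(f"{host}: not covered by pre-auth list: {', '.join(ips)}")
```
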

malle-pietje commented 1 month ago

👍