coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

JSON API over TLS #452

Closed heruan closed 5 years ago

heruan commented 5 years ago

How can I enable SSL for the JSON API (i.e. port 3990)? HS_UAMUISSL=on seems to do the trick for the UI, not the JSON API.

Thank you!

irongomme commented 5 years ago

You will need to use these options:

UAMPORT=3990
UAMUIPORT=3991
UAMUISSL
UAMALIASNAME=nas
UAMALIASIP=1.0.0.1
DOMAIN=mydomain.test
SSLCERTFILE=/path/to/my/certificate.crt
SSLKEYFILE=/path/to/my/certificate.key

Your certificate has to be valid.

Then you can call https://nas.mydomain.test/json/status, for example.

heruan commented 5 years ago

Thank you @irongomme for the quick response! You wrote UAMUIPORT twice with different values; is this a typo?

This is my config, which still doesn't work:

HS_WANIF=ens192
HS_LANIF=ens224
HS_NETWORK=10.238.31.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.238.31.1
HS_UAMPORT=3991
HS_UAMUIPORT=4991
HS_UAMUISSL=on
HS_UAMALIASIP=10.238.31.1
HS_UAMALIASNAME=captive
HS_DNS_DOMAIN=axians.it
HS_SSLKEYFILE=/etc/ssl/key.pem
HS_SSLCERTFILE=/etc/ssl/crt.pem
HS_SSLCAFILE=/etc/ssl/ca.pem
HS_DNS1=10.238.31.1
HS_DNS2=10.238.31.1
HS_UAMFORMAT=https://login.axians.it
HS_UAMHOMEPAGE=https://login.axians.it
# ... RADIUS config etc.

(Certificates are valid for *.axians.it)

With this config I get correctly redirected to the login page at https://login.axians.it (external web server), but the JSON API is still on plain HTTP:

$ curl -i https://captive.axians.it/json/status
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

$ curl -i http://captive.axians.it:3991/json/status
HTTP/1.0 200 OK
Connection: close
Pragma: no-cache
Expires: Fri, 01 Jan 1971 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 289
Content-Type: text/javascript

{"version":"1.0","clientState":0, ... }

What am I doing wrong?

irongomme commented 5 years ago

Yes, it was an error with the ports, I've fixed it!

Is the login page hosted on the router or externally on a server?

For my use:

heruan commented 5 years ago

Thank you Jérôme, I was finally able to make it work! I was confused since there is no setting for the SSL port. Is port 443 hardcoded in the CoovaChilli source? Plus, at runtime I can't see port 443 listening (using ss -lnt), nor do I see iptables rules, so it's still pretty much a mystery how this is handled!

kaellau commented 5 years ago

@irongomme Can you please advise if the SSL certificate is self-signed and I am using an IP address only? E.g. https://192.168.0.5:3990/json/status is not working in this case.

heruan commented 5 years ago

@12e1121 The browser must trust the certificate, so if you use a self-signed one you need to add it manually to the browser's trusted certificates.

kaellau commented 5 years ago

@heruan Added, but still no luck. Not sure which part has the error. Could you please advise?

HS_WANIF=eth0
HS_LANIF=wlan0
HS_NETWORK=192.168.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.0.1
HS_REDSSL=on
HS_SSLKEYFILE=/path/to/key/key.key # self-signed
HS_SSLCERTFILE=/path/to/cert/cert.cert
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
# OpenDNS Servers
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://192.168.0.5:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT

heruan commented 5 years ago

Try adding HS_UAMALIASNAME=192.168.0.5.

kaellau commented 5 years ago

@heruan Unfortunately it is still not working. I tried to debug on my captive portal and it seems that ChilliController.ssl is returning false. That is weird. Do you have any idea?

nzamps commented 5 years ago

Check these are as below:

HS_UAMUISSL=on
HS_REDIRSSL=on

kaellau commented 5 years ago

@nzamps I double-checked that those parameters were set in my config file, but still no luck. Here is my full list.

HS_WANIF=eth0
HS_LANIF=wlan0
HS_NETWORK=192.168.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.0.1
HS_UAMALIASNAME=192.168.0.1
HS_REDIRSSL=on
HS_UAMUISSL=on
HS_SSLKEYFILE=/path/to/key/key.key # self-signed
HS_SSLCERTFILE=/path/to/cert/cert.cert # self-signed
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
# OpenDNS Servers
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://192.168.0.1:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT

And I restarted all services:

sudo /etc/init.d/nginx restart
sudo /etc/init.d/chilli restart

kaellau commented 5 years ago

I think I am facing exactly the same problem as #457.

htnghia90 commented 5 years ago

Hi @12e1121, I configured it like that but it doesn't work. I can show the status at http://10.1.0.1:3990/json/status but https is not allowed. Here is my configuration. It is a TP-Link Archer C7.

/etc/chilli/default:

HS_WANIF=eth0.2
HS_LANIF=br-lan
HS_NETWORK=10.1.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.1.0.1
HS_UAMALIASNAME=10.1.0.1
HS_REDIRSSL=on
HS_UAMUISSL=on
HS_SSLKEYFILE=/etc/ssl/mycert.key # self-signed
HS_SSLCERTFILE=/etc/ssl/mycert.cert # self-signed
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220

HS_NASID=nas01
HS_UAMALIASNAME=chilli
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://10.1.0.1:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT
HS_MODE=hotspot
HS_TYPE=coovachilli
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://coova.github.io/
HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal

uhttpd configuration:

config uhttpd main
	list listen_http 0.0.0.0:80
	list listen_http [::]:80
	list listen_https 0.0.0.0:443
	list listen_https [::]:443
	option redirect_https 1
	option home /www
	option rfc1918_filter 1
	option max_requests 3
	option max_connections 100
	option cert /etc/ssl/mycert.crt
	option key /etc/ssl/mycert.key
	option cgi_prefix /cgi-bin
	option lua_prefix /luci
	option lua_handler /usr/lib/lua/luci/sgi/uhttpd.lua
	option script_timeout 60
	option network_timeout 30
	option http_keepalive 20
	option tcp_keepalive 1

config cert defaults
	option days 730
	option bits 2048
	option country ZZ
	option state Somewhere
	option location Unknown
	option commonname 'OpenWrt'

I created the https certificate following this link: https://openwrt.org/docs/guide-user/luci/getting-rid-of-luci-https-certificate-warnings

Could you take a look for me please? Thanks so much.

irongomme commented 5 years ago

I really recommend using a real certificate with a specific dedicated domain for the JSON API over TLS, and not a self-signed certificate! It is easy to obtain one with Let's Encrypt.

kaellau commented 5 years ago

@irongomme @nzamps @heruan Thanks for your help. I managed to run the JSON API over https using the same configuration. (I need to accept an ugly self-signed certificate in the browser, though.) I found out my problem was that the certs location was not correct.

@htnghia90 Try debugging with sudo chilli -fd -c /etc/chilli.conf.

htnghia90 commented 5 years ago

Hi @12e1121, do you have another way to check that? Because the AP doesn't listen on https, there is no reply from the AP to the client (my laptop) when my laptop sends a request over https; chilli -fd -c /etc/chilli.conf doesn't show anything because it doesn't listen on https://10.1.0.1:3990. When the laptop opens https://10.1.0.1:3990, it reports a timeout. How do you create the certificate? Could you give me a link for creating a new certificate? I think I have a problem with that. Thank you.
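
The failure modes in this thread can be told apart with a single probe: heruan's alias port answered plain HTTP (curl: (35) ... unknown protocol), kaellau's self-signed, IP-only setup needed the browser to trust the certificate, and htnghia90's https request simply timed out. The script below is an added diagnostic, not CoovaChilli's code nor any poster's. It tries TLS first with full chain and name/IP-SAN verification, and only when the peer is evidently not speaking TLS does it retry plain HTTP on the same port, so the verdict says which of those three situations you are in. The host, port and cafile arguments are whatever you would type into the browser (the UAM alias name or IP, and the self-signed PEM to trust); the small stub server is a constructed stand-in for a chilli UAM port left on plain HTTP, included only so the probe can be exercised offline. One caveat for htnghia90's posted /etc/chilli/default: it assigns HS_UAMALIASNAME twice, and since that file is read by the shell the last assignment (chilli) is the one in effect, so the probe should be pointed at the name the certificate actually carries.

```python
"""Probe a CoovaChilli JSON API endpoint and report what the port speaks.

Added diagnostic, not CoovaChilli code. Verdicts ('transport' key):
  tls         - handshake + certificate verification succeeded, JSON returned
  tls         - served over TLS but the certificate was rejected (see 'detail')
  plain-http  - the port answers HTTP without TLS (what curl reports as error 35)
  closed / unreachable - nothing answered (refused, timeout, no route)
"""
import http.client
import json
import socket
import ssl
import sys
import threading


def _http_get(conn, path):
    """Issue one GET on an open http.client connection; parse JSON when possible."""
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    return resp.status, data


def probe_json_api(host, port, cafile=None, path="/json/status", timeout=5.0):
    """Return {'transport', 'status', 'json', 'detail'} for host:port/path.

    host is the name or IP the browser would use (the UAM alias); the server
    certificate's SAN is checked against it. cafile is the PEM to trust for a
    self-signed setup (None = system trust store).
    """
    result = {"transport": None, "status": None, "json": None, "detail": ""}
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname/IP-SAN check
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        result["status"], result["json"] = _http_get(conn, path)
        result["transport"] = "tls"
        result["detail"] = "TLS handshake and certificate verification succeeded"
        return result
    except ssl.SSLCertVerificationError as exc:
        result["transport"] = "tls"
        result["detail"] = "TLS is served, but the certificate was rejected: %s" % exc.verify_message
        return result
    except ssl.SSLError as exc:
        # A plain-HTTP listener answers the ClientHello with an HTTP response
        # (reason WRONG_VERSION_NUMBER / UNKNOWN_PROTOCOL); retry without TLS below.
        tls_error = exc.reason or str(exc)
    except ConnectionRefusedError as exc:
        result["transport"] = "closed"
        result["detail"] = "nothing listens on %s:%d (%s)" % (host, port, exc)
        return result
    except OSError as exc:  # timeout, no route, DNS failure
        result["transport"] = "unreachable"
        result["detail"] = "no answer from %s:%d (%s)" % (host, port, exc)
        return result

    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        result["status"], result["json"] = _http_get(conn, path)
        result["transport"] = "plain-http"
        result["detail"] = "port speaks plain HTTP, not TLS (TLS error: %s)" % tls_error
    except (OSError, http.client.HTTPException) as exc:
        result["transport"] = "unknown"
        result["detail"] = "TLS failed (%s) and plain HTTP failed too (%s)" % (tls_error, exc)
    return result


def start_plain_http_stub(body=b'{"version":"1.0","clientState":0}'):
    """Constructed stand-in for a chilli UAM port left on plain HTTP (test data).

    Answers every connection with an HTTP/1.0 response regardless of what arrived,
    a TLS ClientHello included, which is exactly what makes curl fail with error 35.
    Returns (listening socket, port); close the socket when done.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    reply = (b"HTTP/1.0 200 OK\r\nContent-Type: text/javascript\r\n"
             b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            with client:
                client.recv(4096)  # request line or ClientHello; ignored either way
                client.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python3 probe.py <host-or-ip> <port> [cafile.pem]
        target, tport = sys.argv[1], int(sys.argv[2])
        ca = sys.argv[3] if len(sys.argv) > 3 else None
    else:  # no target given: run against the constructed plain-HTTP stub
        stub, tport = start_plain_http_stub()
        target, ca = "127.0.0.1", None
    print(json.dumps(probe_json_api(target, tport, cafile=ca), indent=2))
```

Against a real box, run it as python3 probe.py captive.axians.it 443 (or 192.168.0.1 443 /path/to/cert.cert for the self-signed, IP-only case, where the certificate must carry an IP SAN for that address or verification fails even with the PEM trusted). A plain-http verdict means the TLS options never took effect on that port; a tls verdict with a rejected certificate means the TLS side works and only trust or the SAN is wrong; unreachable is the timeout htnghia90 describes.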

kaellau commented 5 years ago

@htnghia90 You may try this to set up an entire new hotspot system.