Closed heruan closed 5 years ago
You will need to use these options:
UAMPORT=3990
UAMUIPORT=3991
UAMUISSL
UAMALIASNAME=nas
UAMALIASIP=1.0.0.1
DOMAIN=mydomain.test
SSLCERTFILE=/path/to/my/certificate.crt
SSLKEYFILE=/path/to/my/certificate.key
Your certificate has to be valid.
Then you can call https://nas.mydomain.test/json/status, for example.
Thank you @irongomme for the quick response! You write UAMUIPORT twice with different values, is this a typo?
This is my config, which still doesn't work:
HS_WANIF=ens192
HS_LANIF=ens224
HS_NETWORK=10.238.31.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.238.31.1
HS_UAMPORT=3991
HS_UAMUIPORT=4991
HS_UAMUISSL=on
HS_UAMALIASIP=10.238.31.1
HS_UAMALIASNAME=captive
HS_DNS_DOMAIN=axians.it
HS_SSLKEYFILE=/etc/ssl/key.pem
HS_SSLCERTFILE=/etc/ssl/crt.pem
HS_SSLCAFILE=/etc/ssl/ca.pem
HS_DNS1=10.238.31.1
HS_DNS2=10.238.31.1
HS_UAMFORMAT=https://login.axians.it
HS_UAMHOMEPAGE=https://login.axians.it
# ... RADIUS config etc.
(Certificates are valid for *.axians.it)
With this config I get correctly redirected to the login page at https://login.axians.it (external web server), but the JSON API is still on plain HTTP:
$ curl -i https://captive.axians.it/json/status
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
$ curl -i http://captive.axians.it:3991/json/status
HTTP/1.0 200 OK
Connection: close
Pragma: no-cache
Expires: Fri, 01 Jan 1971 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 289
Content-Type: text/javascript
{"version":"1.0","clientState":0, ... }
What am I doing wrong?
Yes, it was an error for the ports, I've fixed it!
Is the login page hosted on the router or externally on a server?
For my use:
Thank you Jérôme, I was finally able to make it work! I was confused since there is no setting for the SSL port. Is port 443 hardcoded in the CoovaChilli source? Plus, during runtime I can't see port 443 listening (using ss -lnt) nor do I see iptables rules, so it's still pretty much a mystery how this is handled!
@irongomme Can you please advise if the SSL is self-signed and I am using an IP address only? E.g. https://192.168.0.5:3990/json/status is not working in this case.
@12e1121 The browser must trust the certificate, so if you use a self-signed one you need to add it manually to the browser trusted certificates.
@heruan Added but still no luck. Not sure which part having error. Could you please advise?
HS_WANIF=eth0
HS_LANIF=wlan0
HS_NETWORK=192.168.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.0.1
HS_REDSSL=on
HS_SSLKEYFILE=/path/to/key/key.key # self-signed
HS_SSLCERTFILE=/path/to/cert/cert.cert
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
# OpenDNS Servers
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://192.168.0.5:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT
Try adding HS_UAMALIASNAME=192.168.0.5.
@heruan Unfortunately it is still not working. I tried to debug on my captive portal and it seems that ChilliController.ssl is returning false. That is weird. Do you have any idea?
Check these are as below:
HS_UAMUISSL=on
HS_REDIRSSL=on
@nzamps I double confirmed those parameters were set in my config file but still no luck. Here is my full list.
HS_WANIF=eth0
HS_LANIF=wlan0
HS_NETWORK=192.168.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.0.1
HS_UAMALIASNAME=192.168.0.1
HS_REDIRSSL=on
HS_UAMUISSL=on
HS_SSLKEYFILE=/path/to/key/key.key # self-signed
HS_SSLCERTFILE=/path/to/cert/cert.cert # self-signed
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
# OpenDNS Servers
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://192.168.0.1:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT
And I restarted all services:
sudo /etc/init.d/nginx restart
sudo /etc/init.d/chilli restart
I think I'm facing exactly the same problem as #457.
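As an added example (not code from the thread or from the CoovaChilli project), here is a small Python checker that parses a defaults-style file like the ones posted above and reports the settings the thread converges on: HS_UAMUISSL=on, the cert/key paths and HS_UAMALIASNAME set, and an alias that is a hostname the certificate covers rather than a bare IP. The wildcard matching and the joining of a short alias with HS_DNS_DOMAIN are my assumptions about what clients will see, not CoovaChilli's own logic, and the sample config is constructed.

```python
import re

# Constructed sample in the style of the configs above (IP alias + self-signed cert case).
SAMPLE_CONFIG = """
HS_UAMLISTEN=192.168.0.1
HS_UAMALIASNAME=192.168.0.1
HS_UAMUISSL=on
HS_SSLKEYFILE=/path/to/key/key.key # self-signed
HS_SSLCERTFILE=/path/to/cert/cert.cert # self-signed
HS_UAMSERVER=$HS_UAMLISTEN
"""

def parse_defaults(text):
    """Parse KEY=VALUE lines: strip # comments and quotes, expand $HS_* references."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            val = re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), ""), val.strip().strip('"'))
            values[key.strip()] = val
    return values

def name_matches_san(hostname, sans):
    """True if an exact or single-label wildcard DNS SAN covers hostname (assumed matching rule)."""
    host = hostname.lower()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            # one label only: *.axians.it covers captive.axians.it, not a.b.axians.it
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif host == san:
            return True
    return False

def check_ssl_config(cfg, cert_sans):
    """Return a list of problems; an empty list means the JSON API can be served over TLS."""
    problems = [f"{k} is not set" for k in ("HS_UAMALIASNAME", "HS_SSLCERTFILE", "HS_SSLKEYFILE")
                if not cfg.get(k)]
    if cfg.get("HS_UAMUISSL") != "on":
        problems.append("HS_UAMUISSL must be 'on'")
    alias = cfg.get("HS_UAMALIASNAME", "")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", alias):  # failure mode seen above: alias is a bare IP
        problems.append("HS_UAMALIASNAME is an IP address; use a hostname the certificate is valid for")
    elif alias:
        # a short alias plus HS_DNS_DOMAIN is the name clients use, e.g. captive.axians.it
        fqdn = alias if "." in alias else f"{alias}.{cfg.get('HS_DNS_DOMAIN', '')}"
        if not name_matches_san(fqdn, cert_sans):
            problems.append(f"certificate SANs {cert_sans} do not cover {fqdn}")
    return problems
```

Run it with `check_ssl_config(parse_defaults(open("/etc/chilli/defaults").read()), ["<SANs from your cert>"])` after reading the SANs out of the certificate with openssl.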
Hi @12e1121, I configured it like that but it doesn't work. I can see the status at http://10.1.0.1:3990/json/status but https is not allowed. Here is my configuration. It is a TP-Link Archer C7.
/etc/chilli/default
HS_WANIF=eth0.2
HS_LANIF=br-lan
HS_NETWORK=10.1.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.1.0.1
HS_UAMALIASNAME=10.1.0.1
HS_REDIRSSL=on
HS_UAMUISSL=on
HS_SSLKEYFILE=/etc/ssl/mycert.key # self-signed
HS_SSLCERTFILE=/etc/ssl/mycert.cert # self-signed
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_COAPORT=3799
HS_TCP_PORTS="80 443"
HS_DNS1=208.67.222.222
HS_DNS2=208.67.220.220
HS_NASID=nas01
HS_UAMALIASNAME=chilli
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://10.1.0.1:443
HS_UAMHOMEPAGE=$HS_UAMFORMAT
HS_MODE=hotspot
HS_TYPE=coovachilli
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://coova.github.io/
HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal
uhttpd config
config uhttpd main
	list listen_http 0.0.0.0:80
	list listen_http [::]:80
	list listen_https 0.0.0.0:443
	list listen_https [::]:443
	option redirect_https 1
	option home /www
	option rfc1918_filter 1
	option max_requests 3
	option max_connections 100
	option cert /etc/ssl/mycert.crt
	option key /etc/ssl/mycert.key
	option cgi_prefix /cgi-bin
	option lua_prefix /luci
	option lua_handler /usr/lib/lua/luci/sgi/uhttpd.lua
	option script_timeout 60
	option network_timeout 30
	option http_keepalive 20
	option tcp_keepalive 1
config cert defaults
	option days 730
	option bits 2048
	option country ZZ
	option state Somewhere
	option location Unknown
	option commonname 'OpenWrt'
I created the https certificate following this link: https://openwrt.org/docs/guide-user/luci/getting-rid-of-luci-https-certificate-warnings
Could you take a look for me please? Thanks so much.
I really recommend using a real certificate with a specific dedicated domain for the JSON API over TLS, and not a self-signed certificate! It is easy to obtain one with Let's Encrypt.
@irongomme @nzamps @heruan Thanks for your help. I managed to run the JSON API over https using the same configuration. (Need to accept an ugly self-signed certificate in the browser though.) I found out my problem was that the certs location was not correct.
@htnghia90 Try debugging using sudo chilli -fd -c /etc/chilli.conf.
Hi @12e1121, do you have another way to check that? Because the AP doesn't listen on https, there is no reply from the AP to the client (my laptop) when my laptop sends a request over https; chilli -fd -c /etc/chilli.conf doesn't show anything because it doesn't listen on https://10.1.0.1:3990. When the laptop opens https://10.1.0.1:3990 it reports a timeout. How do you create the certificate? Could you give me a link for creating a new certificate? I think I have a problem with that. Thank you.
How can I enable SSL for the JSON API (i.e. port 3990)?
HS_UAMUISSL=on
seems to do the trick for the UI, not the JSON API. Thank you!