HTTPS problem on hotspot

Hi all,
I have activated hotspot for wifi users on my RB951. The problem is that when users type google.com, they are redirected to https://google.com and an SSL error appears: “Unable to make a secure connection to the server.”

This only happens when users try to access a https site. Normal http sites redirect correctly to the hotspot login page.

Does anyone have a possible solution to this?

If the hotspot is not re-directing that traffic correctly then there may be something wrong with the dynamic rules that get created. Look in the firewall, under NAT, and see if there are rules for port 80 and port 443. They should be dynamically created. Make sure that there are not any static NAT rules above the dynamically created ones. Which router OS version are you using?

Hotspot does not redirect SSL 443 sites, unless you enable HTTPS redirection and run the hotspot on 443 on the Mikrotik.

You will then substitute the lack of redirects for an HTTPS certification error.

That is sad to hear. No known workaround yet without using https on hotspot? I think it is better not to have a certificate error as it would confuse the customers.

hi friends,
I installed hotspot on rb2011, my problem is no redirect of https pages,
can anyone help me to redirect https? the ssl alert, never mind

YOU STILL NEED ONE SSL CERTIFICATE (TRUSTED OR YOURSELF MADE, BUT VALID) TO MAKE HTTPS WORK!!!


Create one fake for your own (change the fields accordingly):

/certificate add name=self-signed-certificate common-name=common-name country=it days-valid=365 key-size=2048 locality=locality organization=organization state=state trusted=yes unit=organization-unit subject-alt-name=DNS:my.local.net,IP:192.168.0.101,email:my@email.it key-usage=digital-signature,key-cert-sign,crl-sign;
/certificate sign template=self-signed-certificate ca-crl-host=192.168.0.101 name=common-name ca-on-smart-card=no;

and enable ip / service / www-ssl and set the service to use certificate “common-name”
and enable, on hotspot profile, login by https, selecting as certificate “common-name”
:laughing:

You can not remove browser warning.
If you buy one ssl certificate, buy it for 1.2.3.4, not for hs.pippo.com or when redirect warning appear.
But if IP are correct, all work without warning, because the certificate are for IP, not for DNS name…

I don’t actually mind the error when it's a https site… it seems that using the above method does work but still brings up an SSL error on every page… is there any way of getting MT to use https when a https site is requested and using http every other time?

Best,
Patrick.

Hi,

I have the same issue, may I know where to buy the cert to avoid the warning page?

Thanks & regards

You can buy certs through most of the hosting sites like Go Daddy, Site Ground, Network Solutions, etc.

I have V6.10 and the second command shows an error: expected end of command (line 1 column 52); the first command is OK.

Update to 6.18

on 6.7 ca-crl-host and ca-on-smart-card are unsupported, try to remove it:

/certificate sign template=self-signed-certificate name=common-name

rextended

We are now working with 100% secure hotspot with a valid SSL,

but when users try to access initial page with ssl like https://www.google.com

still warning.

In another post you said something about 2 redirects to solve this kind of problem.

can you explain how you do this?

Ps: Sorry about English.

As written in my post before:

You can not remove browser warning.
If you buy one ssl certificate, buy it for 1.2.3.4, not for hs.pippo.com or when redirect warning appear.
But if IP are correct, all work without warning, because the certificate are for IP, not for DNS name…

Hello,
to bypass the ssl warning on the redirecting https sites to hotspot login page (because they are not in the walled garden), I assume we can solve with a certificate?
Do we need multiple certificates for multiple hotspot ip addresses? For example one hotspot is on 10.1.10.x/24, next is on 10.1.11.x/24 etc.

Thanks in advance,
Vedran

yes, one for each IP

my solution to this long time problem as high percentage of browsers home pages are set to google.com

add this expression to your walled garden in the host field

:^www.google.com$ with port 443

now when they are directed to https://google.com the google page will load instead of an error, Better in my opinion than an error. 99 times out of a 100 the user will click on a http link and get the login page.

I wasn't clear enough, we have multiple hotspot locations, each hotspot in each city; however, all of them are going through vpn to one public ip address, the central data center.
I was wondering if one certificate for that one public ip address is going to be enough to cover all of the hotspots that go through it?


Thanks in advance,
Vedran S.

Thank you karina, after 4 hours of trying to get rid of the warning your solution is the best suited for my config. I only use the hotspot to tell users to connect via PPPOE and show them a small tutorial on how to create a PPPOE connection, so buying a certificate yearly for 55 euros was the LAST option. And the warning translated from my native language in chrome says that someone is trying to steal their passwords and hijack their web pages, which for a small ISP is very bad publicity.

You can not buy a certificate for a local IP. All certification companies require a public IP or public DNS.

It is only possible by creating a certificate from Linux, but then the browser displays a warning that the certificate is not trusted.

Is there any solution?

While what you say is true, there is another way: You can go to www.startssl.com and get yourself a FREE level1 SSL certificate for your domain (which must exist) and use that DNS name for your mtik HS portal like this:

  1. make sure you have a real domain, for example: mysite.com
  2. create a working email address webmaster@mysite.com
  3. decide which FQDN will your hotspot portal use, for example: hotspot.mysite.com
  4. on mikrotik edit server profile, general, and for DNS name use hotspot.mysite.com
  5. on startssl website verify your domain through email and create a free ssl cert for hotspot.mysite.com
  6. have in mind that mikrotik hotspot portal IP address can be any address, even 1.1.1.1 it does not matter!
  7. import the ssl cert (I know how to do it, but that’s another topic) and try to login as guest - it will work with HTTP and your browser will redirect to https://hotspot.mysite.com/login?dst=where.you.initially.tried.to.go

I hope this solves most of your issues so you can now help me:
When the person tries to go to http://www.domain.com it redirects to the https portal and the ssl cert works and everything is very cool
But when the person tries to go to https://www.google.com then the mikrotik does not redirect anywhere - the connection is just dead!

I have checked firewall rules and they seem OK to me, but obviously something is wrong because many people complain about this problem. Does anyone know what is the problem?
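
Added example, not part of the thread and not MikroTik code: a sketch of the name check a browser applies to the certificate it receives, which shows why a hotspot certificate works for the login page but cannot validate when the hotspot answers a request for https://www.google.com, and why a certificate issued for an IP only matches when the page is opened by that IP. The certificates are constructed dicts in the layout of Python's `ssl.SSLSocket.getpeercert()`; the host names are the ones used in the posts above.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Compare one DNS SAN with a host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_covers(cert: dict, requested: str) -> bool:
    """True if the certificate's subjectAltName covers what the browser asked for."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are matched only against "IP Address" entries, never DNS ones.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    return any(k == "DNS" and _dns_match(v, requested) for k, v in sans)

# Constructed certificates, using names that appear in the thread.
CERT_FOR_DNS = {"subjectAltName": (("DNS", "hotspot.mysite.com"),)}
CERT_FOR_IP = {"subjectAltName": (("IP Address", "1.2.3.4"),)}

def scenarios() -> dict:
    """Map each case from the thread to True (no warning) or False (warning)."""
    return {
        "http site, redirected to https://hotspot.mysite.com/login":
            cert_covers(CERT_FOR_DNS, "hotspot.mysite.com"),
        "https://www.google.com answered by the hotspot":
            cert_covers(CERT_FOR_DNS, "www.google.com"),
        "IP certificate, login page opened by IP":
            cert_covers(CERT_FOR_IP, "1.2.3.4"),
        "IP certificate, login page opened by DNS name":
            cert_covers(CERT_FOR_IP, "hs.pippo.com"),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{'no warning' if ok else 'WARNING   '}  {case}")
```

The second case fails for any certificate the hotspot operator can obtain, since the browser compares the certificate against the name the user asked for, not the name of the portal.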