SSL Certificate for Mikrotik

Hi,
I need to know if anybody has already bought an SSL certificate for Mikrotik to work with hotspot, and is it known to all browsers and devices?
I tried Let’s Encrypt but it doesn’t work as expected.

Not yet. I need to know first if anyone has already done it, if it works and is known by all the browsers.
I tried an open SSL certificate, “Let’s Encrypt”; they give you 90 days, then you need to regenerate a new one. But it doesn’t work as expected, I still get the warning message "SSL certificate is not valid", especially with iOS devices.

For the hotspot login page itself, this is possible. For redirecting clients to the hotspot, this is not possible.

The “Let’s Encrypt” certificates should work just fine. Possibly you have to import the CA chain (root and intermediate certificate) into your Mikrotik device to make things work.

Hi,
Thank you all for your response.
@R1CH: what do you mean by redirecting clients to the hotspot is not possible? When I connect to the hotspot, the browser automatically redirects me to the authentication page, or I need to open an HTTP website (example: www.msn.com) and then I am automatically redirected to the authentication page. However, what I noticed is that when I type a secure site like https://facebook.com, no redirection to the hotspot is done. This is the issue that I need to resolve, because not every client is redirected automatically to the authentication page, and I need that whatever page he opens (http or https), he is redirected to the authentication page.

The device should detect that a hotspot login page is present, and open the hotspot login page in a popup.
Make sure you have no walled-garden entries, if this doesn’t happen, or that you have not added some strange DNS names in your router DNS config.

Hi normis,
Thank you for your reply.
I have no strange DNS configured and no walled garden,
and I still don’t get the authentication page when I open an https website, and it works fine when I use just http.
I’m using an open SSL certificate (Let’s Encrypt); can it be the issue?
Do you have any idea, if I buy Comodo SSL, whether it will work or not?

You don’t have to get it when you open any webpage. The device (laptop or phone) must open the system popup automatically, even if your device has no browser open.
SSL will not get redirected, this is to be expected.

Yes, that's right, but during the test we found that sometimes the device will not pop up the page, and we need to try to navigate normally; then, by trying to open any website (http), the hotspot page pops up automatically. The issue is when the client chooses to open an https website for the first time: he gets an error instead of the hotspot page.

Yes. This is how SSL works, there is no way around it.

  1. normal device opens popup itself, and they can log in
  2. if no automatic popup, user must open non-ssl webpage, like http://neverssl.com, but this is a client device problem, not hotspot

Even if we buy and install an SSL certificate on Mikrotik and enable https, it will not work, and we still need to open a non-https website?

If your device / browser won’t detect the portal automatically, then yes, you need to open a non-HTTPS site to get the portal redirect. Most modern browsers and devices do this automatically in the background though when you connect to a new network. There is NO WAY to redirect a HTTPS site!

Hi Rich,
I’m using Firefox on a Linux desktop machine. I tried many sites on https like https://duckduckgo.com, https://www.wikipedia.org, … and I get another page opened, “Login to Network”, so even on https I get the authentication page. But this is not working for all https sites; for example, https://www.facebook.com or https://www.google.com, … do not work, I get “Secure Connection Failed”.
So why, and what is the difference, as I see that it’s the opposite of your answer “NO WAY to redirect https”?
NB: your answer “No way to redirect https” is right for Apple devices. I tried to open the same https page that worked for me on Linux but I get nothing on iPhone.

Nothing is being redirected, it’s entirely up to the browser or OS. The browser sees a HTTPS loading error, tries to load a HTTP URL and notices if there was a redirect. If so, it assumes there is a portal and offers the sign in option. Since the “HTTPS error” is technically an attack, some bigger sites like Facebook use Strict Transport Security, which instructs browsers to never allow bypassing of a HTTPS error, which may include portal redirection.
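
The plain-HTTP probe described in the last reply, as an added Python example that is not part of the thread and is not any browser's or MikroTik's own code. The two local handlers, the `/probe` path, the `hotspot.example` URL and the choice of 204 as the expected answer are constructed for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL_URL = "http://hotspot.example/login"  # constructed placeholder

class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

class HotspotHandler(_Quiet):
    """Constructed stand-in: a hotspot answering intercepted plain HTTP before login."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", PORTAL_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()

class OpenHandler(_Quiet):
    """Constructed stand-in: the genuine probe endpoint on an unrestricted network."""
    def do_GET(self):
        self.send_response(204)
        self.end_headers()

def probe(host, port, path="/probe"):
    """Fetch a plain-HTTP URL whose answer is known in advance (assumed here: 204)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)  # http.client never follows redirects itself
        resp = conn.getresponse()
        resp.read()
        if resp.status == 204:
            return ("open", None)
        return ("portal", resp.getheader("Location"))  # login URL if redirected
    finally:
        conn.close()

def run_probe_against(handler):
    """Start a local server with the given handler on a free port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_probe_against(HotspotHandler), run_probe_against(OpenHandler))
```

The probe only works because it is sent over plain HTTP: the client has no certificate to validate, so the hotspot's substituted answer is accepted and recognised as a portal rather than rejected as a failed TLS handshake.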