Google Chrome breaks Unifi Controller Guest Portal


The other day after I updated my Google Pixel to Android 10 I noticed a weird error message when using our UniFi guest portal at work. After going to the portal, Chrome was complaining about an insecure certificate. We had updated our DigiCert certificate about 3 weeks ago, so this was going to be interesting to troubleshoot…

So, before we go into what caused it all, some background information on what we are running. For a few years now I have had a UniFi wifi system implemented at HQ for guest access. A little while back we rolled out the guest portal function at HQ and some branches. The controller is Windows-based, running on Server 2012 R2. I have also recently tightened a lot of firewall rules in terms of application blocking, plus some other security measures on the edge firewall and Cisco Umbrella, so my first thought was to look there.

The first tests revealed it only affected Chrome. iPhones with Safari were fine, computers with Edge or Firefox and IE were fine too. When I tested with my Thinkpad and used Chrome it would throw an error about an invalid certificate (Specifically “windows does not have enough information to verify this certificate”). Clicking on go-ahead anyways would open a new tab with the same error message and so on.

Ok, clearly it must! be the firewall. I turned on packet capture and went through the dropped-packet logs, but all good. Weird. Maybe Umbrella is blocking something? Spent some time going through the logs there, nope, all good.

Ok, so what is Chrome doing differently than all the other browsers? I looked at the certificate (which again is from DigiCert, not self-signed) and saw it could not complete the certification path. It showed no CA, only the cert. Ok, that is why Chrome sees it as invalid, but why can’t it complete the cert path?

I fired up DNSQuerySniffer by NirSoft on my Thinkpad and watched the queries go through. No errors, DNS is all working. Cool.

[Screenshot: DNSQuerySniffer]

Ok, I see Windows checking if it’s behind a portal (first entry msftconnecttest.com) and some other calls, but one sticks out now, doesn’t it?

So Chrome goes out to digicert.com to check if DigiCert is really the CA. Nice security feature, but we don’t allow this URL in pre-authorization on the UniFi controller. Now the solution is simple. Just add cacerts.digicert.com to the list of pre-authorization access in UniFi and the certificate is valid!

[Screenshot: Add cacerts.digicert.com]

So, in conclusion, it took longer to figure this one out since I thought the firewall was blocking a needed service, where it was really the Unifi Controller not allowing needed access. I’m not sure with which version of Chrome Google introduced this, but I imagine this will affect quite a few UniFi Portals. You will need to make sure the controller can reach the CA of whoever you have your certificate with.

It seems, though, that if you run UniFi with a security gateway, this might not affect you since it uses UniFi-issued certs.
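To check this ahead of time for whatever certificate your portal uses, here is a small script (an added example, not part of the original troubleshooting) that reads the text dump produced by `openssl x509 -noout -text` and lists every host the certificate tells clients to fetch from that is missing from the pre-authorization list. It goes a bit beyond the CA Issuers URL from this post and also reports the OCSP and CRL URLs; the certificate excerpt, file names and `portal.example.com` are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the layout of `openssl x509 -noout -text`;
# hostnames and file names are sample values, not this post's certificate.
SAMPLE_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/example-ca.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/ExampleIssuingCA.crt
"""

# Hypothetical pre-authorization list as it might look before the fix.
PREAUTHORIZED = {"portal.example.com"}

def fetch_urls(cert_text):
    """Return {kind: [urls]} for URLs a client may fetch while validating."""
    found = {"CA Issuers": [], "OCSP": [], "CRL": []}
    in_crl = False
    for line in cert_text.splitlines():
        s = line.strip()
        m = re.match(r"(CA Issuers|OCSP) - URI:(\S+)", s)
        if m:
            found[m.group(1)].append(m.group(2))
            in_crl = False
        elif s.startswith("X509v3 CRL Distribution Points"):
            in_crl = True
        elif in_crl and s.startswith("URI:"):
            found["CRL"].append(s[4:])
        elif in_crl and s and not s.startswith("Full Name"):
            in_crl = False  # a different extension has started
    return found

def missing_hosts(cert_text, preauthorized):
    """Hosts named in the certificate that guests cannot reach before login."""
    allowed = {h.lower() for h in preauthorized}
    missing = {}
    for kind, urls in fetch_urls(cert_text).items():
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in allowed:
                missing.setdefault(host, set()).add(kind)
    return missing

if __name__ == "__main__":
    report = missing_hosts(SAMPLE_CERT_TEXT, PREAUTHORIZED)
    for host, kinds in sorted(report.items()):
        print(f"{host}: needed for {', '.join(sorted(kinds))}")
```

To run it against a real portal certificate, replace `SAMPLE_CERT_TEXT` with the output of `openssl x509 -in portal.crt -noout -text` (the file name is a placeholder) and `PREAUTHORIZED` with your own list.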

I hope this is useful to some. When I first looked into this issue I didn’t find much on the net about this specific issue. This was a fun one to investigate!

2 Replies to “Google Chrome breaks Unifi Controller Guest Portal”

  1. Thanks for sharing your experience with the community. This is the same solution I might need to allow Chrome to give access to my UniFi guest portal.
