Regression #13212
closed
Captive Portal redirect not working if HTTPS login is enabled
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Force Exclusion
Affected Version: 2.7.0
Affected Architecture:
Description
With "Enable HTTPS login" checked and a proper (trusted, via LE/ACME) cert in place, captive portal clients do not detect the portal or redirect to the portal login page.
As soon as "Enable HTTPS login" is unchecked, the clients are able to detect the portal, log in, and work as they should.
With HTTPS login enabled:
rdr on em1 inet proto tcp from any to ! <cpzoneid_2_cpips> port 443 tagged cpzoneid_2_rdr -> 10.7.0.1 port 8003
pass in quick on em1 proto tcp from any to <cpzoneid_2_cpips> port 8003 ridentifier 13001 keep state(sloppy)
pass out quick on em1 proto tcp from 10.7.0.1 port 8003 to any flags any ridentifier 13002 keep state(sloppy)
With HTTPS login disabled:
rdr on em1 inet proto tcp from any to ! <cpzoneid_2_cpips> port 80 tagged cpzoneid_2_rdr -> 10.7.0.1 port 8002
pass in quick on em1 proto tcp from any to <cpzoneid_2_cpips> port 8002 ridentifier 13001 keep state(sloppy)
pass out quick on em1 proto tcp from 10.7.0.1 port 8002 to any flags any ridentifier 13002 keep state(sloppy)
On past versions with ipfw when HTTPS logins were enabled there were fwd rules in place for both 80 and 443 and not just 443:
02117 0 0 fwd 127.0.0.1,8003 tcp from any to any 443 in
02118 0 0 fwd 127.0.0.1,8002 tcp from any to any 80 in
If I manually edit rules.debug and add in the rules for 80 -> 8002 (both rdr and the pass rules) then the clients can detect the portal and log in properly.
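
As an added example (not part of the original report and not pfSense code): a shell check that reads a pf ruleset such as rules.debug on stdin and flags any captive portal zone that has the port 443 redirect but no port 80 redirect, the condition shown above. The names check_cp_rdr, sample_https_only and sample_with_http are hypothetical; the first sample is copied from the report and the second is constructed from its rules.

```sh
#!/bin/sh
# Added example (not pfSense code): flag captive portal zones whose pf rules
# redirect port 443 but lack the port 80 redirect described in this report.

# Reads pf rules on stdin, prints one status line per zone tag,
# returns 1 if any zone has a 443 rdr without an 80 rdr.
check_cp_rdr() {
    awk '
    $1 == "rdr" {
        zone = ""; dport = ""
        for (i = 1; i < NF; i++) {
            # zone tag as it appears in the report: "tagged cpzoneid_2_rdr"
            if ($i == "tagged" && $(i + 1) ~ /^cpzoneid_[0-9]+_rdr$/) zone = $(i + 1)
            # the first "port" in an rdr rule is the matched destination port
            if ($i == "port" && dport == "") dport = $(i + 1)
        }
        if (zone == "") next
        seen[zone] = 1
        if (dport == "80") http[zone] = 1
        if (dport == "443") https[zone] = 1
    }
    END {
        bad = 0
        for (z in seen) {
            if ((z in https) && !(z in http)) { print z ": 443 redirected, 80 missing"; bad = 1 }
            else print z ": ok"
        }
        exit bad
    }'
}

# Rules copied from the report (HTTPS login enabled).
sample_https_only() {
    cat <<'EOF'
rdr on em1 inet proto tcp from any to ! <cpzoneid_2_cpips> port 443 tagged cpzoneid_2_rdr -> 10.7.0.1 port 8003
pass in quick on em1 proto tcp from any to <cpzoneid_2_cpips> port 8003 ridentifier 13001 keep state(sloppy)
EOF
}

# Constructed: the same ruleset plus the port 80 -> 8002 redirect from the report.
sample_with_http() {
    sample_https_only
    cat <<'EOF'
rdr on em1 inet proto tcp from any to ! <cpzoneid_2_cpips> port 80 tagged cpzoneid_2_rdr -> 10.7.0.1 port 8002
EOF
}

sample_https_only | check_cp_rdr || echo "ruleset matches the reported regression"
sample_with_http | check_cp_rdr && echo "ruleset has both redirects"
```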