Hi, I followed the certbot instructions for Apache and received a failed challenge error. ZoneMinder by default runs the webpage on biggszm.duckdns.org/zm. The standard domain name defaults to the Apache2 default welcome page. I'm sure it probably has to do with some nasty default ZoneMinder Apache configuration.
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): biggszm.duckdns.org
Requesting a certificate for biggszm.duckdns.org
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0
That is the correct IP. Are you not able to access the webpage? It works for me internally and externally. Since I am able to access it, I would assume my firewall/NAT is working properly.
You are right. My ISP is blocking that port. I originally had the webserver on 8080 so it would not be blocked, but I read that certbot requires port 80 and 443. Is there a way I can use certbot with a different port number?
TLS-ALPN-01 challenges are via port 443 - but that spec isn't widely supported.
DNS-01 challenges are via DNS - but they are not simple to automate (requiring support from both the ACME client and your DSP).
You should have a working web site before trying to secure it.
As shown, there is no functional web site.
Please create a vhost config file for your site (and enable it).
Then show again: apachectl -S
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName www.biggszm.duckdns.org
    ServerAdmin webmaster@localhost
    DocumentRoot /usr/share/zoneminder/www

    # Remember to enable cgi mod (i.e. "a2enmod cgi").
    ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
    <Directory "/usr/lib/zoneminder/cgi-bin">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # Order matters. This alias must come first.
    Alias /zm/cache /var/cache/zoneminder/cache
    <Directory /var/cache/zoneminder/cache>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
        </IfModule>
    </Directory>

    Alias /zm /usr/share/zoneminder/www
    <Directory /usr/share/zoneminder/www>
        Options -Indexes +FollowSymLinks
        <IfModule mod_dir.c>
            DirectoryIndex index.php
        </IfModule>
    </Directory>

    # For better visibility, the following directives have been migrated from the
    # default .htaccess files included with the CakePHP project.
    # Parameters not set here are inherited from the parent directive above.
    <Directory "/usr/share/zoneminder/www/api">
        RewriteEngine on
        RewriteRule ^$ app/webroot/ [L]
        RewriteRule (.*) app/webroot/$1 [L]
        RewriteBase /zm/api
    </Directory>

    <Directory "/usr/share/zoneminder/www/api/app">
        RewriteEngine on
        RewriteRule ^$ webroot/ [L]
        RewriteRule (.*) webroot/$1 [L]
        RewriteBase /zm/api
    </Directory>

    <Directory "/usr/share/zoneminder/www/api/app/webroot">
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [L]
        RewriteBase /zm/api
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Done. However, the plugin that I am using has the following note:
Note: You cannot create certificates for multiple DuckDNS domains with one certbot call.
This is because DuckDNS only allows one TXT record.
If certificates for several domains should be created at the same time, then the same number of distinct DNS TXT records must be created.
To solve the problem, you simply have to make a separate certbot call for each domain.
Therefore, I issued two certificates. One for biggszm.duckdns.org and www.biggszm.duckdns.org. My webpage still does not have HTTPS and is viewable on biggszm.duckdns.org:8080/zm. Do I need to make my vhost config have port 8080 instead of 80?
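As an added example (not part of this thread or of the DuckDNS plugin), this shows how the DNS-01 TXT value the note refers to is derived under RFC 8555, and why two hostnames pending validation at the same time need two different TXT values. The account key and the tokens are constructed sample values; real tokens are issued by the CA per authorization.

```python
import base64
import hashlib
import json

# Constructed sample values: an ACME account's public JWK (EC P-256) and one
# validation token per hostname. Real tokens come from the CA, not from here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKENS = {"biggszm.duckdns.org": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
                 "www.biggszm.duckdns.org": "DGyRejmCefe7v4NfDGDKfA"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires for ACME values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (TXT record name, TXT value) that the CA queries for a DNS-01 challenge.

    The value is base64url(SHA-256(keyAuthorization)), where
    keyAuthorization = token + "." + thumbprint (RFC 8555 section 8.4).
    """
    key_authorization = f"{token}.{thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def plan_txt_records(tokens: dict, jwk: dict) -> dict:
    """Map each hostname to the TXT record its pending authorization needs.

    Each token is distinct, so each hostname needs its own value; a provider
    that can hold only one TXT record cannot satisfy two at once.
    """
    thumbprint = jwk_thumbprint(jwk)
    return {name: dns01_record(name, tok, thumbprint) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, (record, value) in plan_txt_records(SAMPLE_TOKENS, SAMPLE_JWK).items():
        print(f"{record} TXT {value}")
```

With only one TXT record available at DuckDNS, the two values computed here cannot both be published at once, which is why the note advises one certbot call per name (or relying on a still-cached authorization, as suggested later in the thread).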
You almost had the right solution. You should have first requested a certificate covering one of the domain names (which you already had), which caches the authorization for that domain name. Then you should have requested a certificate covering both domain names. Since the authorization for one would have already been cached, only the other would have needed to be authorized. At present you have authorizations cached for both domain names, meaning that when you request a certificate covering both domain names, neither domain name will need to be authorized (so no TXT records to create). Go ahead and do so.
Ok, I deleted the previous 2 certificates with certbot delete. Then I installed a certificate for biggszm.duckdns.org using DNS challenge. Then I ran your certbot command for both domains.
sudo certbot install --apache -d "biggszm.duckdns.org,www.biggszm.duckdns.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which certificate would you like to install?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: biggszm.duckdns.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for biggszm.duckdns.org to /etc/apache2/sites-available/zm-le-ssl.conf
Successfully deployed certificate for www.biggszm.duckdns.org to /etc/apache2/sites-available/zm-le-ssl.conf
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.