Failed Challenge on ZoneMinder [Apache]

Hi, I followed the certbot instructions for Apache and received a failed challenge error. ZoneMinder by default runs the webpage on biggszm.duckdns.org/zm. The standard domain name defaults to the Apache2 default welcome page. I'm sure it probably has to do with some nasty default ZoneMinder Apache configuration.

My domain is:
biggszm.duckdns.org

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): biggszm.duckdns.org
Requesting a certificate for biggszm.duckdns.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
** Domain: biggszm.duckdns.org**
** Type: connection**
** Detail: Fetching http://biggszm.duckdns.org/.well-known/acme-challenge/FswRJgCh59um5Q0sD-k87O3mqHbzn62f9X0zi0EeX4M: Timeout during connect (likely firewall problem)**

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.17.0

1 Like

Hi @biggs, and welcome to the LE community forum :slight_smile:

Please confirm the current Internet IP is:

Name:    biggszm.duckdns.org
Address: 174.66.232.64

If so, then confirm HTTP access through the firewall/NAT device and to your internal system IP.

1 Like

That is the correct IP. Are you not able to access the webpage? It works for me internally and externally. Since I am able to access it, I would assume my Firewall/NAT is working properly.

1 Like

No, I can't get a connection to port 80.

curl -Iki biggszm.duckdns.org
curl: (56) Recv failure: Connection reset by peer
2 Likes

You are right. My ISP is blocking that port. I originally had the webserver on 8080 so it would not be blocked, but I read that certbot requires port 80 and 443. Is there a way I can use certbot with a different port number?

1 Like

It appears that I can use a DNS challenge in this instance. I will try that.

1 Like

TLS-ALPN-01 challenges are via port 443 - but that spec isn't widely supported.
DNS-01 challenges are via DNS - but they are not simple to automate (requiring support from both the ACME client and your DSP).

1 Like

I was able to generate and install the certificates using a DNS challenge, but my webpage is not using HTTPS. Any pointers?

1 Like

Start with the output of:
apachectl -S

1 Like

apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

1 Like

You should have a working web site before trying to secure it.
As shown, there is no functional web site.
Please create a vhost config file for your site (and enable it).
Then show again:
apachectl -S

1 Like

apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

1 Like

zm.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName www.biggszm.duckdns.org

        ServerAdmin webmaster@localhost
        DocumentRoot /usr/share/zoneminder/www

        # Remember to enable cgi mod (i.e. "a2enmod cgi").
        ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
        <Directory "/usr/lib/zoneminder/cgi-bin">
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            AllowOverride All
            Require all granted
        </Directory>


        # Order matters. This alias must come first.
        Alias /zm/cache /var/cache/zoneminder/cache
        <Directory /var/cache/zoneminder/cache>
            Options -Indexes +FollowSymLinks
            AllowOverride None
            <IfModule mod_authz_core.c>
                # Apache 2.4
                Require all granted
            </IfModule>
        </Directory>

        Alias /zm /usr/share/zoneminder/www
        <Directory /usr/share/zoneminder/www>
            Options -Indexes +FollowSymLinks
            <IfModule mod_dir.c>
                DirectoryIndex index.php
            </IfModule>
        </Directory>

        # For better visibility, the following directives have been migrated from the
        # default .htaccess files included with the CakePHP project.
        # Parameters not set here are inherited from the parent directive above.
        <Directory "/usr/share/zoneminder/www/api">
            RewriteEngine on
            RewriteRule ^$ app/webroot/ [L]
            RewriteRule (.*) app/webroot/$1 [L]
            RewriteBase /zm/api
        </Directory>

        <Directory "/usr/share/zoneminder/www/api/app">
            RewriteEngine on
            RewriteRule ^$ webroot/ [L]
            RewriteRule (.*) webroot/$1 [L]
            RewriteBase /zm/api
        </Directory>

        <Directory "/usr/share/zoneminder/www/api/app/webroot">
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^ index.php [L]
            RewriteBase /zm/api
        </Directory>


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
1 Like

add this line right below that one:
ServerAlias biggszm.duckdns.org

1 Like

Added. Do I need to regenerate a certificate now? Nothing has changed

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I'm going to step in for @rg305 for now.

  1. Reload Apache:

sudo apachectl -k graceful

  2. Generate another certificate covering both biggszm.duckdns.org and www.biggszm.duckdns.org.

  3. Install your certificate.

sudo certbot install --apache -d "biggszm.duckdns.org,www.biggszm.duckdns.org"

1 Like

Done. However, the plugin that I am using has the following note:

Note: You cannot create certificates for multiple DuckDNS domains with one certbot call.
This is because DuckDNS only allows one TXT record.
If certificates for several domains should be created at the same time, then the same number of distinct DNS TXT records must be created.
To solve the problem, you simply have to make a separate certbot call for each domain.

Therefore, I issued two certificates: one for biggszm.duckdns.org and one for www.biggszm.duckdns.org. My webpage still does not have HTTPS and is viewable on biggszm.duckdns.org:8080/zm. Do I need to make my vhost config have port 8080 instead of 80?

Here is some additional debug info: Let's Debug

1 Like

You almost had the right solution. You should have first requested a certificate covering one of the domain names (which you already had), which caches the authorization for that domain name. Then you should have requested a certificate covering both domain names. Since the authorization for one would have already been cached, only the other would have needed to be authorized. At present you have authorizations cached for both domain names, meaning that when you request a certificate covering both domain names, neither domain name will need to be authorized (so no TXT records to create). Go ahead and do so.

First, make your vhost configuration use port 80.

Second, run this:

1 Like
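The reply above describes a workaround for a DNS provider that can hold only one TXT record at a time: order a certificate for one name first, then order one for both, so the second order only needs the name whose authorization is not yet cached. The script below is an added example for this thread, not certbot or plugin code; it plans that sequence in general (any number of names, any limit on simultaneous validations) and shows the two situations from the thread. The 30-day authorization lifetime and the dates are assumptions made for the example; the CA decides how long an authorization is reused.

```python
"""Plan ACME orders when the DNS provider can hold only one TXT record at a
time, by leaning on the CA's reuse of still-valid authorizations.

Added example for this thread, not certbot or plugin code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

AUTHZ_LIFETIME = timedelta(days=30)  # assumed; the CA sets the real value
NOW = datetime(2021, 8, 1, tzinfo=timezone.utc)  # constructed date


@dataclass
class AuthzCache:
    """Which names the CA currently holds a valid authorization for."""
    valid_until: dict = field(default_factory=dict)

    def is_valid(self, name: str, now: datetime) -> bool:
        exp = self.valid_until.get(name)
        return exp is not None and now < exp

    def record(self, name: str, now: datetime) -> None:
        self.valid_until[name] = now + AUTHZ_LIFETIME


def pending(cache: AuthzCache, names, now) -> list:
    """Names in an order that would need a fresh DNS-01 validation."""
    return [n for n in names if not cache.is_valid(n, now)]


def plan_orders(cache: AuthzCache, names, now, max_pending: int = 1) -> list:
    """Split the work into orders so that no single order needs more than
    `max_pending` validations at once. Each order re-lists every name
    authorized so far, so the last order covers the whole set."""
    sim = AuthzCache(dict(cache.valid_until))  # don't mutate the caller's cache
    covered = [n for n in names if sim.is_valid(n, now)]
    todo = pending(sim, names, now)
    orders = []
    while todo:
        batch, todo = todo[:max_pending], todo[max_pending:]
        covered = covered + batch
        orders.append(tuple(n for n in names if n in covered))
        for n in batch:
            sim.record(n, now)  # the CA now caches this authorization
    if not orders:  # everything already authorized: one order, no TXT record
        orders.append(tuple(names))
    return orders


def thread_scenarios() -> dict:
    """The situations from the thread, against a fresh and a warm cache."""
    names = ["biggszm.duckdns.org", "www.biggszm.duckdns.org"]
    fresh = plan_orders(AuthzCache(), names, NOW)
    # What the poster did: two separate single-name certificates, so both
    # names are now authorized and one combined order needs no TXT at all.
    done = AuthzCache()
    for n in names:
        done.record(n, NOW)
    both_cached = plan_orders(done, names, NOW)
    # Once the authorizations lapse the two-step sequence is needed again.
    expired = plan_orders(done, names, NOW + AUTHZ_LIFETIME + timedelta(days=1))
    return {"fresh": fresh, "both_cached": both_cached, "expired": expired}


if __name__ == "__main__":
    for label, orders in thread_scenarios().items():
        print(label, "->", orders)
```

Each intermediate order issues a real certificate, which counts against the CA's rate limits, so keep the sequence as short as the TXT-record limit allows; with a provider that can hold several TXT records, raise `max_pending` and the plan collapses to fewer orders.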

Ok, I deleted the previous 2 certificates with certbot delete. Then I installed a certificate for biggszm.duckdns.org using DNS challenge. Then I ran your certbot command for both domains.

sudo certbot install --apache -d "biggszm.duckdns.org,www.biggszm.duckdns.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate would you like to install?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: biggszm.duckdns.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for biggszm.duckdns.org to /etc/apache2/sites-available/zm-le-ssl.conf
Successfully deployed certificate for www.biggszm.duckdns.org to /etc/apache2/sites-available/zm-le-ssl.conf
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.    

Still no HTTPS, did I do something wrong?

1 Like
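For reference, this is the shape of the two vhost files the thread ends up with once the alias is in place and certbot has deployed the certificate. It is an added illustration, not the poster's files or certbot's verbatim output: the ZoneMinder Alias/Directory blocks are elided, the certificate paths follow certbot's standard /etc/letsencrypt/live/<lineage>/ layout with the lineage name assumed to be biggszm.duckdns.org, and the Listen/port-forwarding notes in the comments are assumptions about this setup.

```apache
# /etc/apache2/sites-available/zm.conf (HTTP side)
<VirtualHost *:80>
    ServerName www.biggszm.duckdns.org
    # Without this alias a request for the bare name never matches this
    # vhost and Apache falls back to the default site.
    ServerAlias biggszm.duckdns.org
    DocumentRoot /usr/share/zoneminder/www
    # ... ZoneMinder ScriptAlias / Alias / <Directory> blocks unchanged ...
    # certbot --apache adds a RewriteRule here that sends HTTP to HTTPS.
</VirtualHost>

# /etc/apache2/sites-available/zm-le-ssl.conf (what certbot install writes)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.biggszm.duckdns.org
    ServerAlias biggszm.duckdns.org
    DocumentRoot /usr/share/zoneminder/www
    # ... same ZoneMinder blocks as zm.conf ...
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/biggszm.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/biggszm.duckdns.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

For the 443 vhost to answer at all, mod_ssl must be enabled (a2enmod ssl), ports.conf must contain Listen 443, and the site must be enabled (a2ensite zm-le-ssl); apachectl -S then lists a *:443 entry with both names. If the site is reached today through a NAT rule forwarding external port 8080 to internal port 80, HTTPS needs a second rule forwarding some external port to internal 443 (with 80 blocked by the ISP, 443 may be blocked too), and the URL then has to carry that external port.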

@biggs, I suspect you missed this step:

Please show the output of:
apachectl -S

and file:
zm.conf

1 Like
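The last reply asks again for apachectl -S output, because that listing answers both open questions: is the bare name served at all, and is anything listening on 443. The script below is an added example for this thread, not part of Apache or certbot; it parses the Apache 2.4 apachectl -S format (the single-vhost form seen in the thread, plus the NameVirtualHost form Apache prints when several vhosts share a port) and reports names no vhost claims and names with no :443 vhost. The two sample listings are constructed for the example: BEFORE mirrors the output posted above, AFTER is what the corrected configuration would print if 000-default were still enabled next to zm.conf and the certbot TLS vhost.

```python
"""Read `apachectl -S` output and report which hostnames Apache serves on
which ports. Added example for this thread, not Apache or certbot code."""
import re
from collections import defaultdict

# Line shapes apachectl -S prints for the VirtualHost configuration section:
#   *:80     www.example.org (/etc/apache2/sites-enabled/zm.conf:1)
#            alias example.org
#   *:443    is a NameVirtualHost
#       default server a.example.org (/etc/apache2/sites-enabled/a.conf:1)
#       port 443 namevhost a.example.org (/etc/apache2/sites-enabled/a.conf:1)
#                alias b.example.org
# Address-specific vhosts (1.2.3.4:80 ...) are not handled here.
SINGLE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\(")
NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\(")
ALIAS = re.compile(r"^\s+alias (\S+)")


def parse_vhosts(text: str) -> dict:
    """Return {hostname: set(ports)} for every ServerName/ServerAlias seen."""
    served = defaultdict(set)
    port = None  # port of the vhost the current alias lines belong to
    for line in text.splitlines():
        m = SINGLE.match(line) or NAMEVHOST.match(line)
        if m:
            port = m.group(1)
            served[m.group(2)].add(port)
            continue
        m = ALIAS.match(line)
        if m and port is not None:
            served[m.group(1)].add(port)
            continue
        if not line.startswith("*:") and not line[:1].isspace():
            port = None  # left the VirtualHost configuration section
    return dict(served)


def unknown_names(served: dict, names) -> list:
    """Names no vhost claims: requests for them fall to the default vhost."""
    return [n for n in names if n not in served]


def missing_tls(served: dict, names) -> list:
    """Names Apache serves somewhere but not on port 443."""
    return [n for n in names if n in served and "443" not in served[n]]


NAMES = ["biggszm.duckdns.org", "www.biggszm.duckdns.org"]

# Constructed sample: the listing posted in the thread after zm.conf was added.
BEFORE = """\
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
"""

# Constructed sample: alias added, 000-default still enabled, certbot TLS vhost installed.
AFTER = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm.conf:1)
                 alias biggszm.duckdns.org
*:443                  www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm-le-ssl.conf:2)
                       alias biggszm.duckdns.org
ServerRoot: "/etc/apache2"
"""


def report(text: str, names) -> dict:
    served = parse_vhosts(text)
    return {"served": served,
            "unknown": unknown_names(served, names),
            "no_tls": missing_tls(served, names)}


if __name__ == "__main__":
    import subprocess, sys
    # Run against the live server when available, otherwise the samples.
    try:
        live = subprocess.run(["apachectl", "-S"], capture_output=True,
                              text=True).stdout
    except FileNotFoundError:
        live = None
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER), ("live", live)):
        if text:
            print(label, report(text, sys.argv[1:] or NAMES))
```

Run it with the hostnames you expect to serve as arguments; an entry under "unknown" means a ServerName/ServerAlias is missing, and an entry under "no_tls" means certbot's *:443 vhost is not enabled or mod_ssl is not loaded, which is exactly the state the thread's last poster is trying to pin down.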