/etc/apache2/sites-enabled$ cat zm.conf
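<VirtualHost *:80>
    # Plain-HTTP vhost for ZoneMinder. The alias/directory layout below is the
    # stock ZoneMinder packaging; the last block turns every plain-HTTP request
    # into a redirect to the HTTPS vhost.
    #
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName www.biggszm.duckdns.org
    ServerAlias biggszm.duckdns.org
    ServerAdmin webmaster@localhost
    DocumentRoot /usr/share/zoneminder/www

    # Remember to enable cgi mod (i.e. "a2enmod cgi").
    ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
    <Directory "/usr/lib/zoneminder/cgi-bin">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # Order matters. This alias must come first.
    Alias /zm/cache /var/cache/zoneminder/cache
    <Directory /var/cache/zoneminder/cache>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
        </IfModule>
    </Directory>

    Alias /zm /usr/share/zoneminder/www
    <Directory /usr/share/zoneminder/www>
        Options -Indexes +FollowSymLinks
        <IfModule mod_dir.c>
            DirectoryIndex index.php
        </IfModule>
    </Directory>

    # For better visibility, the following directives have been migrated from the
    # default .htaccess files included with the CakePHP project.
    # Parameters not set here are inherited from the parent directive above.
    <Directory "/usr/share/zoneminder/www/api">
        RewriteEngine on
        RewriteRule ^$ app/webroot/ [L]
        RewriteRule (.*) app/webroot/$1 [L]
        RewriteBase /zm/api
    </Directory>
    <Directory "/usr/share/zoneminder/www/api/app">
        RewriteEngine on
        RewriteRule ^$ webroot/ [L]
        RewriteRule (.*) webroot/$1 [L]
        RewriteBase /zm/api
    </Directory>
    <Directory "/usr/share/zoneminder/www/api/app/webroot">
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [L]
        RewriteBase /zm/api
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # HTTP -> HTTPS redirect for both hostnames this vhost answers for.
    # mod_rewrite is off by default in every context and the per-Directory
    # "RewriteEngine on" lines above do not apply at VirtualHost scope, so
    # without the line below the two conditions and the rule are never
    # evaluated and plain-HTTP requests are served unencrypted instead of
    # being redirected.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =biggszm.duckdns.org [OR]
    RewriteCond %{SERVER_NAME} =www.biggszm.duckdns.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>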
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
apachectl -S
AH00526: Syntax error on line 88 of /etc/apache2/sites-enabled/zm-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/biggszm.duckdns.org/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.
/etc/apache2/sites-enabled$ cat zm-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
# HTTPS vhost for ZoneMinder. It answers for two names (ServerName and
# ServerAlias), so the certificate referenced at the bottom of this block
# must carry both of them as subject alternative names; a certificate issued
# for only one name makes clients connecting with the other name fail with
# "no alternative certificate subject name matches target host name".
#
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.biggszm.duckdns.org
ServerAlias biggszm.duckdns.org
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/zoneminder/www
# Remember to enable cgi mod (i.e. "a2enmod cgi").
ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
<Directory "/usr/lib/zoneminder/cgi-bin">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
# Order matters. This alias must come first.
Alias /zm/cache /var/cache/zoneminder/cache
<Directory /var/cache/zoneminder/cache>
Options -Indexes +FollowSymLinks
AllowOverride None
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
</Directory>
Alias /zm /usr/share/zoneminder/www
<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
</Directory>
# For better visibility, the following directives have been migrated from the
# default .htaccess files included with the CakePHP project.
# Parameters not set here are inherited from the parent directive above.
<Directory "/usr/share/zoneminder/www/api">
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
RewriteBase /zm/api
</Directory>
<Directory "/usr/share/zoneminder/www/api/app">
RewriteEngine on
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
RewriteBase /zm/api
</Directory>
<Directory "/usr/share/zoneminder/www/api/app/webroot">
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteBase /zm/api
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# Protocol/cipher policy comes from the certbot-managed include; keep
# TLS settings there rather than duplicating them per vhost.
Include /etc/letsencrypt/options-ssl-apache.conf
# Apache refuses to start ("does not exist or is empty") if either file
# below is missing, so the certificate must be issued before this vhost is
# enabled. The "live" directory is a set of symlinks that certbot repoints
# on renewal, so these paths stay valid across renewals.
SSLCertificateFile /etc/letsencrypt/live/biggszm.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/biggszm.duckdns.org/privkey.pem
</VirtualHost>
</IfModule>
I did not try 8080 - that is up.
But since you still need to get a cert with both names on it, you will need to enable 80.
[and you will need 80 open to renew the certs (every 60 days)]
Public port 80 is blocked by my ISP. That is why earlier in the conversation I was told to use a DNS-01 challenge instead of a HTTP-01. Unless you mean I need to unblock private port 80, but I don't think that is what you mean.
OK, I must have missed or forgotten that.
Nonetheless, you have to overcome this problem:
curl -I https://www.biggszm.duckdns.org
curl: (51) SSL: no alternative certificate subject name matches target host name 'www.biggszm.duckdns.org'
There are four possible connections:
http://biggszm.duckdns.org/ [ISP blocks 80 - but works via 8080]
http://www.biggszm.duckdns.org/ [ISP blocks 80 - but works via 8080]
https://biggszm.duckdns.org/ [WORKS]
https://www.biggszm.duckdns.org/ [FAILS - No matching name in cert]
Better than nothing (I suppose).
But ideally you would have both names on the cert and have the renewals fully automated.
Not sure if you are willing to put in the extra work to get any of that done.
EDIT: Two individual certs could also work - but you would have to split the file zm-le-ssl.conf in two.
Not sure how I should accomplish that. Since I am using a DNS-01 challenge, I must use a plugin for my DNS provider on certbot. I am using the certbot-dns-duckdns plugin, which can be found here: certbot-dns-duckdns · PyPI. I would have to issue 2 certs per the documentation. I guess I could also issue a wildcard cert, right?
Ok, I think it works now? I generated and installed a cert for www.biggszm.duckdns.org. Your conf file didn't work because of the trailing line comments on the second vhost, so I removed them and Apache restarted. This is what I have now:
cat zm-le-ssl.conf
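<IfModule mod_ssl.c>
    # Canonical HTTPS vhost: serves ZoneMinder for biggszm.duckdns.org with the
    # certificate issued for that single name.
    <VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName biggszm.duckdns.org
        ServerAdmin webmaster@localhost
        DocumentRoot /usr/share/zoneminder/www

        # Remember to enable cgi mod (i.e. "a2enmod cgi").
        ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
        <Directory "/usr/lib/zoneminder/cgi-bin">
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            AllowOverride All
            Require all granted
        </Directory>

        # Order matters. This alias must come first.
        Alias /zm/cache /var/cache/zoneminder/cache
        <Directory /var/cache/zoneminder/cache>
            Options -Indexes +FollowSymLinks
            AllowOverride None
            <IfModule mod_authz_core.c>
                # Apache 2.4
                Require all granted
            </IfModule>
        </Directory>

        Alias /zm /usr/share/zoneminder/www
        <Directory /usr/share/zoneminder/www>
            Options -Indexes +FollowSymLinks
            <IfModule mod_dir.c>
                DirectoryIndex index.php
            </IfModule>
        </Directory>

        # For better visibility, the following directives have been migrated from the
        # default .htaccess files included with the CakePHP project.
        # Parameters not set here are inherited from the parent directive above.
        <Directory "/usr/share/zoneminder/www/api">
            RewriteEngine on
            RewriteRule ^$ app/webroot/ [L]
            RewriteRule (.*) app/webroot/$1 [L]
            RewriteBase /zm/api
        </Directory>
        <Directory "/usr/share/zoneminder/www/api/app">
            RewriteEngine on
            RewriteRule ^$ webroot/ [L]
            RewriteRule (.*) webroot/$1 [L]
            RewriteBase /zm/api
        </Directory>
        <Directory "/usr/share/zoneminder/www/api/app/webroot">
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^ index.php [L]
            RewriteBase /zm/api
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        # TLS protocol/cipher policy is kept in the certbot-managed include.
        Include /etc/letsencrypt/options-ssl-apache.conf
        # Certificate issued for exactly the ServerName above; the "live" paths
        # are symlinks certbot repoints on renewal.
        SSLCertificateFile /etc/letsencrypt/live/biggszm.duckdns.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/biggszm.duckdns.org/privkey.pem
    </VirtualHost>

    # Redirect-only vhost for the www name. It terminates TLS with a certificate
    # that matches www.biggszm.duckdns.org, so the client sees a valid
    # certificate first and is then sent to the canonical name. Nothing under
    # DocumentRoot is served here: every request is rewritten into an
    # external redirect before content lookup.
    <VirtualHost *:443>
        ServerName www.biggszm.duckdns.org
        ServerAdmin webmaster@localhost
        DocumentRoot /usr/share/zoneminder/www
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On
        # Flags match the HTTP->HTTPS redirect in zm.conf: a permanent (301)
        # redirect so clients and caches learn the canonical host, NE so the
        # already-encoded request URI is not re-escaped, END so no later rule
        # touches the rewritten request. Without an explicit R flag an absolute
        # https:// substitution is still redirected, but as a temporary 302.
        RewriteRule ^/?(.*) https://biggszm.duckdns.org/$1 [END,NE,R=permanent]

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.biggszm.duckdns.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.biggszm.duckdns.org/privkey.pem
    </VirtualHost>
</IfModule>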
sudo apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server biggszm.duckdns.org (/etc/apache2/sites-enabled/zm-le-ssl.conf:2)
port 443 namevhost biggszm.duckdns.org (/etc/apache2/sites-enabled/zm-le-ssl.conf:2)
port 443 namevhost www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm-le-ssl.conf:91)
*:80 www.biggszm.duckdns.org (/etc/apache2/sites-enabled/zm.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
Should I do that even though I now have two certs with the split conf file? Or should I go back to the conf file with an alias and a single cert before I issue that command?
Since you're using certbot-dns-duckdns · PyPI, it might be easier to have the two certificates at this point since both can be easily automated. You need to use the duckdns authenticator plugin and the apache installer.
Something like this:
# Both commands pass the DuckDNS API token as a command-line argument, which
# records it in the shell history and exposes it in the process list while
# certbot runs. If the plugin offers a credentials-file option (most certbot
# DNS plugins do), prefer it with a root-only-readable file, which is also the
# form the unattended renewals will need.
sudo certbot --preferred-challenges dns -a dns-duckdns --dns-duckdns-token <your-duckdns-token> --dns-duckdns-propagation-seconds 60 -d "biggszm.duckdns.org" -i apache
sudo certbot --preferred-challenges dns -a dns-duckdns --dns-duckdns-token <your-duckdns-token> --dns-duckdns-propagation-seconds 60 -d "www.biggszm.duckdns.org" -i apache