First cert install - unauthorized

Can anyone help with first time install of a cert?
My domain is:
I ran this command:
sudo certbot --apache

It produced this output:

The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

My .conf looks like this

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

    ServerAdmin webmaster@localhost

    ProxyPass /zm
    ProxyPassReverse /zm

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

vim: syntax=apache ts=4 sw=4 sts=4 sr noet


As you are proxying the viewers to another internal server, you’ll need to exempt the .well-known/acme-challenge folder from being proxied to the backend server.

Thank you

I think that should already be the case since it looks like only the URL path /zm is being proxied.

That being said I don’t know what’s actually going wrong here.

@Bruce69 could you share the output of the following command?

sudo apachectl -S


Thank you for replying. Here is the response

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-cctv.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/000-cctv.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

Hmm, so you have two VirtualHosts for the same name and port in two different files (000-cctv.conf and 000-default.conf) - I guess that might be confusing certbot. Is that how you intended to configure it? I don’t think they can both function at the same time - if you don’t need one, try disabling it with a2dissite and see if that helps.

I was just following some guide. its my first time setting this up for a home cctv system. should i delete 000-default.conf?

If you’re not using it, yes. Just delete /etc/apache2/sites-enabled/000-default.conf which should be a symbolic link - don’t delete the actual file it links to, just in case.

That worked, installed the cert etc however when you go to or it does not work.

You may need to configure your router to forward port 443 to the Apache server. Since the validation worked I guess you already did port 80, so just repeat whatever you did to make that work, but on port 443.

Thank you thats solved it

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.