Setting SSL variables

Forum for questions and support relating to the 1.34.x releases only.
SkippyDo
Posts: 219
Joined: Mon Nov 20, 2017 6:49 pm

Setting SSL variables

Post by SkippyDo »

In pursuit of some API issues (viewtopic.php?f=40&t=29428&sid=68a54a38 ... 4da7d13e36 ) I started digging through php code and found that database.php.default references three ZM SSL variables:

Code:

'ssl_ca' => ZM_DB_SSL_CA_CERT,
'ssl_key' => ZM_DB_SSL_CLIENT_KEY,
'ssl_cert' => ZM_DB_SSL_CLIENT_CERT,

For ZM I was setting the following in a custom conf file (located under zm/conf.d):

Code:

ZM_DB_SSL_CLIENT_CERT=/etc/letsencrypt/live/<server FQDN>/fullchain.pem
ZM_DB_SSL_CLIENT_KEY=/etc/letsencrypt/live/<server FQDN>/privkey.pem

ZM fails to start if I add a line for ZM_DB_SSL_CA_CERT.


Also, can anyone tell me what files are for which variable when dealing with certs issued from LetsEncrypt? There are four files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

This is what I have in my apache2/apache2/sites-enabled/000-default-le-ssl.conf file (and I believe that it's working OK):

Code:

ServerName <server FQDN>
SSLCertificateFile /etc/letsencrypt/live/<server FQDN>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<server FQDN>/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

burger
Posts: 390
Joined: Mon May 11, 2020 4:32 pm

Re: Setting SSL variables

Post by burger »

Per subject title,

The self certs in ZM work without any need to configure PHP vars in zm.conf files. I understand you are having an issue with the API, but making a new thread with a broad subject will confuse other newcomers who are searching for SSL help. When a layman is setting up ZM with SSL, only Apache needs configuration. I assume Let's Encrypt is the same as the self certs.

SkippyDo wrote: Also, can anyone tell me what files are for which variable when dealing with certs issued from LetsEncrypt? There are four files:

Try the Let's Encrypt forums, or just search online (that is easily available information).

fastest way to test streams:
ffmpeg -i rtsp://<user>:<pass>@<ipaddress>:554/path ./output.mp4 (if terminal only)
ffplay rtsp://<user>:<pass>@<ipaddress>:554/path (gui)
find paths on ispydb or in zm hcl

If you are new to security software, read:
https://wiki.zoneminder.com/Dummies_Guide
SkippyDo
Posts: 219
Joined: Mon Nov 20, 2017 6:49 pm

Re: Setting SSL variables

Post by SkippyDo »

As I noted, ZM components are referencing THREE variables associated with SSL. In 1.30.4 I used TWO (configured in zm.conf).

Yes, I am having API issues. That is why I am asking why a packaged component is showing three ZM-specific variables associated with SSL. Perhaps you aren't aware of this?
knight-of-ni
Posts: 2404
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Setting SSL variables

Post by knight-of-ni »

SkippyDo wrote: Wed May 27, 2020 2:51 pm As I noted, ZM components are referencing THREE variables associated with SSL. In 1.30.4 I used TWO (configured in zm.conf).

Yes, I am having API issues. That is why I am asking why a packaged component is showing three ZM-specific variables associated with SSL. Perhaps you aren't aware of this?

You are confusing SSL communication to the database with SSL communication to a web browser.

For browser based SSL, do not modify the three ZM_DB_SSL_* variables. As the names imply, those variables are intended to set up secure communication to a (remote) database, which isn't what you want.

When you ran letsencrypt (or certbot) for the first time on your system, it modified your apache configuration for you. As you noted, it seems to be working correctly (as long as Chrome or Firefox agree).

I'm using certbot to manage the certificates on multiple sites running zoneminder, and the API works, without issue, after setting up the certificates.

I'm not sure this has got anything to do with the unnamed API issue you are experiencing.

Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
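
Added example (not part of any post in this thread, and not ZoneMinder code): a small Python check built on the explanation above that the ZM_DB_SSL_* variables are for the database connection only. It flags ZM_DB_SSL_* settings that point at the same files Apache uses for browser TLS; the sample configuration text and the host name cam.example.org are constructed, and treating any /etc/letsencrypt path as suspect is a heuristic assumption.

```python
import re

# Constructed sample input mirroring the settings quoted in this thread;
# "cam.example.org" is a made-up host name.
ZM_CONF = """\
ZM_DB_SSL_CLIENT_CERT=/etc/letsencrypt/live/cam.example.org/fullchain.pem
ZM_DB_SSL_CLIENT_KEY=/etc/letsencrypt/live/cam.example.org/privkey.pem
"""
APACHE_CONF = """\
ServerName cam.example.org
SSLCertificateFile /etc/letsencrypt/live/cam.example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cam.example.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
"""

# Active (uncommented) KEY=VALUE lines for the database TLS variables.
DB_VAR = re.compile(r"^[ \t]*(ZM_DB_SSL_\w+)[ \t]*=[ \t]*(\S+)", re.M)
# Apache directives that name the browser-facing certificate and key.
WEB_DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCertificate(?:Key)?File)[ \t]+(\S+)", re.M | re.I)


def web_tls_files(apache_text):
    """Map each file path Apache uses for browser TLS to its directive."""
    return {path: name for name, path in WEB_DIRECTIVE.findall(apache_text)}


def misplaced_db_tls_settings(zm_text, apache_text):
    """Return (variable, path, reason) for every ZM_DB_SSL_* value that
    points at web-server certificate material rather than database TLS files."""
    web = web_tls_files(apache_text)
    findings = []
    for var, path in DB_VAR.findall(zm_text):
        if path in web:
            findings.append((var, path, "same file as Apache " + web[path]))
        elif path.startswith("/etc/letsencrypt/"):
            # Heuristic (assumption): certbot output is normally web TLS material.
            findings.append((var, path, "path under /etc/letsencrypt"))
    return findings


if __name__ == "__main__":
    for var, path, reason in misplaced_db_tls_settings(ZM_CONF, APACHE_CONF):
        print(f"{var} -> {path}: {reason}; remove unless the database uses TLS")
```
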
knight-of-ni
Posts: 2404
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: Setting SSL variables

Post by knight-of-ni »

And I keep thinking to myself, it's no longer SSL these days... it's TLS ....but let's just roll with it. :-)
SkippyDo
Posts: 219
Joined: Mon Nov 20, 2017 6:49 pm

Re: Setting SSL variables

Post by SkippyDo »

OK, MANY thanks for the clarification!