[support] dlandon - Zoneminder 1.36



21 hours ago, blaine07 said:

 


Using Letsencrypt to reverse proxy?

 

Yes.... 

 

I resolved the certificate error by copying the certs from my nginx/letsencrypt docker to my zoneminder keys.... so now I get an untrusted cert error instead of a root revocation error. This lets me get into zoneminder.

 

Now all I need is a properly configured subdomain reverse proxy configuration to have everything working correctly. Anyone have some examples? ie: https://zoneminder.mydomain.com vs https://myserver.mydomain.com/zm ?

 

 

 

Edited by ridewithjoe

Inside Letsencrypt there should be a zoneminder.subdomain.conf that should work without many changes?
3 hours ago, blaine07 said:


Inside Letsencrypt there should be a zoneminder.subdomain.conf that should work without many changes?

Unfortunately, even though there are a ton of configs, zoneminder.subdomain.conf is not there.  I'll try and find it online. 

 

EDIT: Oddly enough.... I cannot seem to find a location with zoneminder.subdomain.conf anywhere.... wonder if it was removed for some reason. Even reinstalled the letsencrypt docker and that config is not present in the list at all.

Edited by ridewithjoe
  • 5 weeks later...

Hi there,

First of all, the all inclusive docker is EPIC! thanks for your hard work building (actually moving back from Shinobi to Zoneminder for the object detection stuff!) 

[if anyone cares I was using Deepstack docker with HA + Shinobi]

 

Could someone who understands certificates a little more offer some guidance? I'm using a reverse proxy to access all my dockerized services, and accessing ZM perfectly from outside using `https://subdomain.domain.com/zm` The Cert for that I purchased a wildcard cert (so SAN wouldn't be an issue). 

 

I have the reverse proxy set up to forward https://sub.domain.com/zm (443) to http://<ZM_IP>:8080/zm (as above works fine). Would be nice to have apache auto forward to the /zm URL (but that's for another day)

2 things I'm unsure of to get alerts if someone can point me in the right direction:
1. There are 2 sets of certs listed: 
   a) in secrets.ini (ES_CERT_FILE) - assuming this is the cert purely for the EventService. This seems a little more complicated to set up (events are hitting ZMNinja on my iPhone, but no notifications/alerts). I can't figure out what needs to be set up for "wss://<ZM_IP>:9003" when using an external FQDN address.

I have simply created another `https://ESSubdomain.domain.com` reverse proxy, secured with the same wildcard cert? Is a positive result getting events to show in ZMninja on my iOS device? As I'm not getting notifications.

I have set the following (as I don't need SSL internally as my reverse proxy secures the traffic to the site)

[ssl]

enable = no


   b) Then there are 2 self signed certs in the 'keys' folder (assuming these aren't needed if using http (port 8080:80) - and this is used as a cert for the apache webserver?



Assuming that will solve alerts, I'm also not seeing proper hook usage. 

I'm seeing the zmeventservice invoke the hook script with the event number, the monitor ID & name. Then seeing hook script returned with exit:1 - but nothing downstream of that.
 

5 hours ago, Jaburges said:

Then there are 2 self signed certs in the 'keys' folder (assuming these aren't needed if using http (port 8080:80) - and this is used as a cert for the apache webserver?

You only need one certificate for Zoneminder and the event server (ES).  The secrets.ini file tells the ES where the certs are located.  Leave it at the default settings.  Replace the cert in the /keys folder with the ones you want to use.  Be sure the crt and key file have the same names as the default.

 

One is the certs file and the other is a key file.  Both are needed.  I don't recommend you use port 80 outside your LAN.

 

You need to enable the installation and configuring of hook processing with the hook environment variables.  See the first post for details.

 

Check the docker log to see if there are any errors.

Link to comment
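
A pre-flight check for the advice above (one .crt plus its matching .key, under the default file names), written as an added example and not taken from the docker image or its author. It assumes the `openssl` CLI is installed; `cert.crt`/`cert.key` are the names mentioned in this thread, while the function names and the `example.test` host names are hypothetical and the demo pair is constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the cert.crt / cert.key pair in the keys folder.
# Function names and the example.test host names are hypothetical / constructed.

# Succeeds when cert and key carry the same public key, i.e. they are a pair.
pair_matches() (   # usage: pair_matches cert.crt cert.key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
  [ "$from_cert" = "$from_key" ]
)

# Succeeds when subject and issuer are the same name (self-signed certificate).
is_self_signed() (   # usage: is_self_signed cert.crt
  subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || exit 2
  [ "$subj" = "$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" ]
)

# Succeeds when the certificate is valid for the host name clients connect to.
covers_host() {   # usage: covers_host cert.crt host
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Runs all checks on <dir>/cert.crt and <dir>/cert.key and prints one verdict.
check_keys_dir() (   # usage: check_keys_dir keys-dir host
  crt="$1/cert.crt"; key="$1/cert.key"
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then echo "missing cert.crt or cert.key"; exit 1; fi
  pair_matches "$crt" "$key" || { echo "cert.key does not belong to cert.crt"; exit 1; }
  covers_host "$crt" "$2" || { echo "certificate is not valid for $2"; exit 1; }
  if is_self_signed "$crt"; then echo "ok: self-signed"; else echo "ok: issued by a CA"; fi
)

# Constructed sample input: a throwaway self-signed pair for the given name.
make_demo_pair() {   # usage: make_demo_pair dir dns-name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/cert.key" -out "$1/cert.crt" 2>/dev/null
}

# Demo: a wildcard pair checked against a host under it, then against a foreign host.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" '*.example.test'
check_keys_dir "$demo_dir" zm.example.test
check_keys_dir "$demo_dir" zm.other.test || true
rm -rf "$demo_dir"
```

The private key never leaves the machine in these checks; only the public halves are compared, so the same test works for a purchased wildcard certificate and for the auto-generated self-signed one.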
1 minute ago, dlandon said:

You only need one certificate for Zoneminder and the event server (ES).  The secrets.ini file tells the ES where the certs are located.  Leave it at the default settings.  Replace the cert in the /keys folder with the ones you want to use.  Be sure the crt and key file have the same names as the default.

 

One is the certs file and the other is a key file.  Both are needed.  I don't recommend you use port 80 outside your LAN.

 

You need to enable the installation and configuring of hook processing with the hook environment variables.  See the first post for details.

 

Check the docker log to see if there are any errors.

Thanks for the reply. Think i need to do a bit more reading on the certificate front. 
My wildcard cert consists of a .crt (which if I understand correctly is the public signed version of my private key (from my synology box)). So not sure what I would use for the .key file (unless I use the same key file as the private key from the synology box, but not sure how that works when it's being used on a different box - I was under the impression the wildcard cert validates all traffic through the synology box to the reverse proxy end points. I may need to generate letsencrypt certs to use for the notifications).

 

I've enabled the hook processing, and script - but will take another look at what I'm missing. 

Thanks again! 

2 minutes ago, Jaburges said:

Thanks for the reply. Think i need to do a bit more reading on the certificate front. 
My wildcard cert consists of a .crt (which if I understand correctly is the public signed version of my private key (from my synology box)). So not sure what I would use for the .key file (unless I use the same key file as the private key from the synology box, but not sure how that works when it's being used on a different box - I was under the impression the wildcard cert validates all traffic through the synology box to the reverse proxy end points. I may need to generate letsencrypt certs to use for the notifications).

 

I've enabled the hook processing, and script - but will take another look at what I'm missing. 

Thanks again! 

Remove the files from the /keys folder and restart ZM.  The self signed cert will be recreated.  Get ZM and the event server working properly without the proxy then work on generating your cert and adding the proxy.  Don't start off with the proxy and your own cert.  You won't be able to tell what is not working.


Right now SSL is completely disabled for ZM as internally it's only http traffic accessing it (local IP address), but externally https traffic via the reverse proxy is accessing it.

I've connected successfully from both internally (using direct IP address on http) 
and also externally https (443) then routed to http 
However, in your docs you make reference to the notifications needing a specific cert set up, but I can't figure out what is needed from my particular set up. I'm going out on a limb and if it's a similar alerting system to the android app in HomeAssistant that needed a publicly signed cert for the alert to hit the mobile device.

I see events on my iOS device, but I don't get any alerts (and my tokens.txt file is empty) so leads me to believe that the alerting service isn't registering my device.

As I work through this I'll try and put a guide together as well for future users

9 minutes ago, Jaburges said:

However, in your docs you make reference to the notifications needing a specific cert set up, but I can't figure out what is needed from my particular set up.

ZM and ES can use the same cert.  The self signed cert works.  You don't need different certs.

 

Make sure you forward port 9000 to the ZM docker.  That's the port used for ES alerts.  Once it is set up properly, you'll see the token in the tokens file.

 

 


OK, will try the self signed certs. I was basing the info from this:

Quote

Push notifications with images will not work unless you replace the self-signed certificates that are auto-generated. Feel free to use the excellent and free LetsEncrypt service if you'd like.

Also on closer inspection (and maybe I'm not understanding the certificate set up) but there are 4 certs that exist. 

in the default secrets.ini:

ES_CERT_FILE = /etc/apache2/ssl/zoneminder.crt

ES_KEY_FILE = /etc/apache2/ssl/zoneminder.key

 

This is also referenced in zmeventnotification.ini by invoking the secrets.ini above !ES_CERT_FILE !ES_KEY_FILE

 

However the self signed certs are located in /config/keys/cert.crt & cert.key 
but these don't seem to be referenced anywhere in the ini files? 

21 minutes ago, Jaburges said:

OK, will try the self signed certs. I was basing the info from this:

Also on closer inspection (and maybe I'm not understanding the certificate set up) but there are 4 certs that exist. 

in the default secrets.ini:

ES_CERT_FILE = /etc/apache2/ssl/zoneminder.crt

ES_KEY_FILE = /etc/apache2/ssl/zoneminder.key

 

This is also referenced in zmeventnotification.ini by invoking the secrets.ini above !ES_CERT_FILE !ES_KEY_FILE

 

However the self signed certs are located in /config/keys/cert.crt & cert.key 
but these don't seem to be referenced anywhere in the ini files? 

You are way over analyzing.  The ZM cert mapping is /etc/apache2/ssl/ inside the docker.  Because I want to have the cert survive an update, they are physically placed in /appdata/Zoneminder/keys/.  Inside the docker there is a symlink from /etc/apache2/ssl/ to /config/keys/.  All the references you see all point to the same cert files in /appdata/Zoneminder/keys.

 

Stop worrying about the cert right now.  You can get events to work with the self signed cert.  If you can see the live video on your device, the cert is working.  The next step is to forward port 9000 and get events to trigger on your device.  Start out by using the default zmeventserver.ini.  Don't change anything until the events are being triggered on your device.  Once that is done, you can move towards getting a proper certificate.

7 hours ago, dlandon said:

You are way over analyzing.  The ZM cert mapping is /etc/apache2/ssl/ inside the docker.  Because I want to have the cert survive an update, they are physically placed in /appdata/Zoneminder/keys/.  Inside the docker there is a symlink from /etc/apache2/ssl/ to /config/keys/.  All the references you see all point to the same cert files in /appdata/Zoneminder/keys.

 

Stop worrying about the cert right now.  You can get events to work with the self signed cert.  If you can see the live video on your device, the cert is working.  The next step is to forward port 9000 and get events to trigger on your device.  Start out by using the default zmeventserver.ini.  Don't change anything until the events are being triggered on your device.  Once that is done, you can move towards getting a proper certificate.

I left everything to default (with the exception of port 9000 as I had to use 9003) docker -p 9003:9000 

(confirmed working in the docker log:

INF [Secure WS(WSS) is enabled...]

INF [Web Socket Event Server listening on port 9003]

 

I am seeing events in the list on my iOS device, but getting the following error in the logs:

Failed to connect to WebSocket: code: 1006, reason: undefined, exception: The operation couldn't be completed. Connection refused.

 

This is using all local network IP (not involving the reverse proxy) and when using eventserver URL in my iOS ZMNinja app "wss://192.168.X.X:9003" as the event server URL. 

The local cert.crt is also installed on the iOS device in case that was required.

ServerName I've tried both "localhost" and "192.168.X.X"

 

I have checked the owner of the /push folder and tokens.txt is www-data 

 

I've also disabled secure websockets and dropped back to non secure: ws://192.168.X.X:9003 and I get the same error.

ZM_PORTAL=http://192.168.X.X:8080/zm and connects fine auth

ZM_USER and !ZM_PASS

 

I've also tested the connection directly with a chrome websocket extension and get the same 1006 error. 

"The connection was terminated uncleanly with status code 1006 (ABNORMAL)"

 

Struggling to figure out why the eventserver is refusing the connection? Next stop is to tear down the docker and start again. Any thoughts?

I could only find this: https://github.com/pliablepixels/zmeventnotification/issues/32

16 minutes ago, Jaburges said:

No luck as of yet. Is there any way to update zmeventnotification.pl inside the docker to the newer/previous version? 

Unfortunately, it's not that simple.  There are a lot of background changes.  You should go ahead and install version 1.33.  It's still under development, but I am using it and it works very well.  It has the latest ES installed.

 

 

On 1/8/2020 at 8:06 PM, dlandon said:

Unfortunately, it's not that simple.  There are a lot of background changes.  You should go ahead and install version 1.33.  It's still under development, but I am using it and it works very well.  It has the latest ES installed.

 

 

Confirmed your 1.32 docker update with 5.4 zmeventnotification works using WSS (internally and externally using NGINX)

I moved it to a separate VM so could use port 9000. Can't confirm if that was the issue though (even though alt port was set in .ini before) 

Here is my set up and install with HomeAssistant in case it helps someone else. Thanks for building this!


Zoneminder 1.34 has been released.  I am building the docker for 1.34.  All you have to do is update the docker and 1.34 will be installed and your database converted.  Everything should work without any problems.  You will have to set your time zone in the Options->System.


Thanks for all your hard work keeping this going for us mate!

Installed the new build and everything I’ve tried works as expected with ZM and ZMeventserver.

Great work, Thank you :)
15 minutes ago, Sic79 said:

 


Installed the new build and everything I’ve tried works as expected with ZM and ZMeventserver.

Great work, Thank you :)

 

Thanks for the feedback.  I've been using the master build (pre 1.34) for the last month and it has been working quite well.

  • dlandon changed the title to [support] dlandon - Zoneminder 1.36
