Wednesday 29 June 2016

SELinux issue with Apache certificates

So you are setting up Apache SSL (mod_ssl), have installed the certificates in /etc/pki/tls/certs and have configured your ssl.conf to point at them. Starting or restarting Apache then gives you these errors:
# tail /var/log/httpd/error_log
[Wed Jun 29 16:07:55.097464 2016] [auth_digest:notice] [pid 6159] AH01757: generating secret for digest authentication ...
[Wed Jun 29 16:07:55.098146 2016] [lbmethod_heartbeat:notice] [pid 6159] AH02282: No slotmem from mod_heartmonitor
[Wed Jun 29 16:07:55.098646 2016] [ssl:emerg] [pid 6159] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
[Wed Jun 29 16:08:26.608731 2016] [core:notice] [pid 16249] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Jun 29 16:08:26.609618 2016] [suexec:notice] [pid 16249] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 29 16:08:26.610045 2016] [ssl:emerg] [pid 16249] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information

# tail /var/log/httpd/ssl_error_log
[Wed Jun 29 16:07:55.098595 2016] [ssl:emerg] [pid 6159] AH01895: Unable to configure verify locations for client authentication
[Wed Jun 29 16:07:55.098617 2016] [ssl:emerg] [pid 6159] SSL Library Error: error:0200100D:system library:fopen:Permission denied (fopen('/etc/pki/tls/certs/QuoVadisEVRootCertificate.crt','r'))
[Wed Jun 29 16:07:55.098626 2016] [ssl:emerg] [pid 6159] SSL Library Error: error:2006D002:BIO routines:BIO_new_file:system lib
[Wed Jun 29 16:07:55.098634 2016] [ssl:emerg] [pid 6159] SSL Library Error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
[Wed Jun 29 16:08:26.610008 2016] [ssl:emerg] [pid 16249] AH01895: Unable to configure verify locations for client authentication
[Wed Jun 29 16:08:26.610024 2016] [ssl:emerg] [pid 16249] SSL Library Error: error:0200100D:system library:fopen:Permission denied (fopen('/etc/pki/tls/certs/QuoVadisEVRootCertificate.crt','r'))
[Wed Jun 29 16:08:26.610032 2016] [ssl:emerg] [pid 16249] SSL Library Error: error:2006D002:BIO routines:BIO_new_file:system lib
[Wed Jun 29 16:08:26.610041 2016] [ssl:emerg] [pid 16249] SSL Library Error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
The "Permission denied" on fopen is not a filesystem permission problem but an SELinux one: httpd runs as httpd_t, which may read files labelled cert_t but not files labelled user_home_t (the label a file gets when created in a home directory and keeps when copied into /etc/pki/tls/certs). Running restorecon over the certificate directory resets the labels to what the policy expects, which fixes the problem (on this system /etc/ssl/certs is a symlink to /etc/pki/tls/certs, which is why the output shows that path):
# restorecon -RvF /etc/ssl/certs/
restorecon reset /etc/pki/tls/certs/QuoVadisEVIntermediateCertificate.crt context unconfined_u:object_r:user_home_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/certs/localhost.crt context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/certs/QuoVadisEVRootCertificate.crt context unconfined_u:object_r:user_home_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/certs/redcapbrtc.crt context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
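
To catch this before restarting Apache, the following script (an added example, not from the original post) checks every file in a certificate directory for the SELinux type httpd_t is allowed to read and prints the restorecon command when something is mislabelled. The helper names find_mislabeled and audit_cert_dir are assumptions made for this example; the ls -Z sample it runs over offline is constructed to mirror the labels seen in the restorecon output above.

```sh
#!/bin/sh
# Added example (not from the original post): audit the SELinux labels on an
# Apache certificate directory and show the restorecon fix if any file is
# mislabelled. httpd_t may read cert_t but not user_home_t, the label a file
# keeps when copied out of a home directory; that is what restorecon resets.

# Read "ls -Z" style lines ("<user>:<role>:<type>:<level> <path>") on stdin
# and print the path of every file whose type differs from the expected one ($1).
find_mislabeled() {
    awk -v want="$1" 'NF >= 2 { split($1, ctx, ":"); if (ctx[3] != want) print $2 }'
}

# Audit a real directory (hypothetical helper). Prints the mislabelled paths and
# returns 1 if any were found, so it can gate a deployment or restart step.
# The expected type defaults to cert_t, the label SELinux policy gives /etc/pki/tls/certs.
audit_cert_dir() {
    dir="$1"; want="${2:-cert_t}"
    bad=$(ls -Z "$dir"/* 2>/dev/null | find_mislabeled "$want")
    if [ -n "$bad" ]; then
        printf 'Mislabelled (httpd_t cannot read these):\n%s\n' "$bad"
        printf 'Fix with: restorecon -RvF %s\n' "$dir"
        return 1
    fi
    return 0
}

# Constructed sample of "ls -Z" output, mirroring the labels in the post's
# restorecon run (two files still carry user_home_t).
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /etc/pki/tls/certs/QuoVadisEVIntermediateCertificate.crt
unconfined_u:object_r:cert_t:s0 /etc/pki/tls/certs/localhost.crt
unconfined_u:object_r:user_home_t:s0 /etc/pki/tls/certs/QuoVadisEVRootCertificate.crt
unconfined_u:object_r:cert_t:s0 /etc/pki/tls/certs/redcapbrtc.crt'

# Run the check over the sample so the script works offline; on a real host
# call: audit_cert_dir /etc/pki/tls/certs
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled cert_t
```

Against the sample, the script lists the two QuoVadis files and nothing else. Running audit_cert_dir after copying certificates in, and before restarting httpd, turns the ssl:emerg failure at startup into a check that fails early with the exact fix.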