5

I'm attempting to install Apache with SSL on CentOS6 to use as a development server.

I've been following the directions posted here to get SSL working: http://wiki.centos.org/HowTos/Https (Note: Apache was working fine until I attempted to enable SSL.)

When I got to the part about restarting Apache, the server wouldn't start. I just get the following error:

```
[Mon Feb 13 18:31:36 2012] [error] (13)Permission denied: Init: Can't open server certificate file /etc/pki/tls/certs/ca.crt
```

I saw that the reported certificate was owned by my user and my group, so I changed it to root:root but it made no difference. I'm not sure what else to try or what to look at. Thanks.

Note: My question is similar to this but the error is different.

Frank V
  • What is the result of running getenforce? Did you use copy like the docs say when creating the certificate? – becomingwisest Feb 14 '12 at 02:42
  • "getenforce" returns "Enforcing" – Frank V Feb 14 '12 at 02:44
  • Yes, I double checked that it was a copy. – Frank V Feb 14 '12 at 02:44
  • Christopher -- apparently that was it, in a way. I want to give you credit for the answer. Could you write something along the lines of using the restorecon piece? When you posted that, I recalled that there were directions to run `restorecon -RvF /etc/pki`. I ran this as a precaution and now the server starts. – Frank V Feb 14 '12 at 02:50

1 Answer

11

So for anyone who doesn't understand what the answer actually is here:

This is an SELinux issue. Files can have different SELinux "contexts" and a file with the wrong context will be unreadable by the httpd daemon even if the regular permissions are correct. In my case, the solution was to do the following:

```
chcon --reference /file/with/correct/context /path/to/certificate/file
```

Which will copy the context from the referenced file to the certificate. In case you don't have a file you can reference, the slightly trickier way (because of having to type it out) to set the correct context is:

```
chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/certificate/file
```

saturdayplace
  • One might encounter this issue when uploading the key file as a regular user, then using `sudo mv` (with requisite `sudo chown`) to install. Safest route is to `cat > /path/to/file.crt < /path/to/source.crt`. – bishop Oct 31 '14 at 00:32
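
An added example, not part of the original question or answer: a way to confirm from the audit log that an SELinux label, rather than file mode or ownership, is what stops httpd from reading the certificate. The audit records are constructed samples, the function names are hypothetical, and `/var/log/audit/audit.log` is assumed to be where auditd writes on the host.

```shell
#!/bin/sh
# Constructed sample audit records (not from the original post). The first models
# a certificate created in a home directory and then moved into /etc/pki.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1329186696.123:401): avc:  denied  { read } for  pid=2211 comm="httpd" name="ca.crt" dev=dm-0 ino=131090 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1329186700.456:402): avc:  denied  { write } for  pid=2300 comm="sshd" name="x" dev=dm-0 ino=55 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1329186696.123:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# Read audit records on stdin. For each AVC denial whose source domain is
# httpd_t, print "<file name> <target type> <permissions>".
httpd_avc_denials() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
        name = ""; ttype = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm != "" ? "," : "") $j
            if ($i ~ /^name=/) { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        print name, ttype, perm
    }'
}

# Succeeds for types a file picks up when created in a home or temp directory;
# one of these on a file under /etc/pki means the label travelled with a move.
carried_over_label() {
    case "$1" in
        user_home_t|admin_home_t|user_tmp_t|tmp_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the sample; on a live host feed /var/log/audit/audit.log instead.
sample_audit_log | httpd_avc_denials | while read -r name ttype perm; do
    if carried_over_label "$ttype"; then
        echo "$name: httpd denied $perm, label $ttype carried over; relabel with restorecon"
    else
        echo "$name: httpd denied $perm on $ttype; review the policy or the label"
    fi
done
```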