38

I'm installing an nginx ssl proxy on my Fedora server.

I've created a cert and key pair under /etc/nginx. They look like this:

ls -l /etc/nginx/
total 84
...
-rw-r--r--. 1 root root 1346 Sep 20 12:11 demo.crt
-rw-r--r--. 1 root root 1679 Sep 20 12:11 demo.key

...

As root, I'm trying to start the nginx service:

systemctl start nginx.service

I get the following error:

nginx[30854]: nginx: [emerg]
SSL_CTX_use_certificate_chain_file("/etc/nginx/demo.crt") failed (SSL: error:0200100D:system     library:fopen:Permission denied...e:system lib)
nginx[30854]: nginx: configuration file /etc/nginx/nginx.conf test failed

Is there something wrong with the permissions on these files?

numb3rs1x
  • It mentions certificate chain... isn't the problem with certification authority of that demo.crt key? Or is it self-signed certificate? By the way, I don't think key file should be readable by world. Nginx should open it as root and then drop privileges to whatever user it runs as. – Aleš Krajník Sep 20 '13 at 16:31
  • It's self-signed, yes. I will change the ownership, thanks. – numb3rs1x Sep 20 '13 at 16:49
  • You assume the problem is with the certificates, but the error message applies to the configuration file for Nginx. – bbaassssiiee Mar 18 '18 at 21:30

2 Answers

54

You probably have SELinux in enforcing mode (the default for Fedora):

sestatus -v

If this is the case, check the audit logs, you should find the access error:

ausearch -m avc -ts today | audit2allow

You also probably moved the file instead of copying it, so the security context of the file might be wrong.

ls -lrtZ /etc/nginx/demo.*

and correct it if needed:

restorecon -v -R /etc/nginx
dawud
  • Thank you very much. I followed your instructions and I am no longer getting the error. I did happen to move these files from the directory in which I created them. I can create them in the same directory next time. Other than that, how do I prevent this from happening in the future? – numb3rs1x Sep 20 '13 at 16:55
  • For this specific use case, use `cp` instead of `mv` and learn to use the `audit` system to look for AVC denials. – dawud Sep 20 '13 at 16:58
  • The ausearch | audit2allow command. Did that add some permissions to selinux or was that just to confirm that selinux was the problem? – numb3rs1x Sep 20 '13 at 17:09
  • It was just to confirm. Read their respective manual pages for the details. – dawud Sep 20 '13 at 18:16
  • 5
    Wow, thanks! It's good to have an answer which isn't just 'disable SELinux'. – BCran May 19 '15 at 21:09
  • I have the very same error, but I doubt your solution applies to me: none of *all* the commands suggested there work for me. Using Ubuntu 14.04. You say > "the security context of the file might be wrong", could you be more specific on this point? – Augustin Riedinger Apr 21 '16 at 13:35
  • The security context refers to the Mandatory Access Control of the file. It is relevant if you have a Linux Security Module active in your system. In the case of Ubuntu, that would normally be AppArmor, not SELinux. – dawud Apr 21 '16 at 13:54
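As an added example (not code from either answer), the check a practitioner wants after the `ausearch -m avc` step above: parse the AVC denial records from the audit log, pull out the SELinux type nginx was denied on, and list the files whose type is not `httpd_config_t`, i.e. the ones `restorecon` has to fix. The audit lines below are constructed to mirror the mv-from-home-directory scenario in the answer; they are not taken from the poster's system.

```python
import re

# Constructed sample AVC records in the style of /var/log/audit/audit.log.
# The cert and key were created under /root and then mv'ed into /etc/nginx,
# so they kept the admin_home_t type instead of picking up httpd_config_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379693000.123:456): avc:  denied  { read } for  pid=30854 comm="nginx" name="demo.crt" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1379693000.123:457): avc:  denied  { read } for  pid=30854 comm="nginx" name="demo.key" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1379693100.500:460): avc:  denied  { name_connect } for  pid=30900 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

# Fields of an AVC record; name= is absent for non-file classes (sockets etc).
AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?:.*? name="(?P<name>[^"]+)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)


def parse_avc(log_text):
    """Return one dict per AVC denial record found in the audit log text."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            # A context label is user:role:type:level; the type decides policy.
            rec["ttype"] = rec["tcontext"].split(":")[2]
            records.append(rec)
    return records


def mislabeled_files(records, comm="nginx", expected_type="httpd_config_t"):
    """Files the given process was denied on whose type is not the expected one."""
    return sorted({
        r["name"] for r in records
        if r["comm"] == comm and r["tclass"] == "file" and r["ttype"] != expected_type
    })


if __name__ == "__main__":
    for name in mislabeled_files(parse_avc(SAMPLE_AUDIT_LOG)):
        print(f"{name}: wrong SELinux type, run: restorecon -v /etc/nginx/{name}")
```

On a real host, feed it the output of `ausearch -m avc -ts today` instead of the constructed sample; the socket denial in the sample is ignored on purpose, since only file-class denials are relabeling problems.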
12

I guess it's SELinux that denies permission. Check their SELinux context. Theirs should be httpd_config_t. If not, run

restorecon /etc/nginx/demo.*

or

chcon -t httpd_config_t /etc/nginx/demo.*

as root.

You can check logs under /var/log/audit/ to see if it's SELinux that denies permission. You can also run

setenforce 0

to set SELinux into permissive mode. This way, SELinux still generates AVC messages (in /var/log/audit/) but permits access.

jdh8