2

nginx conf looks like this:

    server {
        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/4096_SSL.key;

`systemctl status nginx.service` shows this:

    nginx: [emerg] BIO_new_file("/etc/nginx/nginx.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/nginx/nginx.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)

Why isn't nginx looking for the file in the full path specified?

84104
spuy767
  • 4
    Is it possible you have additional ssl_certificate commands elsewhere in your config? Either in that nginx.conf file, or an included site's config? Some `grep`ing about might help? – Christopher Karel Apr 17 '15 at 20:51
  • 2
    possible duplicate of [nginx permission denied to certificate files for ssl configuration](http://serverfault.com/questions/540537/nginx-permission-denied-to-certificate-files-for-ssl-configuration) – peelman Apr 17 '15 at 23:57
  • 3
    @peelman It may be the same error message. But the additional analysis of the problem provided in the question is different enough between the two questions for them not to be duplicates. – kasperd Apr 18 '15 at 05:59
  • 2
    Blah, indeed you are correct. I read that error message like three times but I missed the /ssl/ in the config stanza. Given that, Chris has the right idea, I'd start grepping either nginx.crt or ssl_certificate in /etc and searching for duplicate directives deeper in the config. – peelman Apr 19 '15 at 02:01
  • 2
    Have you **restarted** nginx? – Alexey Ten Apr 19 '15 at 19:53
  • 3
    Did you ever work this out or get a good answer to it? – Djave Dec 12 '16 at 23:06

2 Answers

1

Most probably you had a backup file starting with "~" (usually a backup from nano or another text editor) with the old configuration under /etc/nginx/sites-enabled/

cytrus
  • It's been so long since I asked this question that I don't even remember what the solution was. I don't believe this was it, but this happens frequently enough, especially when I've been disconnected from remote servers, that it deserves a bit of recognition. And welcome to the site. – spuy767 Mar 07 '19 at 14:10
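
The check suggested in the comments and in the answer above, as an added example that is not part of the original thread: list every active `ssl_certificate` directive under a config root and flag editor leftovers that a wildcard `include` would load. The function names, the backup-name patterns and the sample tree (including `/etc/nginx/old.crt`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). The sample tree is constructed.

# Print "file:line:text" for every uncommented ssl_certificate or
# ssl_certificate_key directive below an nginx config root.
# grep -r does not follow symlinks, so enabled sites that are symlinks are
# reported under their real path (for example sites-available/).
find_cert_directives() {
    grep -rnE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$1" 2>/dev/null | sort
}

# Print regular files in a directory whose names look like editor leftovers.
# A wildcard include such as "include sites-enabled/*;" loads these too.
find_backup_files() {
    for f in "$1"/*; do
        case "${f##*/}" in
            *~|\~*|*.bak|*.save|*.orig) [ -f "$f" ] && printf '%s\n' "$f" ;;
        esac
    done
    return 0
}

# Build a constructed config tree: the live site file plus a stale backup
# that still points at the old certificate path from the error message.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sites-enabled"
    cat > "$root/sites-enabled/default" <<'EOF'
server {
    # ssl_certificate /etc/nginx/old.crt;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/4096_SSL.key;
}
EOF
    cat > "$root/sites-enabled/default~" <<'EOF'
server {
    ssl_certificate /etc/nginx/nginx.crt;
}
EOF
    printf '%s\n' "$root"
}

# Scan the directory given as $1, or the constructed sample when none is given.
conf_root=${1:-$(make_sample_tree)}
find_cert_directives "$conf_root"
find_backup_files "$conf_root/sites-enabled"
```

Run it as root against `/etc/nginx` so unreadable files are not silently skipped; any directive reported from a file you did not expect to be loaded is the one to remove before restarting nginx.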
-5

SELinux must be disabled. That worked for me.

  • 7
    That's a terrible solution. You should adapt your SELinux policy or move your certificate to an appropriate location. – Brennen Smith Jul 24 '19 at 22:36