0

So recently, I had to reset my server because of some issues and stuff. And now, I've been trying to set it up again and it's just not working out for me. I've installed httpd successfully and it works with my websites. But when I try to add an SSL Certificate, CentOS dares to lie to me that it doesn't exist. Here's the output of journalctl -xe;

Sep 26 17:00:11 localhost systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Sep 26 17:00:11 localhost httpd[5579]: AH00526: Syntax error on line 15 of /etc/httpd/enabled/msdfw.conf:
Sep 26 17:00:11 localhost httpd[5579]: SSLCertificateFile: file '/var/iwww/certs/msdfw/c.pem' does not exist or is empty
Sep 26 17:00:11 localhost systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 26 17:00:11 localhost kill[5581]: kill: cannot find process ""
Sep 26 17:00:11 localhost systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 26 17:00:11 localhost systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Sep 26 17:00:11 localhost systemd[1]: Unit httpd.service entered failed state.
Sep 26 17:00:11 localhost systemd[1]: httpd.service failed.

I've checked the file and it's there. I've already tried giving all ownership to user apache, I've given it to group apache and changed all permissions to 777. None of it worked (and reverted permissions). I've tried lsof c.pem, but no output. This is the VirtualHost;

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    RewriteEngine on
    RewriteRule ^/?(.*) https://example.com/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/msdfw
    ErrorLog /var/iwww/logs/e-msdfw
    CustomLog /var/iwww/logs/c-msdfw combined
    DirectoryIndex index.php
    SSLEngine on
    SSLCertificateFile /var/iwww/certs/msdfw/c.pem
    SSLCertificateKeyFile /var/iwww/certs/msdfw/p.key
    SSLCertificateChainFile /var/iwww/certs/msdfw/b.pem
    <Directory /var/www/msdfw/>
            Require all granted
    </Directory>
</VirtualHost>

I've already installed mod_ssl so I don't think that's it. I've done sudo -u apache cat /var/iwww/certs/msdfw/c.pem to check if it can read it, and it can. The certificate can be properly parsed by OpenSSL. So, I'm not sure what the problem is. Anyone that can help, please give out a hand. Thanks!

Additional Information:

  • OS: CentOS Linux release 7.4.1708
  • Not sure what category this falls in, but it's Minimal.
Mz.
  • Is SELinux blocking it (look at your system logs)? –  Sep 27 '17 at 00:37
  • @yoonix How do I check system logs? Google answers can't seem to help me. – Mz. Sep 27 '17 at 02:57
  • Did you check the second part of error message (or empty)? You might check the cert file using `openssl x509 -inform PEM -in /var/iwww/certs/msdfw/c.pem -noout -text` – TomTomTom Sep 27 '17 at 09:11
  • @TomTomTom As I've said already, OpenSSL parses it correctly without error. – Mz. Sep 27 '17 at 14:29

3 Answers

1

I know this is an old thread, but I had a similar issue on my system. I am using OL8 with Apache as a web server. Nothing I did would work, until I ran this command:

sudo chcon -R -t httpd_config_t letsencrypt/

My issue was that SELinux was blocking the request.

The learning is that anything that needs to be run by Apache must have httpd_config_t set at a minimum.

mforsetti
1

It seems I was wrong. It has to do with the certificates labeled system_u or unconfined_u. They have to be labeled system_u to be read by httpd.

Find out how to change labels here.

Mz.
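For the SELinux checks raised in the comment and answers above, one way to see what was denied is to read the AVC records in the audit log. This is an added example, not code from any poster; `httpd_avc_denials`, `sample_audit_log` and the sample records (including the `user_home_t` label) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list SELinux AVC denials logged for httpd.
# Input: audit records on stdin. Output: permission, file, target type (tab-separated).
httpd_avc_denials() {
  awk '
    /type=AVC/ && /denied/ && /comm="httpd"/ {
      perm = "?"; file = "?"; ttype = "?"
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # An AVC record names the object as name="..." or path="...".
        if ($i ~ /^(name|path)=/) {
          file = $i; sub(/^[a-z]+=/, "", file); gsub(/"/, "", file)
        }
        # tcontext is user:role:type:level; the type decides access.
        if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
      }
      print perm "\t" file "\t" ttype
    }'
}

# Constructed sample records; contexts and ids are made up for illustration.
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1506459611.101:410): avc:  denied  { read } for  pid=5579 comm="httpd" name="c.pem" dev="dm-0" ino=201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1506459611.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1506459612.300:411): avc:  denied  { open } for  pid=812 comm="sshd" name="motd" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1506459613.555:412): avc:  denied  { getattr } for  pid=5579 comm="httpd" path="/var/iwww/certs/msdfw/p.key" dev="dm-0" ino=202 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# On a host running auditd, feed it the real log instead (default CentOS path):
#   sudo cat /var/log/audit/audit.log | httpd_avc_denials
sample_audit_log | httpd_avc_denials
```

The third column is the label type of the denied file, which can be compared with what `ls -Z` shows for the certificate directory.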
0

So... I've sort of fixed the problem, but not completely. I tried to remove the c.pem to see if it still recognizes the directory and give me some error that says;

/var/iwww/certs/msdfw/: Is a directory

But it didn't. Still same error. So I was being stupid and put in;

SSLCertificateFile whoami

Yeah, I don't know what I was thinking. But it said no file in /etc/httpd/whoami or is empty. Anyways, I moved it all to /etc/httpd/certs/msdfw/ and reconfigured the VirtualHost.

And it worked...

TL;DR: If you're getting this and nothing else is working, move it to /etc/httpd.

Mz.
  • Which leads me to my next question. [Why doesn't it accept absolute paths?](https://serverfault.com/questions/875840) – Mz. Sep 27 '17 at 21:06