I recently created my own CA and issued my first root cert, then intermediate, then finally a server cert/key/chain for apache.

When I switch from the letsencrypt certs added with certbot to the self generated certs, Apache fails to start with:

Dec 20 07:52:07 test setroubleshoot[4859]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /root/ca/intermediate/certs/www.inthingslimited.com

I'm wondering if maybe it's some of the letsencrypt defaults causing me headaches or is it simply that the certs don't trace back to a registered CA?

I've read that I could disable SELinux but I think it would be better to find a solution that allowed me to leave SELinux alone.

Thanks for any pointers.

David Menache
  • output from journalctl -xe – David Menache Dec 20 '18 at 16:09
  • This msg is in the journalctl -xe output but the ausearch command just hangs. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'httpd' --raw | audit2allow -M my-httpd # semodule -i my-httpd.pp – David Menache Dec 20 '18 at 16:16
  • setenforce 0 disables SELinux and the apache service starts. I'm guessing SELinux doesn't like certs not from a registered CA. – David Menache Dec 20 '18 at 16:28

1 Answer

SELinux does not allow Apache to access anything in the /root directory, full stop. It doesn't matter if it's certificates, web site static files, or anything else.

To solve the problem, copy the certificate files into appropriate directories under /etc/pki/tls.

Michael Hampton
  • Well I looked into that and I'm not sure that was the issue. The domain was functioning properly with the letsencrypt certs added via certbot to /etc/letsencrypt/live/www.inthingslimited.com/ and that is where I placed my self signed certs (I also made sure to duplicate the security to mimic letsencrypt certs 644) so if security was a problem wouldn't it be for the letsencrypt certs as well? – David Menache Dec 20 '18 at 19:19
  • @doapydave No, because that directory is also allowed, but you probably had the wrong file contexts due to [moving files instead of copying them](https://serverfault.com/a/801732/126632). – Michael Hampton Dec 20 '18 at 19:22
  • I copied them to /etc/pki/tls as suggested and all is well now. Your other mention about file contexts was also helpful. I will try that on the orig location I was having trouble with. It will probably fix that too. Thank you very much! – David Menache Dec 20 '18 at 21:08
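As an added example (not from either poster), the check-and-fix routine behind the accepted answer: read the SELinux type out of an `ls -Z` line, decide whether httpd's policy lets it read that type, and copy (never mv) the certificate files into the RHEL-style /etc/pki/tls directories so they pick up the directory's default label. The allowlist of types and the /etc/pki/tls paths are assumptions about a stock RHEL/CentOS policy.

```sh
#!/bin/sh
# Added example, not code from the question or answer.
# Assumes RHEL/CentOS layout: /etc/pki/tls/certs and /etc/pki/tls/private.

# Extract the SELinux type (third colon field of the context) from one line
# of `ls -Z` output, e.g.
#   -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 www.example.com.cert.pem
# Prints nothing when the line carries no context (e.g. "?" on non-SELinux hosts).
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (index($i, ":object_r:") > 0) { split($i, p, ":"); print p[3]; exit }
    }'
}

# Types the stock targeted policy lets httpd_t read certificates from
# (assumed allowlist; /etc/pki/tls and /etc/letsencrypt default to cert_t,
# while anything under /root is admin_home_t and is denied).
httpd_may_read_cert() {
    case "$1" in
        cert_t|httpd_config_t|httpd_sys_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether httpd will be allowed to read the file at $1, based on its label.
verify_label() {
    t=$(selinux_type_of "$(ls -dZ "$1")")
    if httpd_may_read_cert "$t"; then
        echo "$1: type $t, readable by httpd"
    else
        echo "$1: type ${t:-unknown}, httpd will be denied getattr/read"
        return 1
    fi
}

# Copy the chain ($1) and key ($2) into place; a fresh copy inherits the
# destination directory's default type, and restorecon makes that explicit.
install_cert() {
    install -o root -g root -m 0644 "$1" /etc/pki/tls/certs/
    install -o root -g root -m 0600 "$2" /etc/pki/tls/private/
    restorecon -Rv /etc/pki/tls/certs /etc/pki/tls/private
    verify_label "/etc/pki/tls/certs/$(basename "$1")"
}
```

Run `verify_label /root/ca/intermediate/certs/<file>` on the original location to see the denial reproduced as a label problem rather than a CA-trust problem.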