CentOS6 - Apache2 working but when installing / enabling SSL, server won't start because of permissions error

So for anyone who doesn't understand what the answer actually is here:

This is an SELinux issue. Files can have different SELinux "contexts", and a file with the wrong context will be unreadable by the httpd daemon even if the regular permissions are correct. In my case, the solution was to do the following:

chcon --reference /file/with/correct/context /path/to/certificate/file

Which will copy the context from the referenced file to the certificate. In case you don't have a file you can reference, the slightly trickier way (because of having to type it out) to set the correct context is:

chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/certificate/file
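
Added example (not part of the original answer): a shell function that confirms an SELinux cause by listing, from audit-log AVC records, the files httpd was denied and the type label on each. The function names and the sample log lines are constructed for illustration; on a live system the input would be /var/log/audit/audit.log.

```shell
#!/bin/sh
# Print "<perms> <file name> <target SELinux type>" once per file that
# SELinux denied to httpd. Reads audit-log lines on stdin.
httpd_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="httpd"/ {
        # Permissions are listed between the braces: { read open }
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        gsub(/ /, ",", perms)
        name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) {
                name = $i; sub(/^name=/, "", name); gsub(/"/, "", name)
            }
            # tcontext is user:role:type:level; the type is what policy checks
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        key = name " " ttype
        if (!(key in seen)) { seen[key] = 1; print perms, name, ttype }
    }'
}

# Constructed sample input (not taken from the page): two denials for the
# same certificate, one for a key file, plus records that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1329157896.101:210): avc:  denied  { read } for  pid=2101 comm="httpd" name="ca.crt" dev=dm-0 ino=393301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1329157896.101:210): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1329157950.442:214): avc:  denied  { read } for  pid=2150 comm="httpd" name="ca.crt" dev=dm-0 ino=393301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1329157960.007:215): avc:  denied  { getattr } for  pid=2300 comm="sshd" name="authorized_keys" dev=dm-0 ino=401122 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1329157990.815:219): avc:  denied  { read } for  pid=2150 comm="httpd" name="ca.key" dev=dm-0 ino=393305 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Demo on the sample; live use (as root):
#   httpd_avc_denials < /var/log/audit/audit.log
sample_audit_log | httpd_avc_denials
```

A type such as user_home_t on a certificate is what moving a file out of a home directory leaves behind, because mv keeps the original label. Running restorecon -v on the path resets it to the policy default.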

Author: skimberk1

Updated on September 18, 2022

Comments

  • skimberk1
    skimberk1 over 1 year

    I'm attempting to install Apache with SSL on CentOS6 to use as a development server.

    I've been following the directions posted here to get SSL working: http://wiki.centos.org/HowTos/Https (Note: Apache was working fine until I attempted to enable SSL.)

    When I got to the part about restarting Apache, the server wouldn't start. I just get the following error:

    [Mon Feb 13 18:31:36 2012] [error] (13)Permission denied: Init: Can't open 
     server certificate file /etc/pki/tls/certs/ca.crt
    

    I saw that the reported certificate was owned by my user and my group, so I changed it to root:root but it made no difference. I'm not sure what else to try or what to look at. Thanks.

    Note: My question is similar to this but the error is different.

    • becomingwisest
      becomingwisest over 12 years
      What is the result of running getenforce? Did you use copy like the docs say when creating the certificate?
    • skimberk1
      skimberk1 over 12 years
      "getenforce" returns "Enforcing"
    • skimberk1
      skimberk1 over 12 years
      Yes, I double checked that it was a copy.
    • skimberk1
      skimberk1 over 12 years
      Christopher -- apparently that was it, in a way. I want to give you credit for the answer. Could you write something along the lines of using the restorecon piece? When you posted that, I recalled that there were directions to run restorecon -RvF /etc/pki. I ran this as a precaution and now the server starts.
  • bishop
    bishop over 9 years
    One might encounter this issue when uploading the key file as a regular user, then using sudo mv (with requisite sudo chown) to install. Safest route is to cat > /path/to/file.crt < /path/to/source.crt.