15

I am enabling SSL on my Apache running on localhost. I generated a self-signed certificate and put it in the usual place:

[david@david web]$ ll /etc/ssl/certs/
...
-rwxrwxrwx. 1 david david    977 Mar  7 13:18 localhost.crt
-rwxrwxrwx. 1 david david    712 Mar  7 13:16 localhost.csr
-rwxrwxrwx. 1 david david    963 Mar  7 13:12 localhost.key

But when I restart Apache, the server fails and I receive the following in the error log:

[Fri Mar 07 13:29:17 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Mar 07 13:29:17 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 07 13:29:17 2014] [error] (13)Permission denied: Init: Can't open server private key file /etc/ssl/certs/localhost.key

The permissions look ok to me, what am I doing wrong?

David Williams

2 Answers

53

This is because you probably uploaded the file(s) first to one of your home directories and then moved them somewhere in the /etc directory. To correct the context of this file, execute the following command:

restorecon -RvF /etc/ssl/certs/

and restart Apache: service httpd restart.

Hope it helps.

Sfblaauw
  • (1) restorecon did the trick for me! I was about to disable SELinux. Upvoted. – krinker Jun 16 '17 at 13:19
  • (3) Thanks! Also "restorecon -RvF /etc/ssl/private/" was necessary for me. – Charles Tempo Aug 16 '19 at 08:48
  • This `restorecon -RvF /etc/ssl/certs/` just rescued me from 7 hours of wasted effort. Thanks for putting this out here. – Peter Jul 30 '20 at 21:36
  • I have to comment even though it's old: you saved me after days of frustration! Thanks. – MatanyaP Jan 05 '22 at 08:53
  • Life saver. I had been struggling since September last year with no luck; I read through the docs and ran `chmod` and `chown` on both cert and key, with no luck either. What troubled me most was that one of the VirtualHosts did not record any error, while the other (using the same key and cert file) couldn't open the key! It didn't even say "permission error", only "can't open" and "failed to config". – jimmymcheung Jan 23 '23 at 22:09
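The accepted answer gives the fix without the diagnosis. Errno 13 in the log is EACCES, and when `ls -l` shows the file as readable the remaining suspect under SELinux is the file's type: under the targeted policy `/etc/ssl` is labelled `cert_t`, which `httpd_t` may read, while a key that was `mv`'d out of a home directory keeps `user_home_t` (a `cp` would have inherited the directory's label, which is why `mv` is the usual trigger). The script below is an added example, not code from the answer or from the question's system: it extracts the type from `ls -lZ` lines, flags anything in the certificate directory that is not `cert_t`, and then, only when explicitly asked, relabels from the policy with `restorecon` and counts fresh AVC denials for `httpd_t`. The `ls -lZ` sample line is constructed, and the `cert_t` expectation assumes the stock targeted policy's file contexts.

```shell
#!/bin/sh
# Added example, not part of the original answer.  Finds files in an Apache
# TLS directory whose SELinux type is not the one the targeted policy assigns
# there, then (on request) relabels from the policy with restorecon.
# Assumption: stock targeted policy, where /etc/ssl and /etc/pki/tls carry
# cert_t and a file mv'd out of a home directory keeps user_home_t.

# Print the SELinux type (third field of user:role:type:level) found on one
# line of `ls -lZ` output; prints nothing if the line carries no context.
# Scans tokens rather than fixed columns so old (no size column) and new
# coreutils layouts both work.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+(:[^ ]*)?$/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Return 0 (true) when the file on this line should be relabelled, i.e. its
# type is not the cert_t the policy assigns under /etc/ssl.
needs_relabel() {
    [ "$(selinux_type_of "$1")" != "cert_t" ]
}

# Run against a live directory: list mislabelled files, show what the
# file_contexts database expects, relabel, then count recent AVC denials
# for httpd_t (zero after a successful restart).  Needs root and the
# policycoreutils/audit tools.
relabel_cert_dir() {
    dir=$1
    ls -lZ "$dir" | while IFS= read -r line; do
        case "$line" in total*) continue ;; esac
        needs_relabel "$line" && echo "mislabelled: $line"
    done
    matchpathcon "$dir"        # label the policy says this path should have
    restorecon -RvF "$dir"     # -F resets the whole context, not just the type
    ausearch -m avc -ts recent 2>/dev/null | grep -c httpd_t || true
}

# Constructed sample of an `ls -lZ` line as it looks after the mv described
# in the question (not captured from a real system).
SAMPLE='-rwxrwxrwx. 1 david david unconfined_u:object_r:user_home_t:s0 963 Mar  7 13:12 localhost.key'
if needs_relabel "$SAMPLE"; then
    echo "sample line has type $(selinux_type_of "$SAMPLE"); restorecon needed"
fi

# Only touch the real filesystem when explicitly asked:
#   RUN_RELABEL=1 sh selinux-cert-check.sh /etc/ssl/certs
if [ "${RUN_RELABEL:-0}" = 1 ]; then
    relabel_cert_dir "${1:-/etc/ssl/certs}"
fi
```

If `matchpathcon` already reports `cert_t` for the directory, no `semanage fcontext` rule is needed; `restorecon` alone is the fix, which is why the answer's one-liner works. Run it for `/etc/ssl/private` as well when the key lives there, as the second comment notes.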
0

David,

I would suggest first to change the permissions and ownership on the key file

Change ownership:

sudo chown root:root localhost.key

Change permissions:

sudo chmod 600 localhost.key

To fix the problem, I needed to remove the passphrase from the key

Remove passphrase:

openssl rsa -in localhost.key -out localhost_nopp.key

After that, just change the SSLCertificateKeyFile parameter to point to localhost_nopp.key and restart Apache.

I am guessing this produces a "clean" file that Apache is now happy to use. Since this appears to be a development/test environment, the assumption is that removing the passphrase will not cause a major security issue.

Thanks,

John

jboles
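Two of the steps in this answer are worth checking before acting on them. Errno 13 in the question's log is EACCES, a permission or label problem; a passphrase-protected key fails differently (mod_ssl prompts for the pass phrase at startup, or uses SSLPassPhraseDialog), so stripping the passphrase addresses a separate symptom. The `chown root:root` / `chmod 600` step is sound on its own: httpd reads its keys as root in the parent process before dropping privileges, and the question's listing shows the key world-readable and world-writable. The script below is an added example, not code from this answer: it tells an encrypted PEM key from an unencrypted one by its headers, flags a key whose mode is wider than owner-only, tightens the mode, and compares the RSA modulus of certificate and key. It assumes PEM files and an RSA key; the demo PEM file is constructed headers only, with no key material.

```shell
#!/bin/sh
# Added example, not from the original answer.  Checks whether a PEM private
# key is passphrase-protected and whether its mode lets anyone but the owner
# read it, then tightens ownership/mode and, optionally, confirms the key
# matches the certificate.  Assumes PEM files and an RSA key.

# Return 0 if the PEM file is encrypted.  Traditional OpenSSL PEM carries a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses the ENCRYPTED PRIVATE KEY armour.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if the group/other bits in the first field of an `ls -l` line are
# anything other than "------", i.e. the key is readable beyond its owner.
mode_is_too_open() {
    perms=$(printf '%s\n' "$1" | awk '{ print substr($1, 5, 6) }')
    [ "$perms" != "------" ]
}

# Make the key root-owned and owner-only (httpd reads it as root before
# dropping privileges) and warn if Apache will need the pass phrase.  Needs
# root.  The openssl line is the answer's own step, printed rather than run
# so the script never silently rewrites key material.
harden_key() {
    key=$1
    chown root:root "$key"
    chmod 600 "$key"
    if key_is_encrypted "$key"; then
        echo "$key is passphrase-protected: set SSLPassPhraseDialog or strip it with:" >&2
        echo "  openssl rsa -in $key -out ${key%.key}_nopp.key" >&2
    fi
}

# Compare the RSA modulus of certificate ($1) and key ($2); a mismatch is
# another reason mod_ssl refuses to start that has nothing to do with
# permissions.  Requires the openssl CLI.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}

# Constructed demo input: armour and headers of an encrypted traditional PEM
# key with no key body (not real key material).
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
              'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
              '-----END RSA PRIVATE KEY-----' > "$demo"
key_is_encrypted "$demo" && echo "demo key would prompt for a pass phrase"
mode_is_too_open '-rwxrwxrwx. 1 david david 963 Mar  7 13:12 localhost.key' \
    && echo "key from the question is world-readable and world-writable"
rm -f "$demo"
```

To apply the answer's fix on a real host: `harden_key /etc/ssl/certs/localhost.key`, then `key_matches_cert /etc/ssl/certs/localhost.crt /etc/ssl/certs/localhost.key` before restarting Apache. If `key_is_encrypted` is false and the mode is already 600, a remaining "Permission denied" points back at the SELinux label rather than at the key file's contents.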