Certificates file permission.

hack3rcon
Posts: 329
Joined: 2014/11/24 11:04:37

Post by hack3rcon » 2019/03/15 07:28:58

Hello,
I generated SSL certificates with the commands below:

Code:

# openssl genrsa -des3 -out web.key 2048
# openssl req -new -key web.key -out web.csr
# openssl x509 -req -days 365 -in web.csr -signkey web.key -out web.com.crt
And in "httpd.conf" I defined the lines below:

Code:

SSLEngine on
SSLCertificateFile /home/web/Key/web.com.crt
SSLCertificateKeyFile /home/web/Key/web.key
And the permission is:

Code:

# ll
drwxrwx---. 2 apache  apache       4096 Mar 15 10:44 Key
But Apache can't start and gives me the error below:

Code:

# cat /var/log/httpd/error_log
[Fri Mar 15 10:51:03.051543 2019] [core:notice] [pid 16574] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 15 10:51:03.052578 2019] [ssl:emerg] [pid 16574] (13)Permission denied: AH02201: Init: Can't open server certificate file /home/web/Key/web.com.crt
[Fri Mar 15 10:51:03.052602 2019] [ssl:emerg] [pid 16574] AH02312: Fatal error initialising mod_ssl, exiting.
How can I solve it?

Thank you.

TrevorH
Forum Moderator
Posts: 25064
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Post by TrevorH » 2019/03/15 07:31:25

Put your certs in /etc/pki/tls/certs not under /home. SELinux thinks it is an attack.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
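
An added example, not part of the thread or written by its posters: a small triage script that matches the "(13)Permission denied" line from the error_log above against SELinux AVC records for the same pid and file name, which separates an SELinux denial from an ordinary file-mode problem. The audit record and its user_home_t label are constructed for illustration; the function names are hypothetical.

```python
import re

# Two lines copied from the error_log quoted in the thread.
ERROR_LOG = """\
[Fri Mar 15 10:51:03.051543 2019] [core:notice] [pid 16574] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Mar 15 10:51:03.052578 2019] [ssl:emerg] [pid 16574] (13)Permission denied: AH02201: Init: Can't open server certificate file /home/web/Key/web.com.crt
"""

# Constructed audit.log record (NOT from the thread): timestamp, serial, inode
# and the user_home_t target label are assumptions made for this example.
AUDIT_LOG = """\
type=AVC msg=audit(1552647063.052:412): avc:  denied  { read } for  pid=16574 comm="httpd" name="web.com.crt" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

EACCES = re.compile(r"\[pid (\d+)\] \(13\)Permission denied: (AH\d+): .*? file (\S+)")
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for\s+pid=(\d+) comm="([^"]+)"'
                 r'(?: name="([^"]+)")?.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def parse_avcs(audit_text):
    """Return one dict per AVC denial, with the SELinux types pulled out of the contexts."""
    out = []
    for m in AVC.finditer(audit_text):
        perms, pid, comm, name, scon, tcon, tclass = m.groups()
        out.append({"perms": perms.split(), "pid": int(pid), "comm": comm,
                    "name": name, "tclass": tclass,
                    "source_type": scon.split(":")[2],
                    "target_type": tcon.split(":")[2]})
    return out

def triage(error_text, audit_text):
    """Label each Apache EACCES line 'selinux' if an AVC denial has the same pid and file name."""
    avcs = parse_avcs(audit_text)
    findings = []
    for m in EACCES.finditer(error_text):
        pid, code, path = int(m.group(1)), m.group(2), m.group(3)
        base = path.rsplit("/", 1)[-1]
        hit = next((a for a in avcs if a["pid"] == pid and a["name"] == base), None)
        findings.append({"path": path, "code": code, "avc": hit,
                         "cause": "selinux" if hit else "dac-or-unknown"})
    return findings

if __name__ == "__main__":
    for f in triage(ERROR_LOG, AUDIT_LOG):
        print(f["code"], f["path"], "->", f["cause"], f["avc"])
```

A "selinux" result with an httpd_t source and a home-directory target type is the situation the reply above describes, and the fix given there is to keep the files under /etc/pki/tls/certs.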

Post by hack3rcon » 2019/03/15 07:41:08

TrevorH wrote:
2019/03/15 07:31:25
Put your certs in /etc/pki/tls/certs not under /home. SELinux thinks it is an attack.
Thank you.
Apache started but I can't browse my website, it shows me "Your connection is not private".
Why?

Post by hack3rcon » 2019/03/15 08:19:12

I can't use self-signed SSL?