[CentOS] httpd ssl problems

Larry Martell larry.martell at gmail.com
Wed Jul 10 17:24:17 UTC 2013


On Wed, Jul 10, 2013 at 10:51 AM, Nemrow, Jason <Jason.Nemrow at enmu.edu> wrote:
> Yep. I disabled SELinux and everything is working now for ssl and apache.  I will have to look later and study up on how to make SELinux work with this setup.

It's always selinux ;-)

If you install the selinux utilities (policycoreutils-python) then you
can use them to set up the security policies. Look in
/var/log/audit/audit.log for the offending lines and then use commands
like this, for example this is what I had to do to allow mysqld to
run:

        sudo audit2allow -a -m mysqld > /tmp/mysqld.te
        sudo checkmodule -M -m /tmp/mysqld.te -o /tmp/mysqld.mod
        sudo semodule_package -o /tmp/mysqld.pp -m /tmp/mysqld.mod
        sudo semodule -i /tmp/mysqld.pp

>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Larry Martell
> Sent: Tuesday, July 09, 2013 3:10 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] httpd ssl problems
>
> On Tue, Jul 9, 2013 at 3:06 PM, Nemrow, Jason <Jason.Nemrow at enmu.edu> wrote:
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of Larry Martell
>> Sent: Tuesday, July 09, 2013 3:00 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] httpd ssl problems
>>
>> On Tue, Jul 9, 2013 at 2:56 PM, Nemrow, Jason <Jason.Nemrow at enmu.edu> wrote:
>>> Not much of a noob, but I will try.
>>>
>>> I just configured httpd and installed mod_ssl and got my certificate from GoDaddy and put them on the server with ssl.conf pointing at them.  I am getting this error:
>>>
>>> SSLCertificateFile: file '/etc/pki/tls/certs/enmu.edu.crt' does not
>>> exist or is empty
>>>
>>> It's a cute error. I have checked several times for misspellings, looked at the enmu.edu.crt file (looks like a cert to me) and I can certify that it is not empty and it most certainly exists. Want some proof? Here...
>>>
>>> [root at itsnv607 ~]# ls -l /etc/pki/tls/certs
>>> total 1224
>>> -rw-r--r--. 1 root   root   571450 Apr  7  2010 ca-bundle.crt
>>> -rw-r--r--. 1 root   root   651083 Apr  7  2010 ca-bundle.trust.crt
>>> -rw-r--r--. 1 apache apache   1874 Jul  9 11:54 enmu.edu.crt
>>> -rwxr-xr-x. 1 root   root     3197 Jul  9 11:54 gd_bundle.crt
>>> -rw-------. 1 root   root     1164 Jul  8 14:33 localhost.crt
>>> -rwxr-xr-x. 1 root   root      610 Feb 21 16:45 make-dummy-cert
>>> -rw-r--r--. 1 root   root     2242 Feb 21 16:45 Makefile
>>> -rwxr-xr-x. 1 root   root     1131 Jul  9 11:52 www.enmu.edu.csr
>>> -rwxr-xr-x. 1 root   root     1708 Jul  9 11:52 www.enmu.edu.key
>>>
>>> Just for fun, I started playing with permissions, just in case that mattered (it didn't). You can see that enmu.edu.crt is there, where it is supposed to be, and is not empty.
>>>
>>> What would cause this error besides what it actually says?
>
>> Permissions on the dir? selinux?
>
>> Well, I don't see a problem with permissions on the directory (the certs directory):
>>
>> [root at itsnv607 ~]# ls -l /etc/pki/tls
>> total 24
>> lrwxrwxrwx. 1 root root    19 Jul  8 14:31 cert.pem -> certs/ca-bundle.crt
>> drwxr-xr-x. 2 root root  4096 Jul  9 12:57 certs
>> drwxr-xr-x. 2 root root  4096 Jul  8 14:32 misc
>> -rw-r--r--. 1 root root 10906 Oct 12  2012 openssl.cnf
>> drwxr-xr-x. 2 root root  4096 Jul  8 14:33 private
>>
>> I am reading up on SELinux to see if it's mucking things up...
>
> As a quick test you can disable it and see if that fixes it.
>
> echo 0 >/selinux/enforce
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



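The step "look in /var/log/audit/audit.log for the offending lines", as an added example that is not part of the original thread: a read-only summary of AVC denials grouped the way an `allow` rule is written, useful for reviewing what a generated module would permit before loading it. The audit records are constructed, and the SELinux types in them (`admin_home_t`, `default_t`) are assumptions, not values reported by anyone in the thread.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials as candidate allow rules.
# The sample records are constructed for illustration; their labels
# (admin_home_t, default_t, ...) are assumptions, not from the thread.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1373390000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="enmu.edu.crt" dev=dm-0 ino=131099 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1373390000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1373390001.500:457): avc:  denied  { open } for  pid=2345 comm="httpd" name="enmu.edu.crt" dev=dm-0 ino=131099 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1373390050.010:460): avc:  denied  { write } for  pid=3000 comm="mysqld" name="data" dev=dm-0 ino=200 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1373390060.010:461): avc:  granted  { setenforce } for  pid=3100 comm="bash" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Reads audit records on stdin and prints one "allow" line per
# (source type, target type, class), merging the denied permissions.
avc_summary() {
  awk '
    $1 == "type=AVC" && / denied / {
      # Permission list sits between the braces: "{ read open }"
      perms = $0; sub(/^.*[{] /, "", perms); sub(/ [}].*$/, "", perms)
      st = tt = cls = ""
      for (i = 1; i <= NF; i++) {
        # Context is user:role:type:level, so the type is field 3
        if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = st " " tt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; set[key] = set[key] " " p[j] }
    }
    END { for (k in set) printf "allow %s {%s };\n", k, set[k] }
  ' | sort
}

sample_audit_log | avc_summary
```

On a real host, feed it the log with `sudo cat /var/log/audit/audit.log | avc_summary`. A target type that looks wrong for the file's location usually means the file is mislabelled, and `restorecon` on that path is a narrower fix than loading a module that grants the domain access to that type everywhere.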