When I set the SSL self-signed certificate in Apache, there was a clogged part, so I will leave it as a memorandum.
First, issue a certificate with the following command.
openssl ecparam -name prime256v1 -genkey -out server.key
openssl req -new -key server.key > server.csr
openssl ca -in server.csr -out server.crt
Move the created certificate and private key.
mv server.crt /etc/httpd/conf/ssl.crt/server.crt
mv server.key /etc/httpd/conf/ssl.key/server.key
Specify the storage location of the certificate and private key.
vi /etc/httpd/conf.d/ssl.conf
--snip--
<VirtualHost *:443>
--snip--
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
--snip--
An error occurs when restarting.
systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Looking at journalctl -xe gives no information. .. .. Checking / var / log / httpd / error_log gives a Permission related error. Apparently SELINUX is bad.
/var/log/httpd/error_log
[Thu Apr 02 10:02:29.534751 2020] [ssl:emerg] [pid 19565] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Apr 02 10:02:33.453638 2020] [core:notice] [pid 19576] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Apr 02 10:02:33.455370 2020] [suexec:notice] [pid 19576] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 02 10:02:33.455600 2020] [ssl:emerg] [pid 19576](13)Permission denied: AH02201: Init: Can't open server certificate file /etc/httpd/conf/ssl.crt/wild_server.crt
After investigating, it seems that SELinux's security policy does not give each file an appropriate label. You can check the label with the "ll -Z" command.
[root@149_centos ssl.key]# ll -Z
-rwxrwxrwx. hoge hoge unconfined_u:object_r:user_home_t:s0 wild_server.key
Relabel this with the "restorecon" command.
[root@149_centos ssl.key]# restorecon wild_server.key
[root@149_centos ssl.key]#
[root@149_centos ssl.key]# ll -Z
-rwxrwxrwx. hoge hoge unconfined_u:object_r:httpd_config_t:s0 wild_server.key
As a result, it restarted normally with the "systemctl restart httpd.service" command, and SSL was established.
Recommended Posts