[LINUX] When I try to make Apache SSL, it doesn't start.

1.First of all

When I set the SSL self-signed certificate in Apache, there was a clogged part, so I will leave it as a memorandum.

2. Creating a certificate

First, issue a certificate with the following command.

openssl ecparam -name prime256v1 -genkey -out server.key
openssl req -new -key server.key > server.csr
openssl ca -in server.csr -out server.crt

Move the created certificate and private key.

mv server.crt /etc/httpd/conf/ssl.crt/server.crt
mv server.key /etc/httpd/conf/ssl.key/server.key

3. Change settings

Specify the storage location of the certificate and private key.

vi /etc/httpd/conf.d/ssl.conf
--snip--
<VirtualHost *:443>
--snip--
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
--snip--

4. Restart Apache

An error occurs when restarting.

systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Looking at journalctl -xe gives no information. .. .. Checking / var / log / httpd / error_log gives a Permission related error. Apparently SELINUX is bad.

/var/log/httpd/error_log


[Thu Apr 02 10:02:29.534751 2020] [ssl:emerg] [pid 19565] AH02312: Fatal error initialising mod_ssl, exiting.
[Thu Apr 02 10:02:33.453638 2020] [core:notice] [pid 19576] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Apr 02 10:02:33.455370 2020] [suexec:notice] [pid 19576] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 02 10:02:33.455600 2020] [ssl:emerg] [pid 19576](13)Permission denied: AH02201: Init: Can't open server certificate file /etc/httpd/conf/ssl.crt/wild_server.crt

After investigating, it seems that SELinux's security policy does not give each file an appropriate label. You can check the label with the "ll -Z" command.

[[email protected]_centos ssl.key]# ll -Z
-rwxrwxrwx. hoge hoge unconfined_u:object_r:user_home_t:s0 wild_server.key

Relabel this with the "restorecon" command.

[[email protected]_centos ssl.key]# restorecon wild_server.key
[[email protected]_centos ssl.key]#
[[email protected]_centos ssl.key]# ll -Z
-rwxrwxrwx. hoge hoge unconfined_u:object_r:httpd_config_t:s0 wild_server.key

As a result, it restarted normally with the "systemctl restart httpd.service" command, and SSL was established.

Recommended Posts

When I try to make Apache SSL, it doesn't start.
When I try to push with heroku, it doesn't work
I started, but it doesn't start!
When I try to use pip, SSL module is not available.
When I try to go back using chainer, it fits a little
When I try matplotlib in Python, it says'cairo.Context'
I introduced black to vscode, but it doesn't autoformat
I tried to make the phone ring when it was posted at the IoT post
Try to make it using GUI and PyQt in Python
When I try to connect to MySQL with mysql-connector-python, I cannot connect with the error "SSL connection error: SSL_CTX_set_tmp_dh failed"
I wrote Django commands to make it easier to debug Celery tasks
A memorandum when I tried to get it automatically with selenium
What I did when I wanted to make Python faster -Numba edition-
When I tried to run Python, it was skipped to the Microsoft Store
I tried to make a calculator with Tkinter so I will write it
When I try to upgrade pip, I get an infinite loop after failing to upgrade
[Zaif] I tried to make it easy to trade virtual currencies with Python
I refactored "I tried to make Othello AI when programming beginners studied python"
Gorilla judgment machine, gorilla! !! Tried to make it!
Try to make a kernel of Jupyter
What I referred to when studying tkinter
How to enable SSL (TLS) in Apache
I want to make an automation program!
I tried to make a Web API
Try to make something like C # LINQ
When I tried to change the root password with ansible, I couldn't access it.
When I tried to create a virtual environment with Python, it didn't work
When I try to use Jupiter notebook on Mac, I can only select python2
I tried my best to make an optimization function, but it didn't work.
I referred to it when I got stuck in the django geodjango tutorial (editing)
I set up TensowFlow and was addicted to it, so make a note
When I try to divide with Bert Japanese Tokenizer of Hugging Face, it fails with initializing of MeCab or even with encode.