When I set up a self-signed SSL certificate in Apache, I got stuck at one point, so I am leaving this as a memo.
First, issue a certificate with the following commands.

    openssl ecparam -name prime256v1 -genkey -out server.key
    openssl req -new -key server.key > server.csr
    openssl ca -in server.csr -out server.crt

Move the created certificate and private key.

    mv server.crt /etc/httpd/conf/ssl.crt/server.crt
    mv server.key /etc/httpd/conf/ssl.key/server.key

Specify the storage location of the certificate and private key.

    vi /etc/httpd/conf.d/ssl.conf

    --snip--
    <VirtualHost *:443>
    --snip--
    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    --snip--

An error occurs when restarting.

    systemctl restart httpd.service
    Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Looking at journalctl -xe gives no information. Checking /var/log/httpd/error_log shows a permission-related error. Apparently SELinux is the cause.

    [Thu Apr 02 10:02:29.534751 2020] [ssl:emerg] [pid 19565] AH02312: Fatal error initialising mod_ssl, exiting.
    [Thu Apr 02 10:02:33.453638 2020] [core:notice] [pid 19576] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
    [Thu Apr 02 10:02:33.455370 2020] [suexec:notice] [pid 19576] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Thu Apr 02 10:02:33.455600 2020] [ssl:emerg] [pid 19576](13)Permission denied: AH02201: Init: Can't open server certificate file /etc/httpd/conf/ssl.crt/wild_server.crt

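After investigating, it seems the files do not have the label that SELinux's security policy expects for them. mv keeps the label a file already has, so a file created under a home directory still carries user_home_t after the move. You can check the label with the "ll -Z" command.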

    [[email protected]_centos ssl.key]# ll -Z
    -rwxrwxrwx. hoge hoge unconfined_u:object_r:user_home_t:s0 wild_server.key

Relabel this with the "restorecon" command.

    [[email protected]_centos ssl.key]# restorecon wild_server.key
    [[email protected]_centos ssl.key]#
    [[email protected]_centos ssl.key]# ll -Z
    -rwxrwxrwx. hoge hoge unconfined_u:object_r:httpd_config_t:s0 wild_server.key

As a result, httpd restarted normally with the "systemctl restart httpd.service" command, and SSL worked.
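
The label check from this memo as a small script, added here as an example and not part of the original memo. It also reports the file mode, since the listings show the private key as -rwxrwxrwx both before and after restorecon. The function name audit_line is hypothetical, and the expected type is an assumption passed in by the caller.

```sh
#!/bin/sh
# Added example: audit lines of `ls -Z` output (CentOS 7 layout:
# mode owner group context name) for certificate and key files.

# audit_line EXPECTED_TYPE LINE
# Prints one finding per problem, nothing when the line is clean.
# EXPECTED_TYPE is an assumption supplied by the caller: httpd_config_t is
# the type restorecon applied in the memo; on a real host the expected
# context can be read from the output of `matchpathcon <path>`.
audit_line() (
    expected=$1
    read -r mode owner group context name <<EOF
$2
EOF
    se_type=${context#*:}     # drop the SELinux user
    se_type=${se_type#*:}     # drop the role
    se_type=${se_type%%:*}    # drop the level, leaving the type

    if [ "$se_type" != "$expected" ]; then
        echo "$name: type $se_type, expected $expected (restorecon -v $name)"
    fi
    case $name in
        *.key)
            # Mode characters 5-10 are the group and other permission bits.
            case $mode in
                ????------*) ;;
                *) echo "$name: mode $mode gives group/other access to the private key (chmod 600 $name)" ;;
            esac ;;
    esac
)

# The two listings from the memo: before and after restorecon.
audit_line httpd_config_t '-rwxrwxrwx. hoge hoge unconfined_u:object_r:user_home_t:s0 wild_server.key'
audit_line httpd_config_t '-rwxrwxrwx. hoge hoge unconfined_u:object_r:httpd_config_t:s0 wild_server.key'
```

The first call reports both the user_home_t label and the open file mode; the second reports only the mode, which restorecon does not change.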