SELinux is preventing /usr/sbin/httpd from getattr access after switching to self signed cert

doapydave asked:

I recently created my own CA and issued my first root cert, then intermediate, then finally a server cert/key/chain for apache.

When i switch from the letsencrypt certs added with certbot to the self generated certs, apache fails to start with:

Dec 20 07:52:07 test setroubleshoot[4859]: SELinux is preventing
/usr/sbin/httpd from getattr access on the file

I’m wondering if maybe its some of the letsencrypt defaults causing me headaches or is it simply that the certs dont trace back to a registered CA?

I’ve read that i could disable SELinux but I think it would be better to find a solution that allowed me to leave SELinux alone.

Thanks for any pointers.

My answer:

SELinux does not allow Apache to access anything in the /root directory, full stop. It doesn’t matter if it’s certificates, web site static files, or anything else.

To solve the problem, copy the certificate files into appropriate directories under /etc/pki/tls.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.