SELinux is preventing /usr/sbin/httpd from getattr access after switching to self signed cert

doapydave asked:

I recently created my own CA and issued my first root cert, then intermediate, then finally a server cert/key/chain for apache.

When I switch from the letsencrypt certs added with certbot to the self generated certs, apache fails to start with:

Dec 20 07:52:07 test setroubleshoot[4859]: SELinux is preventing
/usr/sbin/httpd from getattr access on the file
/root/ca/intermediate/certs/www.inthingslimited.com

I’m wondering if maybe it’s some of the letsencrypt defaults causing me headaches or is it simply that the certs don’t trace back to a registered CA?

I’ve read that I could disable SELinux but I think it would be better to find a solution that allowed me to leave SELinux alone.

Thanks for any pointers.

My answer:


SELinux does not allow Apache to access anything in the /root directory, full stop. It doesn’t matter if it’s certificates, web site static files, or anything else.

To solve the problem, copy the certificate files into appropriate directories under /etc/pki/tls.
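
One way to carry out the copy described above, as an added example that is not part of the original answer. The function names, the PREFIX override and the file names passed in are assumptions; the certs/ and private/ subdirectories are the conventional layout under /etc/pki/tls.

```shell
#!/bin/sh
# Added example (not from the original answer): copy a server certificate,
# key and chain out of a private CA directory into /etc/pki/tls.

# install_tls_files CERT KEY CHAIN [PREFIX]
# PREFIX defaults to /etc/pki/tls; override it to rehearse in a scratch dir.
install_tls_files() {
    cert=$1 key=$2 chain=$3 prefix=${4:-/etc/pki/tls}

    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done

    # mkdir -p leaves existing system directories and their modes untouched.
    mkdir -p "$prefix/certs" "$prefix/private" || return 1

    # Copy, do not move: a file moved on the same filesystem keeps the
    # SELinux label it had under /root, while a newly created copy takes
    # the default label of its destination directory.
    install -m 0644 "$cert"  "$prefix/certs/"   || return 1
    install -m 0644 "$chain" "$prefix/certs/"   || return 1
    install -m 0600 "$key"   "$prefix/private/" || return 1

    # Reset labels to the policy defaults where SELinux is active.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$prefix/certs" "$prefix/private" ||
            echo "warning: restorecon failed, check labels by hand" >&2
    fi
}

# report_labels [PREFIX]: list the installed files with their SELinux context.
report_labels() {
    prefix=${1:-/etc/pki/tls}
    ls -lZ "$prefix/certs" "$prefix/private"
}
```

After the copy, point SSLCertificateFile, SSLCertificateKeyFile and the chain directive in the Apache configuration at the new paths and restart httpd.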


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.