
SSL Certificate on NGINX fails to load

Tags: nginx, ssl

I am trying to install an SSL certificate that I obtained from GoDaddy onto my NGINX server. I am positive I have all of the paths correct and from what I understand my server configuration is correct, but still I get the following error.

Feb 20 11:06:35 my.server.com nginx[6173]: nginx: [emerg] cannot load certificate "/etc/ssl/certs/certificate.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/certs/certificate.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
Feb 20 11:00:01 my.server.com nginx[5969]: nginx: configuration file /etc/nginx/nginx.conf test failed

Below is my SSL configuration. I have placed this into a file at the path /etc/nginx/conf.d/ssl.conf.

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  my.server.com;
    root         /usr/share/nginx/html;

    ssl_certificate /etc/ssl/certs/certificate.crt;
    ssl_certificate_key /etc/ssl/private/private.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://[MY_IP_ADDRESS]:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

This looks to be a permissions issue, but I have run chown to change the permissions to the root user, and I have changed the file permission to 600 via chmod. Is this not correct? Can someone please give me some guidance on how to resolve this issue?

** UPDATE **

I did check and found that the SSL certs were not owned by the root user. I've modified all SSL files to be owned by the root owner and group, and changed the file permissions to 600 and I've tried 700. I get the output below when I run sudo ls -l:

-rwx------. 1 root root 7072 Feb 20 10:41 my.server.com.chained.crt
-rwx------. 1 root root 2277 Feb 20 10:36 my.server.com.crt
-rwx------. 1 root root 4795 Feb 20 10:39 intermediate.crt

I am still getting the same error though. I've also tried both the normal cert and the full chain cert. Does anyone have an idea what is going on?

miken.mkndev asked Feb 20 '20 11:02


1 Answer

I finally solved my issue. Turns out when I moved the files (mv) it changed the security context of the files, and thus made them unreadable to nginx. I resolved the issue by running the following command on my root nginx folder.

restorecon -v -R /etc/nginx

I found this from this post.

Thanks for all the help!

miken.mkndev answered Nov 08 '22 15:11
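
Added example, not part of the original question or answer: a read-only check for the cause identified in the answer, comparing a file's current SELinux type with the type the loaded policy assigns to its path before `restorecon` is run. It assumes GNU `stat` and `matchpathcon` are installed; the function names and the sample contexts (`user_home_t`, `cert_t`, `other.crt`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the policy default.

# Print the type field (third colon-separated field) of a context string
# such as "unconfined_u:object_r:user_home_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Args: path, current context, policy-default context.
# Returns 0 when the types agree; prints a finding and returns 1 otherwise.
compare_context() {
    actual=$(selinux_type "$2")
    expected=$(selinux_type "$3")
    [ "$actual" = "$expected" ] && return 0
    printf 'MISLABELED %s: type %s, policy default %s\n' "$1" "$actual" "$expected"
    return 1
}

# Check real files on an SELinux host (read-only, changes nothing).
# stat -c %C prints the file's current context; matchpathcon -n prints the
# context the loaded policy assigns to that path.
check_paths() {
    rc=0
    for p in "$@"; do
        cur=$(stat -c %C "$p") || { rc=2; continue; }
        def=$(matchpathcon -n "$p") || { rc=2; continue; }
        compare_context "$p" "$cur" "$def" || rc=1
    done
    return "$rc"
}

# Constructed sample contexts: the first file was moved with mv and kept the
# label of its old location; the second carries the directory's default label.
demo() {
    compare_context /etc/ssl/certs/certificate.crt \
        unconfined_u:object_r:user_home_t:s0 system_u:object_r:cert_t:s0 ||
        echo '  fix: restorecon -v /etc/ssl/certs/certificate.crt'
    compare_context /etc/ssl/certs/other.crt \
        system_u:object_r:cert_t:s0 system_u:object_r:cert_t:s0
}

# With arguments, check those paths; without, run the constructed demo.
if [ "$#" -gt 0 ]; then check_paths "$@"; else demo; fi
```

Run it as root with the certificate and key paths as arguments; exit status 1 means at least one file carries a type other than the policy default.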