In this blog post, we will discuss how to resolve an SSL certificate loading issue on an NGINX server. The issue occurs when trying to install an SSL certificate obtained from GoDaddy, resulting in the following error:
Feb 20 11:06:35 my.server.com nginx[6173] : nginx: [emerg]
cannot load certificate "/etc/ssl/certs/certificate.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/certs/certificate.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
Feb 20 11:00:01 my.server.com nginx[5969] : nginx: configuration file /etc/nginx/nginx.conf test failed
Understanding the Issue
This error appears to be a permissions issue, although the paths and server configuration seem to be correct. After changing the permissions to the root user and modifying the file permission to 600 using chmod, the issue still persists. To resolve this issue, we will investigate the server’s SSL configuration and the steps that were taken.
SSL Configuration
The SSL configuration is located in a file at the path /etc/nginx/conf.d/ssl.conf. The configuration file includes details about the SSL certificate and key paths, as well as other settings related to the server:
server {
...
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;
...
}
Checking the Permissions
First, ensure that the SSL certificate files are owned by the root user and group. The file permissions should be set to either 600 or 700. You can check the permissions using the sudo ls -l command:
-rwx------. 1 root root 7072 Feb 20 10:41 my.server.com.chained.crt -rwx------. 1 root root 2277 Feb 20 10:36 my.server.com.crt -rwx------. 1 root root 4795 Feb 20 10:39 intermediate.crt
Despite these changes, the error may still persist. So, what could be the cause?
The Solution: SELinux and Security Context
The issue could be related to SELinux and the security context of the files. When the SSL certificate files were moved (using mv), their security context changed, making them unreadable by NGINX. To resolve this issue, run the following command on the root NGINX folder:
restorecon -v -R /etc/nginx
This command restores the security context of the files, allowing NGINX to read them correctly and load the SSL certificate without any errors.
Conclusion
When encountering SSL certificate loading issues on an NGINX server, it’s essential to check the permissions and security context of the files involved. If SELinux is enabled, restoring the security context of the files using the restorecon command can resolve the issue. By following these steps, you can successfully install and load an SSL certificate on your NGINX server and ensure secure connections for your users.
Always remember to double-check your configurations and be prepared to investigate potential causes when encountering issues like this.
