The blogger today plans to configure a multi-certificate Apache so that multiple domain names can be accessed via https://***. According to the online tutorial, just add multiple < VirtualHost *:443> You can do that. But restarting HTTPD always prompts:
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Journalctl-xe examines with the command:
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed.
polkitd[475]: Registered Authentication Agent for unix-process:7076:2357584 (system bus name :1.219 [/usr/bin/pkttyagent -.....
It’s hard to see what’s wrong (at this point the blogger doesn’t know that HTTPD has an error_log, face-covering)
After a long time, I finally opened /var/log/ HTTPD /error_log
AH02312: Fatal error initialising mod_ssl, exiting.
SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Permission denied: AH02201: Init: Can't open server certificate file
When the blogger saw this error message, he immediately understood that it was SELinux!! A lot of potholes on the SELinux before. So the first thing that comes to mind is that the SSL certificate file, the private key file, is not in the right context. Turning SELinux off directly would certainly solve the problem. But this is just a once-and-for-all approach that will cause more problems.
The solution
Three files are required to configure SSL:
2_domain.com.crt
3_domain.com.key
1_root_bundle.crt
Let’s say they’re all under /usr/local/apache/conf/
cd /usr/local/apache/conf/
Displays the current context of each file
ll -Z
Change context
chcon -u system_u -r object_r -t cert_t 1_root_bundle.crt
chcon -u system_u -r object_r -t cert_t 2_domain.com.crt
chcon -u system_u -r object_r -t cert_t 3_domain.com.key
The context configuration is not unique. If this setting doesn’t work, try something else.