On Sun, Apr 23, 2023 at 6:53 PM Jeffrey Walton <noloader(a)gmail.com> wrote:
On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan
<pocallaghan(a)gmail.com> wrote:
>
> On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > > Webroot authentication is pretty simple, what trips most people up
> > > is
> > > it puts it in a dot directory /.well-known/acme-challenge/ and a
> > > lot
> > > of open source packages include Apache rules that block dotfiles
> > > with
> > > errors to hide these files so see if you have any rules like that
> > > or
> > > specifically whitelist that path.
> >
> > Access to files named like them is still allowed, they're just not
> > shown in automatic directory listings in the browser.
> >
> > Specific files like .htaccess and .htpasswd ought to be blocked.
>
> I had a look at /var/log/httpd/error_log and found this:
>
> httpd: could not open error log file /var/www/bree.org.uk/error.log
>
> I rechecked and that file definitely exists and is writable by root
> (which httpd runs as). However a suspicion arose and I decided to turn
> off SElinux and reload.
>
> And it worked. Not only that, but certbot worked as well:
>
> # httpd -t -D DUMP_VHOSTS
> VirtualHost configuration:
> *:80 bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
> *:443 is a NameVirtualHost
> default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)
>
> I'm well aware that you had mentioned SElinux earlier, and I had
> definitely done tests having turned it off, but clearly I missed
> something.
>
> I may have caused the problem by changing ownership of some files to
> apache:apache without considering their SElinux context. For the time
> being I'm keeping setenforce=0 until I can figure this out (suggestions
> are of course welcome).
>
> Effusive thanks to the multiple people who chipped in with ideas.
I imagine Apache should work out-of-the-box with Fedora. I would be
surprised if Fedora shipped a broken one.
This is an unusual place:
> httpd: could not open error log file
> /var/www/bree.org.uk/error.log
I don't think that will work.
Move the log file to /var/log, relabel your filesystem, and then reboot:
sudo fixfiles -B onboot
And to expand on this... Under SELinux, the log location needs a
httpd_log_t context:
# ls -AlZ /var/log/ | grep -i -E 'apache|nginx'
drwx--x--x. 2 root root system_u:object_r:httpd_log_t:s0
4096 Apr 10 20:00 nginx
Relabeling should fix it.
Jeff