On Sun, Apr 23, 2023 at 6:53 PM Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
> On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan
> <pocallaghan@xxxxxxxxx> wrote:
> >
> > On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> > > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > > > Webroot authentication is pretty simple, what trips most people up
> > > > is
> > > > it puts it in a dot directory /.well-known/acme-challenge/ and a
> > > > lot
> > > > of open source packages include Apache rules that block dotfiles
> > > > with
> > > > errors to hide these files so see if you have any rules like that
> > > > or
> > > > specifically whitelist that path.
> > >
> > > Access to files named like them is still allowed, they're just not
> > > shown in automatic directory listings in the browser.
> > >
> > > Specific files like .htaccess and .htpasswd ought to be blocked.
> >
> > I had a look at /var/log/httpd/error_log and found this:
> >
> > httpd: could not open error log file /var/www/bree.org.uk/error.log
> >
> > I rechecked and that file definitely exists and is writable by root
> > (which httpd runs as). However a suspicion arose and I decided to turn
> > off SElinux and reload.
> >
> > And it worked. Not only that, but certbot worked as well:
> >
> > # httpd -t -D DUMP_VHOSTS
> > VirtualHost configuration:
> > *:80 bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
> > *:443 is a NameVirtualHost
> > default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> > port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> > port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)
> >
> > I'm well aware that you had mentioned SElinux earlier, and I had
> > definitely done tests having turned it off, but clearly I missed
> > something.
> >
> > I may have caused the problem by changing ownership of some files to
> > apache:apache without considering their SElinux context. For the time
> > being I'm keeping setenforce=0 until I can figure this out (suggestions
> > are of course welcome).
> >
> > Effusive thanks to the multiple people who chipped in with ideas.
>
> I imagine Apache should work out-of-the-box with Fedora. I would be
> surprised if Fedora shipped a broken one.
>
> This is an unusual place:
>
> > httpd: could not open error log file
> > /var/www/bree.org.uk/error.log
>
> I don't think that will work.
>
> Move the log file to /var/log, relabel your filesystem, and then reboot:
>
> sudo fixfiles -B onboot
And to expand on this... Under SELinux, the log location needs a
httpd_log_t context:
# ls -AlZ /var/log/ | grep -i -E 'apache|nginx'
drwx--x--x. 2 root root system_u:object_r:httpd_log_t:s0
4096 Apr 10 20:00 nginx
Relabeling should fix it.
Jeff
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
