On Sun, 2023-04-23 at 18:58 -0400, Jeffrey Walton wrote: > On Sun, Apr 23, 2023 at 6:53 PM Jeffrey Walton <noloader@xxxxxxxxx> > wrote: > > > > On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan > > <pocallaghan@xxxxxxxxx> wrote: > > > > > > On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote: > > > > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote: > > > > > Webroot authentication is pretty simple, what trips most > > > > > people up > > > > > is > > > > > it puts it in a dot directory /.well-known/acme-challenge/ > > > > > and a > > > > > lot > > > > > of open source packages include Apache rules that block > > > > > dotfiles > > > > > with > > > > > errors to hide these files so see if you have any rules like > > > > > that > > > > > or > > > > > specifically whitelist that path. > > > > > > > > Access to files named like them is still allowed, they're just > > > > not > > > > shown in automatic directory listings in the browser. > > > > > > > > Specific files like .htaccess and .htpasswd ought to be > > > > blocked. > > > > > > I had a look at /var/log/httpd/error_log and found this: > > > > > > httpd: could not open error log file > > > /var/www/bree.org.uk/error.log > > > > > > I rechecked and that file definitely exists and is writable by > > > root > > > (which httpd runs as). However a suspicion arose and I decided to > > > turn > > > off SElinux and reload. > > > > > > And it worked. Not only that, but certbot worked as well: > > > > > > # httpd -t -D DUMP_VHOSTS > > > VirtualHost configuration: > > > *:80 bree.org.uk > > > (/etc/httpd/conf.d/bree.conf:1) > > > *:443 is a NameVirtualHost > > > default server bree.org.uk (/etc/httpd/conf.d/bree-le- > > > ssl.conf:2) > > > port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree- > > > le-ssl.conf:2) > > > port 443 namevhost bree.org.uk > > > (/etc/httpd/conf.d/ssl.conf:56) > > > > > > I'm well aware that you had mentioned SElinux earlier, and I had > > > definitely done tests having turned it off, but clearly I missed > > > something. > > > > > > I may have caused the problem by changing ownership of some files > > > to > > > apache:apache without considering their SElinux context. For the > > > time > > > being I'm keeping setenforce=0 until I can figure this out > > > (suggestions > > > are of course welcome). > > > > > > Effusive thanks to the multiple people who chipped in with ideas. > > > > I imagine Apache should work out-of-the-box with Fedora. I would be > > surprised if Fedora shipped a broken one. > > > > This is an unusual place: > > > > > httpd: could not open error log file > > > /var/www/bree.org.uk/error.log > > > > I don't think that will work. > > > > Move the log file to /var/log, relabel your filesystem, and then > > reboot: > > > > sudo fixfiles -B onboot > > And to expand on this... Under SELinux, the log location needs a > httpd_log_t context: > > # ls -AlZ /var/log/ | grep -i -E 'apache|nginx' > drwx--x--x. 2 root root system_u:object_r:httpd_log_t:s0 > 4096 Apr 10 20:00 nginx > > Relabeling should fix it. I've done that (i.e. moved things back to the more usual /var/www and /var/log directories, and relabelled. Seems to work now. I had originally been following an online guide which gave the more complicated setup rather than the default. That'll teach me to run before I can walk. Thanks poc _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
