Re: Certbot error - SOLVED (?)

2023-04-24 Thread Patrick O'Callaghan
On Mon, 2023-04-24 at 10:44 -0700, Samuel Sieb wrote:
> On 4/24/23 05:51, Tim via users wrote:
> > That site's whole bit about sites-available and sites-enabled, with
> > symlinking, is a rat's nest of directories that I've never
> > encountered
> > before.  We already have an /etc/httpd/conf.d/ that can hold all
> > extra
> > config files.  And you can easily create an extra conf.disabled
> > directory, or rename them to not end in .conf, if you want to shift
> > a
> > config file and see how things work without it.
> 
> That's the debian style apache config.  You configure sites in one 
> directory and then they are activated by symlinking into the other
> one.

I assume the author took a Debian guide and made some adjustments for
Fedora without thinking it through.

poc
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Certbot error - SOLVED (?)

2023-04-24 Thread Patrick O'Callaghan
On Mon, 2023-04-24 at 12:27 -0400, Jeffrey Walton wrote:
> > Why? Because being unfamiliar with Apache (and Certbot) I was
> > foolishly
> > following an online step-by-step guide:
> > 
> > https://www.linuxshelltips.com/install-apache-fedora-linux/
> > 
> > I've since seen the error of my ways and it seems to be working
> > now.
> 
> Yeah, first try Fedora docs at docs.fedoraproject.org. They are
> updated regularly. If you have a problem, then ask about it.
> 
>    
> https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-apache-http-server/
> 
> Avoid off-site answers. Oftentimes it's just dev2dev answers, with
> some dev posting what worked for him when following someone else's
> article.

Thanks.

poc


Re: Certbot error - SOLVED (?)

2023-04-24 Thread Samuel Sieb

On 4/24/23 05:51, Tim via users wrote:

That site's whole bit about sites-available and sites-enabled, with
symlinking, is a rat's nest of directories that I've never encountered
before.  We already have an /etc/httpd/conf.d/ that can hold all extra
config files.  And you can easily create an extra conf.disabled
directory, or rename them to not end in .conf, if you want to shift a
config file and see how things work without it.


That's the debian style apache config.  You configure sites in one 
directory and then they are activated by symlinking into the other one.



Re: Certbot error - SOLVED (?)

2023-04-24 Thread Jeffrey Walton
On Mon, Apr 24, 2023 at 5:14 AM Patrick O'Callaghan wrote:
>
> On Sun, 2023-04-23 at 14:56 -0700, Samuel Sieb wrote:
> > On 4/23/23 14:50, Patrick O'Callaghan wrote:
> > > I had a look at /var/log/httpd/error_log and found this:
> > >
> > >  httpd: could not open error log file
> > > /var/www/bree.org.uk/error.log
> > >
> > > I rechecked and that file definitely exists and is writable by root
> > > (which httpd runs as). However a suspicion arose and I decided to
> > > turn
> > > off SElinux and reload.
> >
> > As someone else mentioned, why are you writing logs to the web server
> > data directory?  There's a directory (/var/log/httpd) that's already
> > intended for that.  The file context is most likely going to be
> > wrong,
> > which is why selinux is (rightly) blocking it.
>
> Why? Because being unfamiliar with Apache (and Certbot) I was foolishly
> following an online step-by-step guide:
>
> https://www.linuxshelltips.com/install-apache-fedora-linux/
>
> I've since seen the error of my ways and it seems to be working now.

Yeah, first try Fedora docs at docs.fedoraproject.org. They are
updated regularly. If you have a problem, then ask about it.


https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-apache-http-server/

Avoid off-site answers. Oftentimes it's just dev2dev answers, with
some dev posting what worked for him when following someone else's
article.

Jeff


Re: Certbot error - SOLVED (?)

2023-04-24 Thread Patrick O'Callaghan
On Mon, 2023-04-24 at 22:21 +0930, Tim via users wrote:
> Samuel Sieb:
> > > As someone else mentioned, why are you writing logs to the web
> > > server
> > > data directory?  There's a directory (/var/log/httpd) that's
> > > already
> > > intended for that.  The file context is most likely going to be
> > > wrong, which is why selinux is (rightly) blocking it.
> 
> Patrick O'Callaghan:
> > Why? Because being unfamiliar with Apache (and Certbot) I was
> > foolishly
> > following an online step-by-step guide:
> > 
> > https://www.linuxshelltips.com/install-apache-fedora-linux/
> > 
> > I've since seen the error of my ways and it seems to be working
> > now.
> 
> I'm a bit surprised at that site's recommendations.  It's quite
> different from info I've read before, and how the default Apache
> install on Fedora is set up.  My guess is that they've followed some
> other example, and then just put "Fedora" into the text in a few key
> places.  It's surprising it doesn't also say, first switch off
> SELinux.
> 

Yes, it's that most dangerous thing: *nearly* right.

> [...]

> The *default* site being what's served if you don't request a site by
> a recognised hostname.  But if you only have ONE site, it could be
> the default one.)
> 
That's probably related to Certbot wanting a virtual host.

> Other examples suggest schemes like this:
> 
> /var/www/html/  (the default site)
> /var/www/now-to-eat-pizza/  (one of your virtual sites)
> /var/www/exercising-your-pet-rock/  (another of your virtual sites)
> 
> The whole /var/www/ is a bit odd, too.  It's probably no more
> variable
> content than your own personal files.  Other instructions advise
> websites should be served from /srv/
> 
> There's all sorts of very different example suggestions, and some of
> them are bad advice.

I see that.

poc


Re: Certbot error - SOLVED (?)

2023-04-24 Thread Tim via users
Samuel Sieb:
>> As someone else mentioned, why are you writing logs to the web server
>> data directory?  There's a directory (/var/log/httpd) that's already
>> intended for that.  The file context is most likely going to be
>> wrong, which is why selinux is (rightly) blocking it.

Patrick O'Callaghan:
> Why? Because being unfamiliar with Apache (and Certbot) I was foolishly
> following an online step-by-step guide:
> 
> https://www.linuxshelltips.com/install-apache-fedora-linux/
> 
> I've since seen the error of my ways and it seems to be working now.

I'm a bit surprised at that site's recommendations.  It's quite
different from info I've read before, and how the default Apache
install on Fedora is set up.  My guess is that they've followed some
other example, and then just put "Fedora" into the text in a few key
places.  It's surprising it doesn't also say, first switch off SELinux.

The SELinux contexts are applied to files created in certain expected
places.  I don't know whether SELinux has pre-existing rules for logs
in more than one place.  We generally expect logs somewhere under
/var/log, though.  Apache may require specific /httpd log/ contexts to
be able to write to them.

I've seen other weird examples, where they've put the logs inside
/etc/httpd/ or put symlinks to their real location inside there.

Generally, the main Apache config is in /etc/httpd/conf/httpd.conf, and
it will "include" any other .conf configuration files from
/etc/httpd/conf.d/ for customisation (where you could put your virtual
site configs, as well as any other add-ons).

That site's whole bit about sites-available and sites-enabled, with
symlinking, is a rat's nest of directories that I've never encountered
before.  We already have an /etc/httpd/conf.d/ that can hold all extra
config files.  And you can easily create an extra conf.disabled
directory, or rename them to not end in .conf, if you want to shift a
config file and see how things work without it.

Looking at other examples, the default site is inside /var/www/html,
and then they've suggested virtual hosted sites to go inside it as sub-
directories, meaning the default site can lead incorrectly into the
various virtual sites.  That could lead to all sorts of bypassing of
access controls.

(The *default* site being what's served if you don't request a site by
a recognised hostname.  But if you only have ONE site, it could be the
default one.)

Other examples suggest schemes like this:

/var/www/html/  (the default site)
/var/www/now-to-eat-pizza/  (one of your virtual sites)
/var/www/exercising-your-pet-rock/  (another of your virtual sites)

The whole /var/www/ is a bit odd, too.  It's probably no more variable
content than your own personal files.  Other instructions advise
websites should be served from /srv/

There's all sorts of very different example suggestions, and some of
them are bad advice.

-- 
 
uname -rsvp
Linux 3.10.0-1160.88.1.el7.x86_64 #1 SMP Tue Mar 7 15:41:52 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 


Re: Certbot error - SOLVED (?)

2023-04-24 Thread Patrick O'Callaghan
On Sun, 2023-04-23 at 14:56 -0700, Samuel Sieb wrote:
> On 4/23/23 14:50, Patrick O'Callaghan wrote:
> > I had a look at /var/log/httpd/error_log and found this:
> > 
> >  httpd: could not open error log file
> > /var/www/bree.org.uk/error.log
> > 
> > I rechecked and that file definitely exists and is writable by root
> > (which httpd runs as). However a suspicion arose and I decided to
> > turn
> > off SElinux and reload.
> 
> As someone else mentioned, why are you writing logs to the web server
> data directory?  There's a directory (/var/log/httpd) that's already 
> intended for that.  The file context is most likely going to be
> wrong, 
> which is why selinux is (rightly) blocking it.

Why? Because being unfamiliar with Apache (and Certbot) I was foolishly
following an online step-by-step guide:

https://www.linuxshelltips.com/install-apache-fedora-linux/

I've since seen the error of my ways and it seems to be working now.

poc


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Tim via users
On Sun, 2023-04-23 at 15:29 -0700, Mike Wright wrote:
> I don't understand how his logs are accessible to the web.  They are not 
> under the DocumentRoot.  error.log is above it and access.log is next to 
> it.  Is it somehow possible for a client to reach above / ?

Normally, they aren't.  But Patrick's were inside it.  It may have been
possible for them to be publicly seen.

Remember file contexts are created on the file path, by creating a file
in the doc root structure, they'd be given public serveable SELinux
contexts.  And, after switching off SELinux, it was even more likely
they could be.

> If so, let me know how.  I like to package my VirtualHosts so everything 
> is in one zippable, portable package.  If my stuff is in the wind I'll 
> need to make some changes.
> 
> path/to/domain/DocRoot
> path/to/domain/conf
> path/to/domain/acc (link to /var/log/httpd/domain/access.log)
> path/to/domain/err (link to /var/log/httpd/domain/error.log)

That'd work, too.
 


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Todd Zullinger
Chris Adams wrote:
> Once upon a time, Mike Wright  said:
>> I don't understand how his logs are accessible to the web.  They are
>> not under the DocumentRoot.  error.log is above it and access.log is
>> next to it.  Is it somehow possible for a client to reach above / ?
> 
> I didn't look at the posted configs (I haven't run Apache in ages,
> switched to nginx), so I didn't know the DocumentRoot.  I just saw the
> directory path as /var/www/, which I've seen lots of people use
> as their DocumentRoot.

It looked odd to me as well.  Apparently, the SELinux policy
tries to help with such a configuration (though it wouldn't
match Patrick's).

Checking the labeling via `semanage fcontext -l` the
following patterns are in place (among many others for
/var/www/*):

SELinux fcontext              type        Context
/var/www(/.*)?                all files   system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?     all files   system_u:object_r:httpd_log_t:s0

Neither of these would match the log files in the
configuration posted earlier:


ServerName bree.org.uk
ServerAdmin pocallag...@gmail.com
DocumentRoot /var/www/bree.org.uk/html
ErrorLog /var/www/bree.org.uk/error.log
CustomLog /var/www/bree.org.uk/log/access.log combined


So while the logs wouldn't be served up by httpd as part of
the document root, they would both be denied by SELinux
AFAICT.

Putting them both under /var/www/bree.org.uk/logs/ would
help in that respect; though personally I'd put them under
/var/log/httpd unless I were running a web hosting service
or something¹.

¹ and if I'm ever running a web hosting service, I have
  likely lost my mind and should be ignored (more so than I
  am now, if that's possible).

-- 
Todd

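The lookup Todd walks through above, carried out in code as an added example for this page (it is not code from the thread, from Fedora or from the SELinux tooling): it parses a constructed `semanage fcontext -l` listing made of the two /var/www rows quoted above plus the stock `/var/log/httpd(/.*)?` row (assumed here to be present unchanged on the poster's Fedora), applies the last-match-wins order libselinux uses for file_contexts, and shows why `/var/www/bree.org.uk/error.log` and the `log/access.log` path from the posted vhost land on httpd_sys_content_t, which httpd cannot open for writing, while a `logs/` subdirectory or anything under /var/log/httpd gets httpd_log_t. The matching model is simplified (anchored regex, file-type column honoured, no homedir or local-file merging beyond appending), and `local_log_rule` is a helper invented for the example to model what `semanage fcontext -a` would add.

```python
import re
from typing import List, NamedTuple, Optional


class FcRule(NamedTuple):
    regex: str    # anchored path regex, exactly as file_contexts stores it
    ftype: str    # "all files", "regular file", "directory", ...
    context: str  # user:role:type:level


# Constructed sample of `semanage fcontext -l` output.  The two /var/www rows
# are the ones quoted in the thread; the /var/log/httpd row is the stock
# reference-policy rule (assumption: unchanged on the poster's Fedora).
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext              type        Context
/var/log/httpd(/.*)?          all files   system_u:object_r:httpd_log_t:s0
/var/www(/.*)?                all files   system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?     all files   system_u:object_r:httpd_log_t:s0
"""

_ROW = re.compile(
    r"^(?P<regex>\S+)\s+"
    r"(?P<ftype>all files|regular file|directory|symbolic link|"
    r"character device|block device|socket|named pipe)\s+"
    r"(?P<context>\S+)$"
)


def parse_fcontext_list(text: str) -> List[FcRule]:
    """Turn the three-column listing into rules; the header line never matches _ROW."""
    rules = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rules.append(FcRule(m["regex"], m["ftype"], m["context"]))
    return rules


def match_context(path: str, rules: List[FcRule],
                  ftype: str = "regular file") -> Optional[str]:
    """Context restorecon/fixfiles would assign to `path`, or None if nothing matches.

    libselinux evaluates file_contexts so that the LAST matching entry wins, and
    local customisations (semanage fcontext -a ...) are loaded after the policy's
    own rows; callers therefore append local rules at the end of `rules`.
    """
    for rule in reversed(rules):
        if rule.ftype in ("all files", ftype) and re.fullmatch(rule.regex, path):
            return rule.context
    return None


def selinux_type(context: Optional[str]) -> Optional[str]:
    """The type field of a user:role:type:level context."""
    return context.split(":")[2] if context else None


def httpd_may_write_log(path: str, rules: List[FcRule]) -> bool:
    """httpd_t may open a log for writing only when the file is labelled httpd_log_t."""
    return selinux_type(match_context(path, rules)) == "httpd_log_t"


def local_log_rule(directory: str) -> FcRule:
    """Hypothetical helper: the rule `semanage fcontext -a -t httpd_log_t "DIR(/.*)?"`
    would add (follow it with `restorecon -Rv DIR`).  Label only the log directory,
    never the whole vhost tree, or the site content loses httpd_sys_content_t.
    """
    return FcRule(re.escape(directory) + r"(/.*)?", "all files",
                  "system_u:object_r:httpd_log_t:s0")


if __name__ == "__main__":
    policy = parse_fcontext_list(SAMPLE_FCONTEXT_LIST)
    for p in ("/var/www/bree.org.uk/error.log",
              "/var/www/bree.org.uk/log/access.log",
              "/var/www/bree.org.uk/logs/access.log",
              "/var/log/httpd/error_log"):
        print(f"{p:40} -> {match_context(p, policy)}  "
              f"log-writable={httpd_may_write_log(p, policy)}")
    fixed = policy + [local_log_rule("/var/www/bree.org.uk/log")]
    print("after local rule:",
          httpd_may_write_log("/var/www/bree.org.uk/log/access.log", fixed))
```

On a real box the equivalent check is `matchpathcon /var/www/bree.org.uk/error.log` (and `ls -Z` for what is currently on disk), and the persistent fix for someone who insists on per-site logs is `semanage fcontext -a -t httpd_log_t '/var/www/bree.org.uk/log(/.*)?'` followed by `restorecon -Rv /var/www/bree.org.uk/log`. The thread's preferred answer needs none of that: log under /var/log/httpd and the stock policy already labels it.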



Re: Certbot error - SOLVED (?)

2023-04-23 Thread Chris Adams
Once upon a time, Mike Wright  said:
> I don't understand how his logs are accessible to the web.  They are
> not under the DocumentRoot.  error.log is above it and access.log is
> next to it.  Is it somehow possible for a client to reach above / ?

I didn't look at the posted configs (I haven't run Apache in ages,
switched to nginx), so I didn't know the DocumentRoot.  I just saw the
directory path as /var/www/, which I've seen lots of people use
as their DocumentRoot.

-- 
Chris Adams 


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Patrick O'Callaghan
On Sun, 2023-04-23 at 18:58 -0400, Jeffrey Walton wrote:
> On Sun, Apr 23, 2023 at 6:53 PM Jeffrey Walton wrote:
> > 
> > On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan wrote:
> > > 
> > > On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> > > > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > > > > Webroot authentication is pretty simple, what trips most
> > > > > people up
> > > > > is
> > > > > it puts it in a dot directory /.well-known/acme-challenge/
> > > > > and a
> > > > > lot
> > > > > of open source packages include Apache rules that block
> > > > > dotfiles
> > > > > with
> > > > > errors to hide these files so see if you have any rules like
> > > > > that
> > > > > or
> > > > > specifically whitelist that path.
> > > > 
> > > > Access to files named like them is still allowed, they're just
> > > > not
> > > > shown in automatic directory listings in the browser.
> > > > 
> > > > Specific files like .htaccess and .htpasswd ought to be
> > > > blocked.
> > > 
> > > I had a look at /var/log/httpd/error_log and found this:
> > > 
> > >     httpd: could not open error log file
> > > /var/www/bree.org.uk/error.log
> > > 
> > > I rechecked and that file definitely exists and is writable by
> > > root
> > > (which httpd runs as). However a suspicion arose and I decided to
> > > turn
> > > off SElinux and reload.
> > > 
> > > And it worked. Not only that, but certbot worked as well:
> > > 
> > > # httpd -t -D DUMP_VHOSTS
> > > VirtualHost configuration:
> > > *:80   bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
> > > *:443  is a NameVirtualHost
> > >  default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> > >  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> > >  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)
> > > 
> > > I'm well aware that you had mentioned SElinux earlier, and I had
> > > definitely done tests having turned it off, but clearly I missed
> > > something.
> > > 
> > > I may have caused the problem by changing ownership of some files
> > > to
> > > apache:apache without considering their SElinux context. For the
> > > time
> > > being I'm keeping setenforce=0 until I can figure this out
> > > (suggestions
> > > are of course welcome).
> > > 
> > > Effusive thanks to the multiple people who chipped in with ideas.
> > 
> > I imagine Apache should work out-of-the-box with Fedora. I would be
> > surprised if Fedora shipped a broken one.
> > 
> > This is an unusual place:
> > 
> >     > httpd: could not open error log file
> >     > /var/www/bree.org.uk/error.log
> > 
> > I don't think that will work.
> > 
> > Move the log file to /var/log, relabel your filesystem, and then
> > reboot:
> > 
> >    sudo fixfiles -B onboot
> 
> And to expand on this... Under SELinux, the log location needs a
> httpd_log_t context:
> 
> # ls -AlZ /var/log/ | grep -i -E 'apache|nginx'
> drwx--x--x. 2 root root system_u:object_r:httpd_log_t:s0 4096 Apr 10 20:00 nginx
> 
> Relabeling should fix it.

I've done that (i.e. moved things back to the more usual /var/www and
/var/log directories, and relabelled). Seems to work now.

I had originally been following an online guide which gave the more
complicated setup rather than the default. That'll teach me to run
before I can walk.

Thanks

poc


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Jeffrey Walton
On Sun, Apr 23, 2023 at 6:53 PM Jeffrey Walton  wrote:
>
> On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan wrote:
> >
> > On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> > > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > > > Webroot authentication is pretty simple, what trips most people up
> > > > is
> > > > it puts it in a dot directory /.well-known/acme-challenge/ and a
> > > > lot
> > > > of open source packages include Apache rules that block dotfiles
> > > > with
> > > > errors to hide these files so see if you have any rules like that
> > > > or
> > > > specifically whitelist that path.
> > >
> > > Access to files named like them is still allowed, they're just not
> > > shown in automatic directory listings in the browser.
> > >
> > > Specific files like .htaccess and .htpasswd ought to be blocked.
> >
> > I had a look at /var/log/httpd/error_log and found this:
> >
> > httpd: could not open error log file /var/www/bree.org.uk/error.log
> >
> > I rechecked and that file definitely exists and is writable by root
> > (which httpd runs as). However a suspicion arose and I decided to turn
> > off SElinux and reload.
> >
> > And it worked. Not only that, but certbot worked as well:
> >
> > # httpd -t -D DUMP_VHOSTS
> > VirtualHost configuration:
> > *:80   bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
> > *:443  is a NameVirtualHost
> >  default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> >  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
> >  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)
> >
> > I'm well aware that you had mentioned SElinux earlier, and I had
> > definitely done tests having turned it off, but clearly I missed
> > something.
> >
> > I may have caused the problem by changing ownership of some files to
> > apache:apache without considering their SElinux context. For the time
> > being I'm keeping setenforce=0 until I can figure this out (suggestions
> > are of course welcome).
> >
> > Effusive thanks to the multiple people who chipped in with ideas.
>
> I imagine Apache should work out-of-the-box with Fedora. I would be
> surprised if Fedora shipped a broken one.
>
> This is an unusual place:
>
> > httpd: could not open error log file
> > /var/www/bree.org.uk/error.log
>
> I don't think that will work.
>
> Move the log file to /var/log, relabel your filesystem, and then reboot:
>
>sudo fixfiles -B onboot

And to expand on this... Under SELinux, the log location needs a
httpd_log_t context:

# ls -AlZ /var/log/ | grep -i -E 'apache|nginx'
drwx--x--x. 2 root root system_u:object_r:httpd_log_t:s0 4096 Apr 10 20:00 nginx

Relabeling should fix it.

Jeff


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Jeffrey Walton
On Sun, Apr 23, 2023 at 5:51 PM Patrick O'Callaghan wrote:
>
> On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> > On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > > Webroot authentication is pretty simple, what trips most people up
> > > is
> > > it puts it in a dot directory /.well-known/acme-challenge/ and a
> > > lot
> > > of open source packages include Apache rules that block dotfiles
> > > with
> > > errors to hide these files so see if you have any rules like that
> > > or
> > > specifically whitelist that path.
> >
> > Access to files named like them is still allowed, they're just not
> > shown in automatic directory listings in the browser.
> >
> > Specific files like .htaccess and .htpasswd ought to be blocked.
>
> I had a look at /var/log/httpd/error_log and found this:
>
> httpd: could not open error log file /var/www/bree.org.uk/error.log
>
> I rechecked and that file definitely exists and is writable by root
> (which httpd runs as). However a suspicion arose and I decided to turn
> off SElinux and reload.
>
> And it worked. Not only that, but certbot worked as well:
>
> # httpd -t -D DUMP_VHOSTS
> VirtualHost configuration:
> *:80   bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
> *:443  is a NameVirtualHost
>  default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
>  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
>  port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)
>
> I'm well aware that you had mentioned SElinux earlier, and I had
> definitely done tests having turned it off, but clearly I missed
> something.
>
> I may have caused the problem by changing ownership of some files to
> apache:apache without considering their SElinux context. For the time
> being I'm keeping setenforce=0 until I can figure this out (suggestions
> are of course welcome).
>
> Effusive thanks to the multiple people who chipped in with ideas.

I imagine Apache should work out-of-the-box with Fedora. I would be
surprised if Fedora shipped a broken one.

This is an unusual place:

> httpd: could not open error log file
> /var/www/bree.org.uk/error.log

I don't think that will work.

Move the log file to /var/log, relabel your filesystem, and then reboot:

   sudo fixfiles -B onboot

Jeff


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Mike Wright

On 4/23/23 15:08, Chris Adams wrote:

Once upon a time, Patrick O'Callaghan  said:

 httpd: could not open error log file /var/www/bree.org.uk/error.log


Putting the log under /var/www is very bad practice, as that could be
remotely accessible now (and share all kinds of useful information to
attackers).  Rather than do that, and disable SELinux protections, you
should put your logs under the log directory, /var/log.  If you don't
like the default permissions on /var/log/httpd, you can make another
directory, but still under /var/log (and not accessible over the web).


Chris and others earlier,

I don't understand how his logs are accessible to the web.  They are not 
under the DocumentRoot.  error.log is above it and access.log is next to 
it.  Is it somehow possible for a client to reach above / ?


If so, let me know how.  I like to package my VirtualHosts so everything 
is in one zippable, portable package.  If my stuff is in the wind I'll 
need to make some changes.


path/to/domain/DocRoot
path/to/domain/conf
path/to/domain/acc (link to /var/log/httpd/domain/access.log)
path/to/domain/err (link to /var/log/httpd/domain/error.log)

Thanks in advance,
Mike


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Chris Adams
Once upon a time, Patrick O'Callaghan  said:
> httpd: could not open error log file /var/www/bree.org.uk/error.log

Putting the log under /var/www is very bad practice, as that could be
remotely accessible now (and share all kinds of useful information to
attackers).  Rather than do that, and disable SELinux protections, you
should put your logs under the log directory, /var/log.  If you don't
like the default permissions on /var/log/httpd, you can make another
directory, but still under /var/log (and not accessible over the web).

-- 
Chris Adams 


Re: Certbot error - SOLVED (?)

2023-04-23 Thread Samuel Sieb

On 4/23/23 14:50, Patrick O'Callaghan wrote:

I had a look at /var/log/httpd/error_log and found this:

 httpd: could not open error log file /var/www/bree.org.uk/error.log

I rechecked and that file definitely exists and is writable by root
(which httpd runs as). However a suspicion arose and I decided to turn
off SElinux and reload.


As someone else mentioned, why are you writing logs to the web server 
data directory?  There's a directory (/var/log/httpd) that's already 
intended for that.  The file context is most likely going to be wrong, 
which is why selinux is (rightly) blocking it.



Re: Certbot error - SOLVED (?)

2023-04-23 Thread Patrick O'Callaghan
On Mon, 2023-04-24 at 05:06 +0930, Tim via users wrote:
> On Sun, 2023-04-23 at 12:21 -0700, T.C. Hollingsworth wrote:
> > Webroot authentication is pretty simple, what trips most people up
> > is
> > it puts it in a dot directory /.well-known/acme-challenge/ and a
> > lot
> > of open source packages include Apache rules that block dotfiles
> > with
> > errors to hide these files so see if you have any rules like that
> > or
> > specifically whitelist that path.
> 
> Access to files named like them is still allowed, they're just not
> shown in automatic directory listings in the browser.
> 
> Specific files like .htaccess and .htpasswd ought to be blocked.

I had a look at /var/log/httpd/error_log and found this:

httpd: could not open error log file /var/www/bree.org.uk/error.log

I rechecked and that file definitely exists and is writable by root
(which httpd runs as). However a suspicion arose and I decided to turn
off SElinux and reload.

And it worked. Not only that, but certbot worked as well:

# httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80   bree.org.uk (/etc/httpd/conf.d/bree.conf:1)
*:443  is a NameVirtualHost
 default server bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
 port 443 namevhost bree.org.uk (/etc/httpd/conf.d/bree-le-ssl.conf:2)
 port 443 namevhost bree.org.uk (/etc/httpd/conf.d/ssl.conf:56)

I'm well aware that you had mentioned SElinux earlier, and I had
definitely done tests having turned it off, but clearly I missed
something.

I may have caused the problem by changing ownership of some files to
apache:apache without considering their SElinux context. For the time
being I'm keeping setenforce=0 until I can figure this out (suggestions
are of course welcome).

Effusive thanks to the multiple people who chipped in with ideas.

poc
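The dot-directory trap T.C. Hollingsworth describes in the quoted text above, as an added configuration example written for this page (not taken from the thread, from Certbot's documentation or from the poster's actual vhost, which is not shown): a common hardening rule that 404s every URL path component beginning with a dot (the commented-out `RedirectMatch 404` line is the pattern assumed here) silently breaks Certbot's webroot challenge under /.well-known/acme-challenge/, and the corrected form exempts that one directory while leaving .htaccess and .htpasswd denied. The DocumentRoot is the one from the vhost quoted earlier in the thread.

```apache
# Weak: hides every dot path, /.well-known/ included, so the ACME
# validation GET for /.well-known/acme-challenge/<token> gets a 404
# from Apache even though Certbot wrote the token file correctly.
#RedirectMatch 404 "/\..*$"

# Corrected: still deny dot paths, but exempt /.well-known/ with a PCRE
# negative lookahead, and explicitly serve the directory that the
# Certbot webroot authenticator writes into.
RedirectMatch 404 "/\.(?!well-known/)"

<Directory "/var/www/bree.org.uk/html/.well-known/acme-challenge">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# .htaccess/.htpasswd stay blocked.  Fedora's stock httpd.conf already
# ships this; it is repeated here only so the intent is visible alongside
# the exception above.
<Files ".ht*">
    Require all denied
</Files>
```

Verify with `httpd -t`, then drop a test file into the acme-challenge directory and fetch it with `curl -i http://bree.org.uk/.well-known/acme-challenge/test`: a 404 for a file that exists on disk is the signature of an over-broad dot rule. This matters chiefly for `certbot --webroot`; the apache authenticator injects its own temporary challenge configuration, but the same rule can still interfere if it sits in the vhost.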