Posted to issues@airavata.apache.org by "Marcus Christie (JIRA)" <ji...@apache.org> on 2018/01/09 20:28:00 UTC

[jira] [Commented] (AIRAVATA-2627) Letsencrypt auto renewal is preventing Apache from restarting

    [ https://issues.apache.org/jira/browse/AIRAVATA-2627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16319089#comment-16319089 ] 

Marcus Christie commented on AIRAVATA-2627:
-------------------------------------------

Links:
* https://bugzilla.redhat.com/show_bug.cgi?id=1385167 - SELinux issue?
** looks like there is a systemd service already that can handle renewals
{noformat}
systemctl enable certbot-renew
systemctl start certbot-renew
{noformat}

In audit.log I see the following related errors:
{noformat}
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520321.754:4332981): arch=c000003e syscall=59 success=yes exit=0 a0=19ca730 a1=19c70a0 a2=19c74e0 a3=7ffd585d5980 items=0 ppid=11704 pid=11706 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520321.780:4332982): avc:  denied  { write } for  pid=11709 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520321.780:4332982): avc:  denied  { write } for  pid=11709 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520321.780:4332982): avc:  denied  { write } for  pid=11709 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520321.780:4332982): arch=c000003e syscall=59 success=yes exit=0 a0=16699e0 a1=16655e0 a2=16665c0 a3=7ffd0235c430 items=0 ppid=11707 pid=11709 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520323.121:4332983): avc:  denied  { getattr } for  pid=11725 comm="httpd" path="/var/lib/letsencrypt/YDnHNU3oKDOaT_oO2qXSoXR65gUb7k66KB0dF4nwT-8.crt" dev="dm-1" ino=1621710 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520323.121:4332983): arch=c000003e syscall=4 success=no exit=-13 a0=7fc3a80a7ca0 a1=7ffe1122de30 a2=7ffe1122de30 a3=3652586f53587132 items=0 ppid=1 pid=11725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520323.405:4332984): avc:  denied  { write } for  pid=11744 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520323.405:4332984): avc:  denied  { write } for  pid=11744 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520323.405:4332984): avc:  denied  { write } for  pid=11744 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1515520323.405:4332984): avc:  denied  { write } for  pid=11744 comm="httpd" path="/etc/httpd/.certbot.lock" dev="dm-1" ino=70498394 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1515520323.405:4332984): arch=c000003e syscall=59 success=yes exit=0 a0=1f97730 a1=1f940a0 a2=1f944e0 a3=7ffd85f275b0 items=0 ppid=11742 pid=11744 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520323.430:4332985): avc:  denied  { write } for  pid=11747 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520323.430:4332985): avc:  denied  { write } for  pid=11747 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520323.430:4332985): avc:  denied  { write } for  pid=11747 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1515520323.430:4332985): avc:  denied  { write } for  pid=11747 comm="httpd" path="/etc/httpd/.certbot.lock" dev="dm-1" ino=70498394 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1515520323.430:4332985): arch=c000003e syscall=59 success=yes exit=0 a0=b5c9e0 a1=b585e0 a2=b595c0 a3=7ffea5aa7400 items=0 ppid=11745 pid=11747 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520325.307:4332986): avc:  denied  { getattr } for  pid=11757 comm="httpd" path="/var/lib/letsencrypt/9qLZfLerTerU_bGLYPfXWXq-EXktXgYfNQAEQcdHSpE.crt" dev="dm-1" ino=1621697 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520325.307:4332986): arch=c000003e syscall=4 success=no exit=-13 a0=7fbd95fe9ca0 a1=7ffcb16c7340 a2=7ffcb16c7340 a3=2d71585758665059 items=0 ppid=1 pid=11757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520325.560:4332987): avc:  denied  { write } for  pid=11776 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520325.560:4332987): avc:  denied  { write } for  pid=11776 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520325.560:4332987): avc:  denied  { write } for  pid=11776 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1515520325.560:4332987): avc:  denied  { write } for  pid=11776 comm="httpd" path="/etc/httpd/.certbot.lock" dev="dm-1" ino=70498394 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1515520325.560:4332987): arch=c000003e syscall=59 success=yes exit=0 a0=12d5730 a1=12d20a0 a2=12d24e0 a3=7fff91f1d540 items=0 ppid=11774 pid=11776 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520325.584:4332988): avc:  denied  { write } for  pid=11779 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520325.584:4332988): avc:  denied  { write } for  pid=11779 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520325.584:4332988): avc:  denied  { write } for  pid=11779 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1515520325.584:4332988): avc:  denied  { write } for  pid=11779 comm="httpd" path="/etc/httpd/.certbot.lock" dev="dm-1" ino=70498394 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1515520325.584:4332988): arch=c000003e syscall=59 success=yes exit=0 a0=24ea9e0 a1=24e65e0 a2=24e75c0 a3=7ffdbacb4470 items=0 ppid=11777 pid=11779 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520327.735:4332989): avc:  denied  { getattr } for  pid=11796 comm="httpd" path="/var/lib/letsencrypt/I69cuV1431Lfk88VjtDFxlBPEnagdg5atz9dhGhsxfY.crt" dev="dm-1" ino=1621697 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
...
{noformat}


> Letsencrypt auto renewal is preventing Apache from restarting
> -------------------------------------------------------------
>
>                 Key: AIRAVATA-2627
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-2627
>             Project: Airavata
>          Issue Type: Bug
>          Components: PGA PHP Web Gateway
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>
> The {{certbot renew --quiet}} command in the crontab is apparently causing Apache to fail to reload:
> From the systemd journal ({{journalctl -xe}}):
> {noformat}
> -- Unit session-34124.scope has begun starting up.
> Jan 09 12:50:01 gridfarm004.ucs.indiana.edu CROND[11610]: (root) CMD (/usr/lib64/sa/sa1 1 1)
> Jan 09 12:52:01 gridfarm004.ucs.indiana.edu systemd[1]: Started Session 34125 of user root.
> -- Subject: Unit session-34125.scope has finished start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit session-34125.scope has finished starting up.
> -- 
> -- The start-up result is done.
> Jan 09 12:52:01 gridfarm004.ucs.indiana.edu systemd[1]: Starting Session 34125 of user root.
> -- Subject: Unit session-34125.scope has begun start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit session-34125.scope has begun starting up.
> Jan 09 12:52:01 gridfarm004.ucs.indiana.edu CROND[11692]: (root) CMD (/usr/bin/certbot renew --quiet)
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu httpd[11725]: AH00112: Warning: DocumentRoot [/www/default] does not exist
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu httpd[11725]: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu httpd[11725]: SSLCertificateFile: file '/var/lib/letsencrypt/YDnHNU3oKDOaT_oO2qXSoXR65gUb7k66KB0dF4nwT-8.crt' does not exist or is empty
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu systemd[1]: httpd.service: control process exited, code=exited status=1
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu systemd[1]: Reload failed for The Apache HTTP Server.
> -- Subject: Unit httpd.service has finished reloading its configuration
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit httpd.service has finished reloading its configuration
> -- 
> -- The result is failed.
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu httpd[11735]: AH00112: Warning: DocumentRoot [/www/default] does not exist
> Jan 09 12:52:03 gridfarm004.ucs.indiana.edu systemd[1]: Reloaded The Apache HTTP Server.
> -- Subject: Unit httpd.service has finished reloading its configuration
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit httpd.service has finished reloading its configuration
> -- 
> -- The result is done.
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu httpd[11757]: AH00112: Warning: DocumentRoot [/www/default] does not exist
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu httpd[11757]: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu httpd[11757]: SSLCertificateFile: file '/var/lib/letsencrypt/9qLZfLerTerU_bGLYPfXWXq-EXktXgYfNQAEQcdHSpE.crt' does not exist or is empty
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu systemd[1]: httpd.service: control process exited, code=exited status=1
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu systemd[1]: Reload failed for The Apache HTTP Server.
> -- Subject: Unit httpd.service has finished reloading its configuration
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit httpd.service has finished reloading its configuration
> -- 
> -- The result is failed.
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu httpd[11767]: AH00112: Warning: DocumentRoot [/www/default] does not exist
> Jan 09 12:52:05 gridfarm004.ucs.indiana.edu systemd[1]: Reloaded The Apache HTTP Server.
> -- Subject: Unit httpd.service has finished reloading its configuration
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit httpd.service has finished reloading its configuration
> -- 
> -- The result is done.
> Jan 09 12:52:07 gridfarm004.ucs.indiana.edu httpd[11796]: AH00112: Warning: DocumentRoot [/www/default] does not exist
> Jan 09 12:52:07 gridfarm004.ucs.indiana.edu httpd[11796]: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
> Jan 09 12:52:07 gridfarm004.ucs.indiana.edu httpd[11796]: SSLCertificateFile: file '/var/lib/letsencrypt/I69cuV1431Lfk88VjtDFxlBPEnagdg5atz9dhGhsxfY.crt' does not exist or is empty
> Jan 09 12:52:07 gridfarm004.ucs.indiana.edu systemd[1]: httpd.service: control process exited, code=exited status=1
> Jan 09 12:52:07 gridfarm004.ucs.indiana.edu systemd[1]: Reload failed for The Apache HTTP Server.
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
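The audit records quoted above carry the whole diagnosis once they are read together with their SYSCALL lines: the getattr denial on the challenge certificate under /var/lib/letsencrypt is paired with syscall=4 (stat on x86_64) and exit=-13 (EACCES), which is exactly what makes httpd report that the SSLCertificateFile "does not exist or is empty" and fail the reload, while the write denials on the four .certbot.lock files are paired with syscall=59 (execve) and success=yes, so they never returned an error to anything. The target types tell the rest: the files certbot created from the cron job carry cron_var_lib_t and cron_log_t, types the httpd_t domain is not allowed to touch. The following script is an added example written for this page (not code from the ticket, from Airavata or from certbot) that parses an audit.log extract in this format, joins each AVC record to its SYSCALL record by audit serial, separates denials that actually returned an error from ones where the syscall still succeeded, and flags target files whose label comes from a cron_ type. The sample input is constructed from a subset of the lines quoted above; the "cron_ prefix means created under a cron job's type transition" rule is a heuristic assumed for the example, and SYSCALL_NAMES only covers the two syscall numbers that appear here.

```python
"""Summarise SELinux AVC denials from an audit.log extract (added example, not project code)."""
import re

# x86_64 syscall numbers (arch=c000003e) that appear in the ticket's records; extend as needed
SYSCALL_NAMES = {4: "stat", 59: "execve"}

# Constructed sample: a subset of the records quoted in the ticket, one record per line
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-1" ino=135751474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-1" ino=201415739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1515520321.754:4332981): avc:  denied  { write } for  pid=11706 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-1" ino=1621696 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520321.754:4332981): arch=c000003e syscall=59 success=yes exit=0 a0=19ca730 a1=19c70a0 a2=19c74e0 a3=7ffd585d5980 items=0 ppid=11704 pid=11706 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34125 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1515520323.121:4332983): avc:  denied  { getattr } for  pid=11725 comm="httpd" path="/var/lib/letsencrypt/YDnHNU3oKDOaT_oO2qXSoXR65gUb7k66KB0dF4nwT-8.crt" dev="dm-1" ino=1621710 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1515520323.121:4332983): arch=c000003e syscall=4 success=no exit=-13 a0=7fc3a80a7ca0 a1=7ffe1122de30 a2=7ffe1122de30 a3=3652586f53587132 items=0 ppid=1 pid=11725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

_AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
_SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)$')
# key=value or key="quoted value"; unquoted values such as (null) and (none) are kept verbatim
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _fields(s):
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _FIELD_RE.finditer(s)}


def _type_of(context):
    # "system_u:object_r:cron_var_lib_t:s0" -> "cron_var_lib_t"
    return context.split(":")[2]


def parse_audit(text):
    """Return (avc_records, syscall_records_by_serial) for the lines in text."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = _AVC_RE.match(line)
        if m:
            rec = _fields(m.group("fields"))
            rec.update(serial=int(m.group("serial")), result=m.group("result"),
                       perms=m.group("perms").split())
            avcs.append(rec)
            continue
        m = _SYSCALL_RE.match(line)
        if m:
            syscalls[int(m.group("serial"))] = _fields(m.group("fields"))
    return avcs, syscalls


def summarize_denials(text):
    """Group denials by (source domain, target type, class, permission).

    hard_failures counts denials whose SYSCALL record says success=no, i.e. the
    caller actually got an error (exit=-13 is -EACCES); the rest were logged but
    the syscall itself still completed, as the execve records above show."""
    avcs, syscalls = parse_audit(text)
    summary = {}
    for rec in avcs:
        if rec["result"] != "denied":
            continue
        sc = syscalls.get(rec["serial"], {})
        hard = sc.get("success") == "no"
        for perm in rec["perms"]:
            key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"], perm)
            e = summary.setdefault(key, {"count": 0, "hard_failures": 0, "paths": set(), "syscalls": set()})
            e["count"] += 1
            e["hard_failures"] += int(hard)
            e["paths"].add(rec.get("path", "?"))
            if "syscall" in sc:
                e["syscalls"].add(SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]))
    return summary


def cron_labelled_paths(text):
    """Heuristic (assumption of this example): a target type starting with cron_
    means the file was created by a cron job and took cron's type transition,
    so a service confined in its own domain cannot be expected to access it."""
    avcs, _ = parse_audit(text)
    return sorted({rec["path"] for rec in avcs
                   if rec.get("path") and _type_of(rec["tcontext"]).startswith("cron_")})


def format_report(text):
    """Plain-text summary, returned as a string so it can be checked as well as printed."""
    lines = []
    for (sdom, ttype, tclass, perm), e in sorted(summarize_denials(text).items()):
        outcome = "returned an error to the caller" if e["hard_failures"] else "syscall still succeeded"
        lines.append(f"{sdom} -> {ttype} {tclass} {{ {perm} }}: {e['count']} denial(s), "
                     f"{outcome}, via {', '.join(sorted(e['syscalls'])) or 'unknown'}")
        lines.extend(f"    {p}" for p in sorted(e["paths"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_AUDIT_LOG))
    print("files carrying a cron_ label:", *cron_labelled_paths(SAMPLE_AUDIT_LOG), sep="\n  ")
```

Run against the real file with `python3 avc_summary.py < /dev/null` adapted to read /var/log/audit/audit.log, or paste an `ausearch -m avc` extract into SAMPLE_AUDIT_LOG. The grouping is meant to steer the fix: the one entry with a hard failure is httpd_t being refused getattr on a cron_var_lib_t file, which points at running the renewal from a unit that gives certbot a sensible domain (the certbot-renew service mentioned above) or relabelling the files it already created, not at feeding these denials to audit2allow, since a rule letting httpd_t write etc_t to satisfy the /etc/letsencrypt lock would grant far more than this problem needs.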