Post Fedora Server upgrade to FC38; Apache httpd server no longer honors Let’s Encrypt keys

May 21, 2023

If you have upgraded your Fedora Server to Fedora 38 and Apache HTTP Server is no longer honoring the Let’s Encrypt keys, there could be a few possible reasons and troubleshooting steps you can take:

  1. Apache Configuration Changes: Check whether the Apache configuration files were changed during the Fedora upgrade. Verify that the VirtualHost configuration for your website still includes the correct SSL/TLS settings and points to the correct Let’s Encrypt key and certificate files. Example configuration:
    <VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Other configuration directives…
    </VirtualHost>

    Make sure the paths to the Let’s Encrypt key and certificate files are correct and accessible by the Apache user.

  2. Certbot Auto-Renewal: Check if the Certbot auto-renewal process is still running and successfully renewing the Let’s Encrypt certificates. Run the following command to check the status:
    sudo certbot renew --dry-run

    This will simulate the renewal process and display any error messages or issues encountered. Ensure that the renewal process completes without errors.

  3. SELinux Policies: Fedora uses SELinux by default, and a system upgrade can sometimes modify SELinux policies. Check if SELinux is blocking Apache from accessing the Let’s Encrypt keys. Review the SELinux audit logs (/var/log/audit/audit.log) for any related denial messages. If SELinux is blocking access, you can update the SELinux context of the Let’s Encrypt key files using the chcon command:
    sudo chcon -Rv --type=httpd_sys_content_t /etc/letsencrypt/live/

    This command updates the SELinux context for the Let’s Encrypt directory and its contents to allow Apache to access them.

  4. Apache and OpenSSL Compatibility: Verify that the Apache HTTP Server version and the OpenSSL version on Fedora 38 are compatible with each other. In some cases, an upgrade might introduce changes that affect the compatibility between Apache and OpenSSL. Ensure that both Apache and OpenSSL are up to date and compatible.
  5. Verify Let’s Encrypt Certificates: Double-check that the Let’s Encrypt certificates are still valid and have not expired. You can use the Certbot command to view the certificate details:
    sudo certbot certificates

    This command will display information about the installed certificates, including their expiration dates. If the certificates have expired, you need to renew them using Certbot.

  6. Check Apache Error Logs: Review the Apache error logs (/var/log/httpd/error_log or /var/log/apache2/error.log) for any error messages related to SSL/TLS or Let’s Encrypt. The logs might provide additional information about the issue, such as permission errors or SSL configuration problems.

By following these troubleshooting steps, you should be able to identify and resolve the issue with Apache HTTP Server not honoring the Let’s Encrypt keys after upgrading Fedora Server to version 38.
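The following diagnostic script is an added example, not part of the original post: it automates steps 1, 3 and 5 above for one site (readable key and chain files, SELinux AVC denials against httpd in the audit log, and days until the certificate expires). It assumes POSIX sh, grep, openssl and GNU date, and the example paths and the script name check-le.sh are placeholders.

```sh
#!/bin/sh
# Added diagnostic script, not from the original post: it automates the post's
# steps 1, 3 and 5 for one site. Assumes POSIX sh, grep, openssl and GNU date;
# the audit log is auditd's native format. Usage (paths are examples):
#   sudo sh check-le.sh /etc/letsencrypt/live/example.com /var/log/audit/audit.log

# Step 1: the chain and private key must exist and be readable. Run it as the
# httpd user (sudo -u apache ...) to test the same permissions httpd gets.
check_cert_files() {
    for f in "$1/fullchain.pem" "$1/privkey.pem"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Step 3: count AVC denials in which httpd was refused access to something under
# /etc/letsencrypt or to a .pem file. Prints the count; returns 1 if any.
count_httpd_letsencrypt_denials() {
    n=$(grep -Ec 'type=AVC.*denied.*comm="httpd".*(letsencrypt|\.pem)' "$1" 2>/dev/null || true)
    echo "${n:-0}"
    [ "${n:-0}" -eq 0 ]
}

# Step 5: whole days until the leaf certificate's notAfter (negative = expired).
# fullchain.pem lists the leaf first, which is the one openssl x509 reads.
cert_days_left() {
    end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    echo $(( ($(date -u -d "$end" +%s) - $(date -u +%s)) / 86400 ))
}

main() {
    live_dir=$1; audit_log=${2:-/var/log/audit/audit.log}; rc=0
    check_cert_files "$live_dir" || rc=1
    denials=$(count_httpd_letsencrypt_denials "$audit_log" || true)
    if [ "$denials" -gt 0 ]; then
        echo "$denials SELinux denial(s) for httpd; inspect with: ausearch -m avc -c httpd" >&2
        rc=1
    fi
    if [ -r "$live_dir/fullchain.pem" ]; then
        days=$(cert_days_left "$live_dir/fullchain.pem")
        echo "certificate expires in $days day(s)"
        [ "$days" -gt 0 ] || rc=1
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit means at least one of the three checks failed; the messages on stderr say which one.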
