Almost every website requires the use of SSL certificates to secure their content, and NGINX is a popular web server, for this purpose, by most websites these days. Although it is fairly easy to setup SSL certificates to be loaded via NGINX, sometimes you will find that it is unable to do so, even if the SSL certificate files are right where you have mentioned in NGINX configuration. In this article, we will learn how to fix NGINX unable to load SSL certificate.
How to Fix NGINX Unable to Load SSL Certificate
The main reason why NGINX is unable to load SSL certificate is because it does not have the right permissions or ownership.
1. Check file ownership and permissions
The most common reason why this happens is because NGINX does not have the permission to read these files. When you run NGINX server it runs as a specific Linux user on your system. If that user does not have the permission and/or ownership to access your SSL certificate files it will be unable to load them. Run the following command to check the username of NGINX process.
# ps aux | grep nginx
Let us say your certificate files are located at /etc/nginx/ssl. Run the following command to check its ownership and permissions.
# ls -l -rwx------ 1 root root 1346 Sep 3 14:36 server.crt -rwx------ 1 root root 1115 Sep 3 14:36 server.csr -rwx------ 1 root root 1743 Sep 3 14:35 server.key
As you can see in above sample output, only root user has the permission to read these files. If that is the case, then you need to run NGINX server as root user or change the permission and ownership of your certificate files to allow your present NGINX user to be able to read them.
Here is an example to make www-data as the owner of these files and allow it to read these files. www-data is the typical username used by servers like Apache and NGINX to run their processes.
# chown www-data:www-data -R /etc/nginx/ssl # chmod 755 -R /etc/nginx/ssl
If you want to be more restrictive, you can use 744 or 740 as permission. Basically, you just need to ensure that non-root users do not have write permission to these files.
Also, when creating SSL certificate, make sure you do not set a passphrase for the key. Else NGINX will need to pass the passphrase every time it accesses the key. If you have not setup NGINX to automatically do this, then it will be unable to load SSL certificate. So it is better to avoid passphrase while creating secret key for SSL certificates.
2. Check SELinux
In some cases, SELinux may be in enforcing mode, so it prevents NGINX access to SSL certificate files. Run the following command to check it.
# sestatus -v
Then check audit logs to get the type of enforcement used by SELinux to prevent access to SSL certificates.
# ausearch -m avc -ts today | audit2allow
Check the security configuration of SSL files with the following command.
# ls -lrtZ /etc/nginx/ssl/*
If needed, you can correct it with the following command.
$ restorecon -v -R /etc/nginx/ssl
In this article, we have learnt a couple of simple ways to fix the problem when NGINX is unable to load SSL certificate.
How to Fix Server Quit Without Updating PID MySQL Error
How to Change Apache Config Without Restarting
How to Change NGINX Config Without Restarting
How to Get Selected Text from Dropdown in jQuery