When installing your new SSL certificate, after reloading or restarting Apache, are you getting “failed to retrieve rpm info”?

Don’t panic, it’s just SELinux playing with you.

First, install policycoreutils-gui in order to have a more explicit error message (and also because it helps manipulating

$> yum -y install policycoreutils-gui

Now try again to reload or restart your Apache service, and look at the details of the error:

$> journalctl -xe
...
juil. 05 12:35:44 yourvm setroubleshoot[37299]: failed to retrieve rpm info for /etc/certs/yourdomain.com.crt
juil. 05 12:35:44 yourvm dbus-daemon[1038]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.419' (uid=991 pid=37299 comm="/usr/libexec/pla>
juil. 05 12:35:45 yourvm dbus-daemon[1038]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
juil. 05 12:35:46 yourvm setroubleshoot[37299]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/certs/yourdomain.com.crt. For complete SELinux messages run: sealert -l>
juil. 05 12:35:46 yourvm setroubleshoot[37299]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/certs/yourdomain.com.crt.
...

Nice, now we have another message that talks about SELinux.

You can also get a more precise error log from the SELinux alert output:

$> sealert -a /var/log/audit/audit.log | less

The solution is to set the SELinux security context of the file causing the problem.

You can use the chcon command (short for “change context”), but the context label on the file will not persist after a reboot of your machine:

$> chcon -R -t httpd_sys_content_t /etc/certs/yourdomain.com.crt

The best way is to set it permanently, like this:

$> semanage fcontext -a -t httpd_sys_content_t "/etc/certs/yourdomain.com.crt"
$> restorecon -v /etc/certs/yourdomain.com.crt
$> ls -Z /etc/certs/yourdomain.com.crt

semanage sets the context permanently: the rule survives a filesystem relabelling and also a restorecon command, which restores the default SELinux security context.

The -a (--add) option adds a context entry.

The -t (--type) option specifies the context type, here httpd_sys_content_t.

The -Z option makes ls display each file's security label.

If you want to apply semanage to a whole directory, you can do this:

$> semanage fcontext -a -t httpd_sys_content_t "/etc/certs(/.*)?"
$> restorecon -R -v /etc/certs

Then reload (or restart) your Apache service, and the error is gone!
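The whole diagnosis-and-fix loop above can be scripted. The following is an added example, not part of the original post: it scans an audit.log-style file for AVC denials where the source context is httpd_t, prints each denied path with the type part of its current label, and emits the semanage/restorecon commands from this post for it. The audit lines, paths and labels inside it are constructed samples, and the function names (httpd_denied_paths, suggest_fix) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise AVC denials against
# httpd from an audit.log-style file and print persistent relabelling commands.
# All paths, inode numbers and labels below are constructed sample data.

# Constructed sample lines in the format auditd writes to /var/log/audit/audit.log.
# Two denials for httpd_t on files still labelled etc_t, plus one unrelated sshd
# denial that the filter must ignore.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1625481344.123:456): avc:  denied  { getattr } for  pid=37299 comm="httpd" path="/etc/certs/yourdomain.com.crt" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1625481344.125:457): avc:  denied  { read } for  pid=37299 comm="httpd" path="/etc/certs/yourdomain.com.key" dev="dm-0" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1625481350.000:458): avc:  denied  { write } for  pid=1234 comm="sshd" path="/var/log/foo" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
)

# httpd_denied_paths FILE
# Print "<path> <type>" once per distinct file that httpd_t was denied access
# to, where <type> is the type field of the file's current label (tcontext).
httpd_denied_paths() {
    grep 'type=AVC' "$1" \
      | grep 'scontext=[^ ]*:httpd_t:' \
      | sed -n 's/.*path="\([^"]*\)".*tcontext=[^ ]*:\([a-z_]*_t\):.*/\1 \2/p' \
      | sort -u
}

# suggest_fix FILE
# For each denied path, print the persistent labelling commands used in the
# post (semanage fcontext + restorecon). Nothing is executed; review, then run.
suggest_fix() {
    httpd_denied_paths "$1" | while read -r path type; do
        printf '# %s is currently labelled %s\n' "$path" "$type"
        printf 'semanage fcontext -a -t httpd_sys_content_t "%s"\n' "$path"
        printf 'restorecon -v "%s"\n' "$path"
    done
}

# Usage: ./avc_fix.sh --demo        (runs against the constructed sample)
#        ./avc_fix.sh /var/log/audit/audit.log
case "${1:-}" in
    --demo)
        tmp=$(mktemp)
        printf '%s\n' "$SAMPLE_AUDIT" > "$tmp"
        suggest_fix "$tmp"
        rm -f "$tmp"
        ;;
    "") ;;
    *)  suggest_fix "$1" ;;
esac
```

The script only prints the commands so that you can check each path before relabelling it. One thing to verify while reviewing: httpd_sys_content_t is the label for content Apache serves, which is what the post uses; the stock policy keeps certificates and private keys under /etc/pki/tls labelled cert_t, which httpd_t can also read, so for a key file that type is the more restrictive choice.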