nginx: [emerg] cannot load certificate “/etc/nginx/ssl/a.pem”: BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen(‘/etc/nginx/ssl/a.pem’,‘r’) error:2006D002:BIO routines:BIO_new_file:system lib)
Scenes
nginx cannot be accessed after configuring ssl
1. 确认443端口已开放
2. ssl 证书有效
3. nginx -t 检测正常
nginx -s reload has no exception, other domain names can also be accessed normally
Use systemctl status nginx to check the status and find exceptions
Sep 01 10:42:55 instance-1 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Sep 01 10:42:55 instance-1 nginx[5131]: nginx: [emerg] cannot load certificate "/etc/nginx/ssl/a.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission deni...file:system lib)
Sep 01 10:42:55 instance-1 nginx[5131]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 01 10:42:55 instance-1 systemd[1]: nginx.service: control process exited, code=exited status=1
Sep 01 10:42:55 instance-1 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Sep 01 10:42:55 instance-1 systemd[1]: Unit nginx.service entered failed state.
Sep 01 10:42:55 instance-1 systemd[1]: nginx.service failed.
solve
It may be that SELinux is turned on, causing no permission to read the certificate.
# 查看是否打开
sestatus -v
SELinux status: enabled
If the status is disabled, it means it is closed. There is no need to look down.
# 查看
ls -lrtZ /etc/nginx/ssl/a.pem
# 恢复正确的 SELinux type
restorecon -v -R /etc/nginx/ssl/a.pem
Restart nginx and it should be fine
Other issues that may arise
nginx -s reload is invalid. It may be due to the following reasons. It is recommended to directly use systemctl restart nginx to restart.
1. nginx版本不支持 reload 命令。
2. nginx配置过程中产生了错误。
3. nginx配置文件或其他相关文件的权限不正确。