If you’re renewing SSL certificates using a new certificate and intermediate files like yournewcert.crt and newintermediatecert.crt and your Apache isn’t restarting, then this might be the fix for you! First, check your error logs:
tail -50 /var/log/httpd/error_log
If it’s showing an error similar to:
(13)Permission denied: Init: Can't open server certificate file /path/to/cert/yournewcert.crt
The solution that worked for us is typing these commands to change the how SELinux sees your new certificate and intermediate certificate:
chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/cert/yournewcert.crt chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/cert/newintermediatecert.crt
The culprit of this issue is the Security Enhanced Linux (SELinux) which is a Kernel Security Module of various Linux distros. The chcon command assists in changing the SELinux context or TYPE of what is typically just one or occasionally a few files that may be quickly addressed with a wildcard. An erroneous SELinux context can be fixed using chcon, semanage, and restorecon.