artefactual-labs / ansible-acmetool

An Ansible role for installing the acmetool Let's Encrypt client
GNU Affero General Public License v3.0

SELinux doesn't allow loading the certificate #28

Open mamedin opened 2 weeks ago

mamedin commented 2 weeks ago

When using SELinux in enforcing mode, you can get this error:

    [root@localhost]# tail /var/log/nginx/error.log
    2024/10/03 03:24:01 [emerg] 18385#18385: chown("/dev/null", 996) failed (13: Permission denied)
    2024/10/03 08:21:13 [emerg] 25773#25773: cannot load certificate "/var/lib/acme/live/XXXXXXXXX/fullchain": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/var/lib/acme/live/XXXXXXXXX/fullchain','r') error:2006D002:BIO routines:BIO_new_file:system lib)
    2024/10/03 08:21:48 [emerg] 25799#25799: cannot load certificate "/var/lib/acme/live/XXXXXXXXXX/fullchain": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/var/lib/acme/live/XXXXXXXXXXXXX/fullchain','r') error:2006D002:BIO routines:BIO_new_file:system lib)
    2024/10/03 08:22:44 [emerg] 25864#25864: cannot load certificate "/var/lib/acme/live/XXXXXXXXX/fullchain": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/var/lib/acme/live/XXXXXXXXXXX/fullchain','r') error:2006D002:BIO routines:BIO_new_file:system lib)
    [root@sfu-test-atom sites-enabled]# ls /var/lib/acme/live/XXXXXXXXX/fullchain

Fixed with:

    sudo chcon -t httpd_sys_content_t /var/lib/acme/live/*/*
    sudo service nginx restart
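As an added triage example (not part of this issue or the role), a Python helper that scans nginx error-log lines like the ones above for certificate loads refused with "Permission denied" and derives the acmetool store that needs relabelling. The sample log is constructed from the lines in the issue with the masked hostnames replaced by example domains; the generated commands relabel the whole `/var/lib/acme` tree with `chcon -R` instead of the per-file glob used above.

```python
"""Triage helper: find nginx certificate-load failures caused by a file permission
denial (the SELinux symptom in the issue) in an nginx error log and derive the
acmetool store that needs relabelling."""
import re
from pathlib import PurePosixPath

# Matches the [emerg] line nginx writes when BIO_new_file() cannot open a certificate.
CERT_LOAD_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[emerg\] (?P<pid>\d+)#\d+: '
    r'cannot load certificate "(?P<path>[^"]+)": .*Permission denied'
)

# Constructed sample log, modelled on the lines in the issue (hostnames replaced).
SAMPLE_LOG = """\
2024/10/03 03:24:01 [emerg] 18385#18385: chown("/dev/null", 996) failed (13: Permission denied)
2024/10/03 08:21:13 [emerg] 25773#25773: cannot load certificate "/var/lib/acme/live/example.org/fullchain": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/var/lib/acme/live/example.org/fullchain','r') error:2006D002:BIO routines:BIO_new_file:system lib)
2024/10/03 08:22:44 [emerg] 25864#25864: cannot load certificate "/var/lib/acme/live/example.net/fullchain": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/var/lib/acme/live/example.net/fullchain','r') error:2006D002:BIO routines:BIO_new_file:system lib)
2024/10/03 08:30:00 [notice] 25900#25900: signal process started
"""


def find_denied_cert_loads(log_text):
    """Return (timestamp, pid, cert_path) for each cert-load failure with EACCES."""
    hits = []
    for line in log_text.splitlines():
        m = CERT_LOAD_RE.match(line)
        if m:
            hits.append((m.group("ts"), int(m.group("pid")), m.group("path")))
    return hits


def acme_live_roots(paths, store="/var/lib/acme"):
    """Map each failing cert path to the acmetool store it lives in, so the whole
    tree (not a single file) gets relabelled; paths outside the store are reduced
    to their parent directory for manual review."""
    roots = set()
    for p in paths:
        pp = PurePosixPath(p)
        roots.add(store if PurePosixPath(store) in pp.parents else str(pp.parent))
    return sorted(roots)


def remediation_commands(log_text):
    """Commands mirroring the fix in the issue: relabel the store, restart nginx."""
    hits = find_denied_cert_loads(log_text)
    cmds = [f"sudo chcon -R -t httpd_sys_content_t {r}"
            for r in acme_live_roots(h[2] for h in hits)]
    if cmds:
        cmds.append("sudo service nginx restart")
    return cmds
```

Run it against a real `/var/log/nginx/error.log` by passing the file contents to `remediation_commands`; the `chown("/dev/null")` line is deliberately ignored because it is not a certificate-load failure.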
mamedin commented 2 weeks ago

It could be fixed with:

        # Persistent SELinux file-context rule so nginx (httpd_t) may read the acmetool store
        - name: "SELinux: set file context to allow nginx access LE cert dir"
          community.general.sefcontext:
            target: "/var/lib/acme(/.*)?"
            setype: "httpd_sys_content_t"
            state: "present"
        # sefcontext only records the rule; relabel existing files so it takes effect now
        - name: "SELinux: apply the new file context to existing cert files"
          ansible.builtin.command: restorecon -Rv /var/lib/acme

(Done in uvic playbook)