LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 09-13-2019, 06:54 PM   #1
tenraek
LQ Newbie
 
Registered: Mar 2003
Posts: 26

Rep: Reputation: 16
Colleague thought /etc/pki/~ was redundant du to Letsencrypt, so they deleted it *Facepalm*,


As the title says, colleague thought that /etc/pki was redundant since we use /etc/letsencrypt/~ so they rm -dr'd the it.

So now (after removing his admin privileges) I'm trying to fix our SSLs.

I decided to go back to square one and removed the Letsencrypt directories with he hopes that if I reran Certbot that fix it, but it came up With the error "SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty"

I tried recreating it manually as well as tried resinstalling Open SSL, but that didn't;t work either.

Can any one tell me what the file and permissions for the path need to be, please and thank you.

here's the full output when I tru to rerun Certbot:

Code:
sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:\nSSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty\n",)
 
Old 09-13-2019, 07:51 PM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,778

Rep: Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263
On my CentOS server, /etc/pki/* directories are 755 and files are 644.
Everything is owned by root.root

I take it you don't have a backup. Doesn't look like those files change very often.
 
Old 09-17-2019, 07:59 PM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
If the whole directory has been deleted, then I'd simply try to copy it from a new Linux installation. It should work without any issues.
cp -a to preserve the permissions or rsync -a, something to that effect.
 
Old 09-18-2019, 09:21 AM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661
Ideally you should be doing regular backups and simply restore your most recent one of /etc/pki.

Failing that, you could do "yum reinstall" of the packages that create /etc/pki and its subdirectories.

On my CentOS7 running "rpm -qf /etc/pki /etc/pki/* /etc/pki/*/* |sort -u" outputs those packages as:
ca-certificates-2017.2.14-71.el7.noarch
centos-release-7-4.1708.el7.centos.x86_64
couchbase-release-1.0-0.x86_64
filesystem-3.2-21.el7.x86_64
nss-3.28.4-15.el7_4.x86_64
openssl-1.0.2k-8.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
rsyslog-8.24.0-12.el7.x86_64

Note that any certificates (root, intermediate or your own domains) you had added after the initial install you'd have to re-add manually after re-install of the packages.
 
Old 09-18-2019, 04:02 PM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
I wanted to say that I suggested copying the directory from a new OS instead of reinstalling the package, because the connection to the repositories might not be secure anymore (which might lead to additional configurations etc.), but then it occurred to me that at least the base repositories use http, not https.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Music mix from a friend/colleague bartgymnast General 1 08-02-2015 04:41 PM
Error: Can't read cert file /etc/pki/tls/certs/cert.pem in Twiki jsaravana87 Linux - Server 1 09-09-2011 06:01 PM
If I have 2 DIMMS of RAM are they redundant? abefroman Linux - Server 5 01-13-2009 09:17 PM
File /etc/pki/tls/certs/ca-bundle.crt conflicts Setya Fedora 1 08-13-2008 10:28 AM
initd vs inetd vs init.d vs inet.d vs xinit.d etc - what are they, how do they differ lefty.crupps Linux - General 5 04-03-2007 02:17 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration