When configuring SSL/TLS in Nginx, one of the most common yet frustrating errors is the permission denial when accessing certificate files. The error message typically appears as:
nginx[30854]: nginx: [emerg]
SSL_CTX_use_certificate_chain_file("/etc/nginx/demo.crt") failed
(SSL: error:0200100D:system library:fopen:Permission denied...e:system lib)
nginx[30854]: nginx: configuration file /etc/nginx/nginx.conf test failed
Nginx worker processes run under a specific user (usually nginx or www-data) that needs read access to both the certificate (.crt) and private key (.key) files. The default permission 640 for root ownership often causes this issue.
Here's what your file permissions might look like:
ls -l /etc/nginx/ssl/
-rw-r--r-- 1 root root 1679 Sep 20 demo.key
-rw-r--r-- 1 root root 1346 Sep 20 demo.crt
The most secure approach is to:
- Create a dedicated SSL directory
- Set proper ownership
- Apply restrictive permissions
sudo mkdir /etc/nginx/ssl
sudo chown root:nginx /etc/nginx/ssl
sudo chmod 750 /etc/nginx/ssl
sudo mv /etc/nginx/demo.* /etc/nginx/ssl/
sudo chmod 640 /etc/nginx/ssl/demo.key
sudo chmod 644 /etc/nginx/ssl/demo.crt
On Fedora systems, SELinux adds another layer of security that might block access:
sudo chcon -R -t httpd_sys_content_t /etc/nginx/ssl/
sudo restorecon -Rv /etc/nginx/ssl/
After making changes, always test:
sudo nginx -t
sudo systemctl restart nginx
Check the status with:
systemctl status nginx.service
journalctl -xe
If you still face issues, consider these approaches:
# Option 1: Add nginx user to root group (not recommended for production)
sudo usermod -a -G root nginx
# Option 2: Relax permissions temporarily for debugging
sudo chmod 644 /etc/nginx/ssl/demo.key
- Never use 777 permissions
- Keep private keys truly private (600 permissions)
- Use separate certificates for different domains
- Consider using Let's Encrypt with certbot for automated management
When configuring SSL/TLS with Nginx, a common but frustrating error occurs when the web server cannot access certificate files due to permission restrictions. The error message typically looks like this:
nginx[30854]: nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/nginx/demo.crt")
failed (SSL: error:0200100D:system library:fopen:Permission denied...e:system lib)
On Linux systems, Nginx typically runs under a dedicated user (usually nginx or www-data). The current file permissions (-rw-r--r--. 1 root root) only allow root to write, while others can only read. However, SELinux (on Fedora/RHEL) or directory permissions may prevent even read access.
Here's how to properly fix this with security in mind:
# 1. Verify Nginx running user (common variations)
ps aux | grep nginx
cat /etc/nginx/nginx.conf | grep user
# 2. Set correct ownership (adjust user/group for your system)
sudo chown nginx:nginx /etc/nginx/demo.crt
sudo chown nginx:nginx /etc/nginx/demo.key
# 3. Set restrictive permissions (certs shouldn't be world-readable)
sudo chmod 640 /etc/nginx/demo.crt
sudo chmod 640 /etc/nginx/demo.key
# 4. For SELinux systems (Fedora/RHEL):
sudo chcon -Rt httpd_sys_content_t /etc/nginx/demo.crt
sudo chcon -Rt httpd_sys_content_t /etc/nginx/demo.key
For production environments, consider these security practices:
# Create dedicated SSL directory with proper permissions
sudo mkdir /etc/nginx/ssl
sudo chown root:nginx /etc/nginx/ssl
sudo chmod 750 /etc/nginx/ssl
# Move certificates to secure location
sudo mv /etc/nginx/demo.* /etc/nginx/ssl/
# Update nginx.conf accordingly
ssl_certificate /etc/nginx/ssl/demo.crt;
ssl_certificate_key /etc/nginx/ssl/demo.key;
If problems continue:
# Check directory permissions (execute bit required for path traversal)
namei -l /etc/nginx/ssl/demo.crt
# Verify SELinux context
ls -Z /etc/nginx/ssl/demo.crt
# Test Nginx configuration
sudo nginx -t
# Check audit logs for SELinux denials
sudo ausearch -m avc -ts recent | grep nginx