This took a couple days of Binging and hacking, but I finally got WordPress to auto-update on CentOS 7 with SSL and without disabling SELinux.
Update 1: I should note, this is for self-hosted WordPress users.
(Anything in brackets [] is up to you to choose)
WordPress 4.4 requires FTP access to the server in order to update itself.
vsFTPd with SSL
To keep things secure, I’ve set up vsftpd with chroots (to prevent FTP accounts from going outside of where they should be) and SSL.
Install vsftpd
sudo yum install vsftpd
Edit the configuration file
sudo nano /etc/vsftpd/vsftpd.conf
The following options should already be in your config file and can just be changed:
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
The rest should be added to the bottom of the config file.
I’m assuming you already have an SSL cert you are using for your website. You can use this cert for vsftpd as well.
# Keep non-chroot listed users jailed
allow_writeable_chroot=YES
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/[your ssl cert].crt
rsa_private_key_file=/etc/pki/tls/private/[your ssl cert key].key
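Before starting the service, it is worth confirming that the file really ends up with the settings above, since a later duplicate line or a commented-out option silently changes the result. The script below is an added example, not part of the original post; the function names conf_value, check_vsftpd_conf and sample_conf and the sample config are made up for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): audit a vsftpd.conf for the
# hardening settings listed above. Unset options count as failures so the
# result does not depend on vsftpd's built-in defaults.

# Print the effective value of option $2 in file $1. vsftpd reads the file top
# to bottom, so the last uncommented "key=value" line is the one that applies.
conf_value() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '\r' | tr 'a-z' 'A-Z'
}

# Print one FAIL line per mismatch; return 0 only if every setting matches.
check_vsftpd_conf() {
    local conf="$1" failures=0 pair key want got
    for pair in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, found ${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample: the post's settings, except that a later line turns
# force_local_data_ssl back off and ssl_sslv3 is only present as a comment.
sample_conf() {
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        chroot_local_user=YES allow_writeable_chroot=YES ssl_enable=YES \
        allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
        ssl_tlsv1=YES ssl_sslv2=NO '#ssl_sslv3=NO' force_local_data_ssl=NO
}

tmp=$(mktemp)
sample_conf > "$tmp"
check_vsftpd_conf "$tmp" || echo "sample config needs fixing"
rm -f "$tmp"
```

To audit the real file, call check_vsftpd_conf /etc/vsftpd/vsftpd.conf (with sudo if the file is not readable by your user).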
Now you can enable and start the FTP server
sudo systemctl enable vsftpd
sudo systemctl start vsftpd
Next, create a user that will be used for FTP.
It’s important to set the home directory with the “-d” option to where your website files are. I’m assuming the default /var/www/html.
sudo adduser -d /var/www/html [ftp-user]
Set a password for the user. Make sure to choose something secure!
sudo passwd [ftp-user]
Add the user to the apache group, so that it will have write access to /var/www/html/*
sudo gpasswd -a [ftp-user] apache
Make sure that apache has read/write to the WordPress files
sudo chown -R apache:apache /var/www/html/*
sudo chmod -R g+w /var/www/html/*
SELinux
To the best of my knowledge, these are the SELinux commands necessary both for vsftpd and for Apache to FTP into the server and update itself.
SELinux booleans to enable the functionality we need
sudo setsebool -P ftp_home_dir=on
sudo setsebool -P ftpd_full_access=on
sudo setsebool -P httpd_can_network_connect=on
sudo setsebool -P httpd_can_connect_ftp=on
SELinux needs to be told that Apache has permission to write the files in /var/www/html and its subfolders
sudo chcon -R -v -t httpd_sys_rw_content_t /var/www/html
Let’s test the FTP server to make sure you can connect
First, install the lftp client
sudo yum install lftp
Connect to the FTP server
lftp -d -u [ftp-user] -e 'set ftp:ssl-force true' 127.0.0.1
Run
ls
and make sure you get a directory listing. If not, you’ll need to use the debug data printed to troubleshoot further (I sure did, I hope you won’t).
Assuming that works, the last step is to edit wp-config.php with the FTP server settings
sudo nano /var/www/wp-config.php
Under the database settings, add a section:
/*** FTP login settings ***/
define("FTP_HOST", "127.0.0.1");
define("FTP_USER", "[ftp-user]");
define("FTP_PASS", "[ftp-user-password]");
It may not be necessary, but I like to restart Apache just to be sure
sudo systemctl restart httpd
Finally, log into WordPress and try to update something simple, like a theme or plugin. It should work!