Use Let’s Encrypt for ssl certificate

From this web site follow the instructions to update your server web environment:

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot python2-certbot-apache

then run this for the website sample.lu

certbot -i apache -d sample.lu -d www.sample.lu --server https://acme-v02.api.letsencrypt.org/directory -a webroot --webroot-path=/var/www

this the result

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator webroot, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to

cancel): [email protected]

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

(A)gree/(C)ancel: A

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

(Y)es/(N)o: Y

Starting new HTTPS connection (1): supporters.eff.org

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for sample.lu

http-01 challenge for www.sample.lu

Using the webroot path /var/www/sample.lu/web for all unmatched domains.

Waiting for verification…

Cleaning up challenges

Resetting dropped connection: acme-v02.api.letsencrypt.org

Deploying Certificate to VirtualHost /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

Deploying Certificate to VirtualHost /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

1: No redirect – Make no further changes to the webserver configuration.

2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you’re confident your site works on HTTPS. You can undo this

change by editing your web server’s configuration.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

Redirecting vhost in /etc/httpd/conf/sites-enabled/100-sample.lu.vhost to ssl vhost in /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Congratulations! You have successfully enabled https://sample.lu and

https://www.sample.lu

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=sample.lu

https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.lu

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

IMPORTANT NOTES:

– Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/sample.lu/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/sample.lu/privkey.pem

   Your cert will expire on 2019-06-11. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the “certonly” option. To non-interactively renew *all* of

   your certificates, run “certbot renew”

– Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

– If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

Yum Errors

[Errno 14] HTTP/HTTPS Error 404

[Errno 14] PYCURL ERROR 22 – “The requested URL returned error: 403”

[Errno 14] Error 60 – It was impossible to connect to the CentOS servers

Summary

When trying to install or update packages using yum on client systems, yum is failing with one of the following errors:

[Errno 14] HTTP Error 404: Not Found
[Errno 14] HTTPS Error 404 - Not Found
[Errno 14] HTTP Error 404: Status 404
[Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403"
[Errno 14] Error 60 - It was impossible to connect to the CentOS servers

Leading Causes

1. You are not connected to the internet.

2. This issue can also occur if the system is able to communicate with given server but could not find or access the requested package or path on the server.

3. You have a misconfigured proxy server.

Fixes

1. Validate the system can see things on the internet.

2. This issue can also occur due to corruption of the local machine cache, try to clear cache on system:

yum clean all 
rm -rf /var/cache/yum/*

3. If you have a proxy server, validate it is configured properly in /etc/yum.conf. Here is an example (your names, passwords, and port numbers will obviously be different).

proxy=http://mystuff.mydomain.com:1234
# Account details for yum connections
proxy_username=proxy-user
proxy_password=proxy-password

If that does not work or if you still need help, try one of our community help platforms:

Setup sftp user

List of user’s group
# groups username

# adduser username -g sftp -s /sbin/nologin
# passwd username

in general to add a new group

# groupadd

in general to add user to a group

#usermod -G group username

Open and add the following lines to /etc/ssh/sshd_config configuration file:

list of groups and its users
#  cat /etc/group

Subsystem sftp internal-sftp
 
   Match Group sftp
   ChrootDirectory /home/%u
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

# systemctl restart sshd
OR
# service sshd restart

then check the user home directory permissions
# ls /home/ -ltra
in case run this
# chmod 755 /home/username/
# chown root:sftp /home/username/ -Rf
# chown username:sftp /home/username/basedir

I had this error when I tried to create folder in basedir:
mkdir /New directory: permission denied

after googlig a lot I found this here (Thanks):
# setsebool -P ssh_chroot_rw_homedirs on
# restorecon -R /home/username
After this, sftp works as expected, even when chrooted, without having to disable SELinux completely.