Use Let’s Encrypt for ssl certificate

From this web site follow the instructions to update your server web environment:

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot python2-certbot-apache

then run this for the website sample.lu

 certbot certonly --apache -d pennellificioeurope.it -d www.pennellificioeurope.it

or

certbot run -a webroot -i apache -w /path_to_web -d solci.eu -d www.solci.eu

this the result

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator webroot, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to

cancel): postmaster@saic.it

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

(A)gree/(C)ancel: A

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

(Y)es/(N)o: Y

Starting new HTTPS connection (1): supporters.eff.org

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for sample.lu

http-01 challenge for www.sample.lu

Using the webroot path /var/www/sample.lu/web for all unmatched domains.

Waiting for verification…

Cleaning up challenges

Resetting dropped connection: acme-v02.api.letsencrypt.org

Deploying Certificate to VirtualHost /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

Deploying Certificate to VirtualHost /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

1: No redirect – Make no further changes to the webserver configuration.

2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you’re confident your site works on HTTPS. You can undo this

change by editing your web server’s configuration.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

Redirecting vhost in /etc/httpd/conf/sites-enabled/100-sample.lu.vhost to ssl vhost in /etc/httpd/conf/sites-enabled/100-sample.lu.vhost

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Congratulations! You have successfully enabled https://sample.lu and

https://www.sample.lu

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=sample.lu

https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.lu

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

IMPORTANT NOTES:

– Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/sample.lu/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/sample.lu/privkey.pem

   Your cert will expire on 2019-06-11. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the “certonly” option. To non-interactively renew *all* of

   your certificates, run 

sudo certbot renew –dry-run

for test

sudo certbot renew

for prod

or

/opt/certbot/certbot-auto renew -i apache -a webroot

single domain CORRECT to USE

certbot --apache certonly -n -d domain.com

remember to deactivate cloudfare dns proxy CDN and to deactivate any apache tomcat redirection before to run the renew.

– Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

– If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

To renew seafile.saic.it do : 

mv /etc/httpd/conf.d/seafile.conf /etc/httpd/conf.d/seafile.conf.tmp

service httpd restart

/opt/certbot/certbot-auto renew -i apache -a webroot

service httpd restart

mv /etc/httpd/conf.d/seafile.conf.tmp /etc/httpd/conf.d/seafile.conf

To update an existing domain with adding a new subdomain

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

Example:

certbot --expand -d existing.com,example.com,newdomain.com

If you prefer, you can specify the domains individually like this:

certbot --expand -d existing.com -d example.com -d newdomain.com

TO DELETE THE CERTIFICATE:

1. Verifica l’elenco dei certificati gestiti da Certbot

Esegui il comando seguente per visualizzare tutti i certificati attualmente gestiti da Certbot:

certbot certificates

Troverai una lista dei certificati attivi, con informazioni come il dominio principale, eventuali domini aggiuntivi, e il percorso del file di configurazione.

2. Identifica il certificato da rimuovere

Annota il nome del dominio o il cert name associato al certificato che desideri rimuovere.

3. Elimina il certificato

Per rimuovere il certificato e la sua configurazione dai rinnovi automatici, usa il comando:

certbot delete --cert-name nome-certificato

Sostituisci nome-certificato con il valore del Cert Name trovato nel passo precedente.

 

 

from here 

certbot docs

Linux Access to shared Windows Folder command

mount -t cifs //192.168.51.21/SWIFT-production/ /mnt/SWIFT-production -o user=foras,domain=farad.local

to give all permission

mount -t cifs //192.168.51.21/SWIFT-production/ /mnt/SWIFT-production -o user=foras,domain=farad.local,rw,file_mode=0777,dir_mode=0777

remove user tomcat from group root : gpasswd -d tomcat root

unmount with force a folder : umount -f -l /mnt/SWIFT-production/ 

 

Yum Errors

[Errno 14] HTTP/HTTPS Error 404

[Errno 14] PYCURL ERROR 22 – “The requested URL returned error: 403”

[Errno 14] Error 60 – It was impossible to connect to the CentOS servers

Summary

When trying to install or update packages using yum on client systems, yum is failing with one of the following errors:

[Errno 14] HTTP Error 404: Not Found
[Errno 14] HTTPS Error 404 - Not Found
[Errno 14] HTTP Error 404: Status 404
[Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403"
[Errno 14] Error 60 - It was impossible to connect to the CentOS servers

Leading Causes

1. You are not connected to the internet.

2. This issue can also occur if the system is able to communicate with given server but could not find or access the requested package or path on the server.

3. You have a misconfigured proxy server.

Fixes

1. Validate the system can see things on the internet.

2. This issue can also occur due to corruption of the local machine cache, try to clear cache on system:

yum clean all 
rm -rf /var/cache/yum/*

3. If you have a proxy server, validate it is configured properly in /etc/yum.conf. Here is an example (your names, passwords, and port numbers will obviously be different).

proxy=http://mystuff.mydomain.com:1234
# Account details for yum connections
proxy_username=proxy-user
proxy_password=proxy-password

If that does not work or if you still need help, try one of our community help platforms:

Setup sftp user

List of user’s group
# groups username

# adduser username -g sftp -s /sbin/nologin
# passwd username

in general to add a new group

# groupadd

in general to add user to a group

#usermod -G group username

Open and add the following lines to /etc/ssh/sshd_config configuration file:

list of groups and its users
#  cat /etc/group

Subsystem sftp internal-sftp
 
   Match Group sftp
   ChrootDirectory /home/%u
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

# systemctl restart sshd
OR
# service sshd restart

then check the user home directory permissions
# ls /home/ -ltra
in case run this
# chmod 755 /home/username/
# chown root:sftp /home/username/ -Rf
# chown username:sftp /home/username/basedir

I had this error when I tried to create folder in basedir:
mkdir /New directory: permission denied

after googlig a lot I found this here (Thanks):
# setsebool -P ssh_chroot_rw_homedirs on
# restorecon -R /home/username
After this, sftp works as expected, even when chrooted, without having to disable SELinux completely.

——other explanation——

This tutorial will help you to create SFTP only user (without ssh access) on CentOS and RedHat systems. The user can connect the server with SFTP access only and allowed to access the specified directory. User can’t SSH into the server. Follow the below tutorial to create sftp only account.

Step 1 – Create Account

First of all, create a user account to use for sftp access. Below command will create user named sftpuser with no shell access.

sudo adduser --shell /bin/false sftpuser
sudo passwd sftpuser

Step 2 – Create Directory

Now, create the directory structure to be accessible by sftp user.

sudo mkdir -p /var/sftp/files

Change the ownership of the files directory to sftp user. So that sftpuser can read and write on this directory.

sudo chown sftpuser:sftpuser /var/sftp/files

And set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group member and other account have only read and execute permissions.

sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Step 3 – Configure SSH for SFTP

Now edit the SSH configuration file in a text editor

sudo vim /etc/ssh/sshd_config

and add the following settings at end of file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the configuration and restart SSH service to apply changes.

sudo systemctl restart sshd.service