Information Security

SELinux and Apache

When the server has SELinux enabled, I can't even change the location of DocumentRoot. It kept giving me an error: "DocumentRoot /var/www/newdir/html does not exist".

This is because the SELinux policy denies httpd access by default to any file that does not carry a label httpd is permitted to read.

Instead of disabling SELinux, we can toggle the relevant SELinux boolean settings.

To see all SELinux values, do:
root# getsebool -a

To see all the apache related SELinux boolean values, do:
root# getsebool -a | grep httpd

Enable SSL on Apache-2.2

This is recorded on CentOS-5, Apache-2.2.3. See also my notes on enabling SSL on Apache 2.0.63.

Install httpd and mod_ssl:
root# yum install httpd mod_ssl
root# mkdir /etc/httpd/ssl
root# cd /etc/httpd/ssl
root# vi openssl.cnf

Enter your openssl.cnf content here, then generate a private key:
root# openssl genrsa -des3 -out server.key 1024

CentOS: Disable Unneeded Services at Boot Time

Determine which Services are Enabled at Boot

Run the command:
# chkconfig --list | grep :on

The first column of this output is the name of a service which is currently enabled at boot. Review each listed service to determine whether it can be disabled.

If it is appropriate to disable some service srvname, do so using the command:
# chkconfig srvname off
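As an added example (not from the original notes): a small POSIX sh audit that reads "chkconfig --list" output, flags every service enabled in runlevel 3 or 5 that is not on an allowlist, and prints the matching "chkconfig ... off" commands for review. The allowlist and the sample output are constructed, so adjust them for your host.

```sh
#!/bin/sh
# Audit chkconfig --list output against an allowlist of boot-time services.
# ALLOWED and SAMPLE are constructed for this example; replace ALLOWED with the
# services your host really needs and feed real `chkconfig --list` output.

ALLOWED="sshd syslog crond network httpd"

# Constructed sample in the format chkconfig prints on CentOS 5.
SAMPLE='httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:  off'

# is_allowed NAME -> returns 0 if NAME is in ALLOWED, 1 otherwise.
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# unexpected_services: reads chkconfig --list output on stdin and prints, one
# per line, each service enabled in runlevel 3 or 5 that is not allowlisted.
unexpected_services() {
    while read -r name rest; do
        case "$name" in
            ''|*:) continue ;;   # blank lines and xinetd entries ("rsync:")
        esac
        case "$rest" in
            *3:on*|*5:on*) is_allowed "$name" || echo "$name" ;;
        esac
    done
}

# suggest_commands: prints the disable command for each unexpected service.
# It only prints; review the list before running any of them.
suggest_commands() {
    unexpected_services | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

printf '%s\n' "$SAMPLE" | suggest_commands
```

On a live host, replace the sample with "chkconfig --list | suggest_commands" after setting ALLOWED.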

Enable Apache HTTPS

This is recorded from CentOS4, httpd-2.0.63.

To start, we make sure we have httpd and mod_ssl installed:

# yum install httpd mod_ssl
# cd /etc/httpd/conf
# vi openssl.conf

After entering your copy of openssl.conf, modify the Makefile: in the section for the target "$(CRT):", append two lines:

        cp $(KEY) $(KEY).orig
        openssl rsa -in $(KEY) -out $(KEY)

Now we can create the CSR:

Screenshot: Untrust CNNIC from Mac OS's Keychain Access

If you use Firefox/Thunderbird on Mac OS, you still need to untrust the CNNIC certs by following the steps in Screenshot: Remove CNNIC from Firefox and Thunderbird.

In Mac OS X: Click Applications -> Utilities -> Keychain Access -> Certificates -> (expand with V button below) -> System Roots -> (Unlock, top left) -> Double-click the cert -> Trust -> When using this Certificate -> Never Trust.

Screenshot: Remove CNNIC from Firefox and Thunderbird

Instead of removing CNNIC certificates from your system, we should mark them as "untrusted". This way, when your system updates its certificates, they will not slip back in. As a precaution, you might want to form the habit of periodically checking the trusted certificates installed on your system.

Remove CNNIC CA

Mozilla and Microsoft have added the CNNIC root CA to the browser's Authorities and CA directory. Chinese users are rushing to remove it from their computers. Here is a post on how to do it (in Chinese).

Discussions can be found here:

CONFIG_SYSFS_DEPRECATED

When you compile a program that needs to include kernel sources, the build may sometimes emit a warning like the one below:

 *   CONFIG_SYSFS_DEPRECATED:     should not be set. But it is.
 *   CONFIG_SYSFS_DEPRECATED_V2:     should not be set. But it is.

To fix this, you will need to recompile your kernel using menuconfig, and find

Support dm-crypt in Linux Kernel

When you compile your own kernel, in order to enable support for dm-crypt, please make sure you check

Device Drivers --->
     [*] Multiple devices driver support (RAID and LVM) --->
        <*> Device mapper support
        <*> Crypt target support

 

Securing MySQL

Remove MySQL from network

By default, MySQL listens on port 3306. Stop it from listening on any TCP/IP port if you don't use it over the network.

# vi /etc/my.cnf

Change
#skip-networking
to
skip-networking

Secure the user accounts

A default install of MySQL is somewhat lacking in security. To fix that we are going to do the following: