====== Runbook: TLS Setup ======

**Duration:** ~15 minutes \\
**Role:** Security administrator \\
**Prerequisite:** Certificate (PFX or PEM+KEY)

Enabling HTTPS for the Data Gateway.

----

===== Workflow =====

<mermaid>
flowchart TD
    A[Start] --> B{Certificate available?}
    B -->|No| C[Obtain certificate]
    B -->|Yes| D[Edit appsettings.json]
    C --> D
    D --> E[Restart Gateway]
    E --> F[Test HTTPS]
    F --> G{Successful?}
    G -->|Yes| H[Disable HTTP]
    G -->|No| I[Check logs]
    H --> J[Done]
    style J fill:#e8f5e9
    style I fill:#ffebee
</mermaid>

----

===== 1. Obtaining a certificate =====

**Option A: Let's Encrypt (free)**

<code bash>
# Install Certbot
sudo apt install certbot

# Request a certificate
# --standalone starts its own web server on port 80, so nothing else
# (including the Gateway) may be listening there while the request runs
sudo certbot certonly --standalone -d gateway.example.com

# Result:
# /etc/letsencrypt/live/gateway.example.com/fullchain.pem
# /etc/letsencrypt/live/gateway.example.com/privkey.pem
</code>

**Option B: Self-signed (testing only!)**

<code bash>
# Create a self-signed certificate
# The SAN extension is included because browsers and current curl builds
# ignore a bare CN when matching the host name
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
    -subj "/CN=gateway.example.com" \
    -addext "subjectAltName=DNS:gateway.example.com"

# Convert to PFX
openssl pkcs12 -export -out gateway.pfx -inkey key.pem -in cert.pem -passout pass:changeit
</code>

**Option C: Internal CA**

-> See [[sl:int:pqcrypt:szenarien:operator:tagesgeschaeft:zertifikat-ausstellen|PQ Crypto: Issuing a certificate]]

----

===== 2. Installing the certificate =====

<code>
# Windows
mkdir %GATEWAY_ROOT%\certs
copy gateway.pfx %GATEWAY_ROOT%\certs\
</code>

<code bash>
# Linux
sudo mkdir -p /opt/data-gateway/certs
sudo cp cert.pem key.pem /opt/data-gateway/certs/
# Only the service account may read the private key
sudo chmod 600 /opt/data-gateway/certs/*
sudo chown datagateway:datagateway /opt/data-gateway/certs/*
</code>

----

===== 3. Configuring appsettings.json =====

Certificate paths are resolved relative to the Gateway's working directory (the content root).

**With a PFX file:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}
</code>

The PFX password is then stored in plain text in ''appsettings.json''. On production systems supply it instead via the environment variable ''Kestrel__Endpoints__Https__Certificate__Password'' (the standard .NET configuration mapping) or a secrets store, and restrict read access to ''appsettings.json'' to the service account.

**With PEM files:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/cert.pem",
          "KeyPath": "certs/key.pem"
        }
      }
    }
  }
}
</code>

**Enforcing the TLS version:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        },
        "SslProtocols": ["Tls12", "Tls13"]
      }
    }
  }
}
</code>

----

===== 4. Restarting the Gateway =====

<code>
# Windows (PowerShell)
Restart-Service -Name "DataGateway"

# Linux
sudo systemctl restart data-gateway

# Docker
docker restart gateway
</code>

----

===== 5. Testing HTTPS =====

<code bash>
# Quick test (skips certificate verification)
curl -k https://localhost/health

# With certificate verification
curl https://gateway.example.com/health

# Show TLS details
curl -v https://gateway.example.com/health 2>&1 | grep -E "SSL|TLS|subject|expire"

# OpenSSL test (certificate chain, negotiated protocol and cipher)
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com

# Negative test for checklist item 5: must fail when only TLS 1.2/1.3 are enabled
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -tls1_1
</code>

----

===== 6. Disabling HTTP (optional) =====

Allow HTTPS only (no ''Http'' entry under ''Endpoints''; Kestrel then listens only on the endpoints configured here):

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}
</code>

Or redirect HTTP -> HTTPS:

<code csharp>
// Program.cs
app.UseHttpsRedirection();
</code>

----

===== 7. Checklist =====

^ # ^ Check ^ OK ^
| 1 | Certificate valid (not expired) | |
| 2 | Certificate issued for the correct host name | |
| 3 | Private key protected (chmod 600) | |
| 4 | HTTPS reachable | |
| 5 | TLS 1.2+ active | |
| 6 | HTTP disabled or redirected | |
| 7 | Firewall port 443 open | |

----

===== Troubleshooting =====

^ Problem ^ Cause ^ Fix ^
| ''Unable to configure HTTPS'' | Wrong path | Check the certificate path |
| ''Password incorrect'' | Wrong PFX password | Check the password |
| ''Certificate expired'' | Certificate has expired | Issue a new certificate |
| ''SSL_ERROR_RX_RECORD_TOO_LONG'' | HTTP instead of HTTPS | Check port/protocol |
| ''NET::ERR_CERT_COMMON_NAME_INVALID'' | Wrong CN/SAN | Certificate with the correct name |

----

===== Online SSL test =====

For publicly reachable servers:

  * **SSL Labs:** [[https://www.ssllabs.com/ssltest/|ssllabs.com/ssltest]]
  * **Qualys:** aim for an A+ rating

----

===== Related runbooks =====

  * [[.:zertifikat-erneuern|Certificate renewal]] - Renewal procedure
  * [[.:firewall-regeln|Firewall rules]] - Opening port 443
  * [[..:monitoring:alerting|Alerting]] - Certificate monitoring

----

<< [[.:start|<- Security]] | [[.:zertifikat-erneuern|-> Certificate renewal]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional//

{{tag>operator runbook tls https zertifikat ssl}}
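As an added verification aid for steps 3 and 7 (not part of the Data Gateway product or of this runbook), the following stdlib-only Python lint reads the ''appsettings.json'' shown above and reports the configuration mistakes behind checklist items 3, 5 and 6 and the first two troubleshooting rows, before the service is restarted. The function names, finding texts and the ''lint_file'' helper are my own; it assumes, as stated in step 3, that relative ''Certificate'' paths resolve against the Gateway's working directory.

```python
import json
import os
import stat

# Protocol names Kestrel accepts in SslProtocols that must not be enabled.
WEAK_PROTOCOLS = {"None", "Ssl2", "Ssl3", "Tls", "Tls11"}


def lint_kestrel_config(config, base_dir=None):
    """Return findings (empty list = passes). base_dir is the Gateway working
    directory for relative Certificate paths; None skips file-system checks."""
    findings = []
    endpoints = config.get("Kestrel", {}).get("Endpoints", {})
    https = endpoints.get("Https")
    if https is None:
        return ["no Kestrel:Endpoints:Https endpoint configured"]
    if not str(https.get("Url", "")).lower().startswith("https://"):
        findings.append("Https endpoint Url does not start with https://")
    cert = https.get("Certificate", {})
    path = cert.get("Path")
    if not path:
        findings.append("Certificate:Path missing (Kestrel: 'Unable to configure HTTPS')")
    elif path.lower().endswith((".pfx", ".p12")):
        if "Password" not in cert:
            findings.append("PFX certificate has no Password entry")
    elif not cert.get("KeyPath"):
        findings.append("PEM certificate has no KeyPath entry")
    if base_dir is not None and path:
        for name in (path, cert.get("KeyPath")):
            if name and not os.path.isfile(os.path.join(base_dir, name)):
                findings.append(f"file not found: {os.path.join(base_dir, name)}")
        key_file = os.path.join(base_dir, cert.get("KeyPath") or "")
        # Checklist item 3 (chmod 600); mode bits are only meaningful on POSIX.
        if os.name == "posix" and cert.get("KeyPath") and os.path.isfile(key_file) \
                and os.stat(key_file).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("private key is group/world accessible (expected chmod 600)")
    weak = sorted(set(https.get("SslProtocols", [])) & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak SslProtocols enabled: " + ", ".join(weak))
    for name, ep in endpoints.items():
        if name != "Https" and str(ep.get("Url", "")).lower().startswith("http://"):
            findings.append(f"plain HTTP endpoint '{name}' still listening on {ep['Url']}")
    return findings


def lint_file(settings_path):
    """Lint an appsettings.json on disk, resolving certificate paths next to it."""
    with open(settings_path, encoding="utf-8") as fh:
        return lint_kestrel_config(json.load(fh), os.path.dirname(settings_path) or ".")
```

An empty result means the three configurations from step 3 pass; anything else is a line to fix before step 4.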