Duration: ~10 minutes
Role: Security Admin
Frequency: Every 90 days (Let's Encrypt) or annually
Renewal of TLS certificate for the Data Gateway.
# Check current certificate openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \ openssl x509 -noout -dates # Days until expiry echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \ openssl x509 -noout -enddate | \ cut -d= -f2 | \ xargs -I {} bash -c 'echo "Days until expiry: $(( ($(date -d "{}" +%s) - $(date +%s)) / 86400 ))"'
# Automatic (if certbot correctly configured) sudo certbot renew # With pre/post hook for Gateway sudo certbot renew \ --pre-hook "systemctl stop data-gateway" \ --post-hook "systemctl start data-gateway" # Dry run (without actual renewal) sudo certbot renew --dry-run
Automation via cron:
# /etc/cron.d/certbot-gateway 0 3 * * * root certbot renew --quiet --post-hook "systemctl reload data-gateway"
# Create CSR openssl req -new -key gateway.key -out gateway.csr \ -subj "/CN=gateway.example.com/O=Example Corp" # Send CSR to CA (e.g., via PQ Crypto) # -> New certificate: gateway-new.crt
See: PQ Crypto: Renew Certificate
1. Log in at provider (DigiCert, GlobalSign, etc.) 2. Request renewal 3. Upload CSR or generate new 4. Complete validation 5. Download new certificate
# Create backup cp /opt/data-gateway/certs/gateway.pfx /opt/data-gateway/certs/gateway.pfx.bak.$(date +%Y%m%d) # Or for PEM cp /opt/data-gateway/certs/cert.pem /opt/data-gateway/certs/cert.pem.bak.$(date +%Y%m%d)
# PEM format sudo cp new-cert.pem /opt/data-gateway/certs/cert.pem sudo cp new-key.pem /opt/data-gateway/certs/key.pem sudo chmod 600 /opt/data-gateway/certs/*.pem # PFX format sudo cp new-gateway.pfx /opt/data-gateway/certs/gateway.pfx sudo chmod 600 /opt/data-gateway/certs/gateway.pfx
# Linux sudo systemctl restart data-gateway # Windows Restart-Service -Name "DataGateway" # Docker docker restart gateway # Kubernetes (Rolling Update) kubectl rollout restart deployment/data-gateway -n data-gateway
# New certificate active? echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \ openssl x509 -noout -subject -dates # Health Check curl https://gateway.example.com/health # Full SSL test openssl s_client -connect gateway.example.com:443 -servername gateway.example.com
# Restore backup sudo cp /opt/data-gateway/certs/gateway.pfx.bak.20241215 /opt/data-gateway/certs/gateway.pfx # Restart Gateway sudo systemctl restart data-gateway # Verify curl https://gateway.example.com/health
| # | Check | Done |
| — | ——- | —— |
| 1 | Old certificate backed up | [ ] |
| 2 | New certificate valid | [ ] |
| 3 | Hostnames match | [ ] |
| 4 | Certificate installed | [ ] |
| 5 | Gateway restarted | [ ] |
| 6 | HTTPS working | [ ] |
| 7 | Monitoring notified | [ ] |
| Problem | Cause | Solution |
| ——— | ——- | ———- |
Certificate mismatch | Key doesn't match | Regenerate key |
Chain incomplete | Intermediate missing | Add chain file |
Permission denied | Wrong permissions | chmod 600 |
| Gateway won't start | Wrong password | Check appsettings.json |
Prometheus alert for certificate expiry:
- alert: GatewayCertExpiringSoon expr: | (probe_ssl_earliest_cert_expiry{job="gateway-tls"} - time()) / 86400 < 14 for: 1h labels: severity: warning annotations: summary: "Gateway certificate expiring soon" description: "Certificate expires in {{ $value | humanize }} days."
« <- Set Up TLS | -> Firewall Rules »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional