
Runbook: TLS setup

Duration: ~15 minutes
Role: Security Admin
Prerequisite: certificate (PFX, or PEM + KEY)

Enable HTTPS for the Data Gateway.


Workflow

flowchart TD
    A[Start] --> B{Certificate available?}
    B -->|No| C[Obtain certificate]
    B -->|Yes| D[Adjust appsettings.json]
    C --> D
    D --> E[Restart gateway]
    E --> F[Test HTTPS]
    F --> G{Successful?}
    G -->|Yes| H[Disable HTTP]
    G -->|No| I[Check logs]
    H --> J[Done]
    style J fill:#e8f5e9
    style I fill:#ffebee


1. Certifikat pribaviti

Opcija A: Let's Encrypt (besplatno)

# Certbot instalirati
sudo apt install certbot
 
# Certifikat zatraziti
sudo certbot certonly --standalone -d gateway.example.com
 
# Rezultat:
# /etc/letsencrypt/live/gateway.example.com/fullchain.pem
# /etc/letsencrypt/live/gateway.example.com/privkey.pem

Option B: Self-signed (for testing only!)

# Create a self-signed certificate (unencrypted key, valid for one year)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
    -subj "/CN=gateway.example.com"

# Convert to PFX
openssl pkcs12 -export -out gateway.pfx -inkey key.pem -in cert.pem -passout pass:changeit

Option C: Internal CA

→ See PQ Crypto: Issue certificate


2. Place the certificate

# Windows
mkdir %GATEWAY_ROOT%\certs
copy gateway.pfx %GATEWAY_ROOT%\certs\
 
# Linux
sudo mkdir -p /opt/data-gateway/certs
sudo cp cert.pem key.pem /opt/data-gateway/certs/
sudo chmod 600 /opt/data-gateway/certs/*
sudo chown datagateway:datagateway /opt/data-gateway/certs/*

3. Configure appsettings.json

With a PFX file:

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}

With PEM files:

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/cert.pem",
          "KeyPath": "certs/key.pem"
        }
      }
    }
  }
}

Enforce the TLS version (TLS 1.2 and 1.3 only):

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        },
        "SslProtocols": ["Tls12", "Tls13"]
      }
    }
  }
}

4. Restart the gateway

# Windows
Restart-Service -Name "DataGateway"
 
# Linux
sudo systemctl restart data-gateway
 
# Docker
docker restart gateway

5. Test HTTPS

# Simple test (-k skips certificate verification; use only for the first smoke test)
curl -k https://localhost/health

# With certificate verification
curl https://gateway.example.com/health

# Show TLS details
curl -v https://gateway.example.com/health 2>&1 | grep -E "SSL|TLS|subject|expire"

# OpenSSL test
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com

6. Disable HTTP (optional)

Allow HTTPS only (no "Http" endpoint in the configuration):

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}

Or redirect HTTP to HTTPS:

// Program.cs
app.UseHttpsRedirection();

7. Checklist

#  Check                                     Yes/No
-- ----------------------------------------- ------
1  Certificate valid (not expired)           -
2  Certificate issued for the correct hostname -
3  Private key protected (chmod 600)         -
4  HTTPS reachable                           -
5  TLS 1.2+ active                           -
6  HTTP disabled or redirected               -
7  Firewall port 443 open                    -
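As an added pre-flight check (not part of the original runbook), this script lints the Kestrel section of appsettings.json against checklist items 5 and 6: it flags a remaining HTTP endpoint, protocol values other than Tls12/Tls13, a PEM certificate without KeyPath, and an empty or placeholder PFX password. Both sample configurations are constructed here, and the list of placeholder passwords is an assumption.

```python
import json

ALLOWED_PROTOCOLS = {"Tls12", "Tls13"}                 # the only values that pass check 5
PLACEHOLDER_PASSWORDS = {"", "changeit", "password"}   # assumed non-production secrets

def _scheme(endpoint: dict) -> str:
    return str(endpoint.get("Url", "")).lower().split("://")[0]

def lint_kestrel_config(config: dict) -> list:
    """Return findings for the Kestrel section of a parsed appsettings.json (empty = clean)."""
    findings = []
    endpoints = config.get("Kestrel", {}).get("Endpoints", {})
    https = {n: ep for n, ep in endpoints.items() if _scheme(ep) == "https"}
    http = [n for n, ep in endpoints.items() if _scheme(ep) == "http"]
    if not https:
        findings.append("no HTTPS endpoint defined")
    if http:                                            # checklist item 6
        findings.append("plain HTTP endpoint still enabled: " + ", ".join(http))
    for name, ep in https.items():
        cert = ep.get("Certificate") or {}
        path = str(cert.get("Path", "")).lower()
        if not path:
            findings.append(f"{name}: Certificate.Path missing")
        elif path.endswith(".pfx") and str(cert.get("Password", "")) in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: PFX password is empty or a placeholder")
        elif path.endswith(".pem") and not cert.get("KeyPath"):
            findings.append(f"{name}: PEM certificate configured without KeyPath")
        protocols = ep.get("SslProtocols")              # checklist item 5
        if protocols is None:
            findings.append(f"{name}: SslProtocols not pinned, OS defaults apply")
        elif set(protocols) - ALLOWED_PROTOCOLS:
            legacy = ", ".join(sorted(set(protocols) - ALLOWED_PROTOCOLS))
            findings.append(f"{name}: legacy protocols enabled: {legacy}")
    return findings

# Constructed sample: the "before" state, still serving HTTP and allowing TLS 1.1.
WEAK_CONFIG = json.loads("""{"Kestrel": {"Endpoints": {
  "Http": {"Url": "http://0.0.0.0:80"},
  "Https": {"Url": "https://0.0.0.0:443",
            "Certificate": {"Path": "certs/gateway.pfx", "Password": "changeit"},
            "SslProtocols": ["Tls11", "Tls12", "Tls13"]}}}}""")
# Constructed sample: the hardened state after steps 3 and 6.
HARDENED_CONFIG = json.loads("""{"Kestrel": {"Endpoints": {
  "Https": {"Url": "https://0.0.0.0:443",
            "Certificate": {"Path": "certs/cert.pem", "KeyPath": "certs/key.pem"},
            "SslProtocols": ["Tls12", "Tls13"]}}}}""")
```

Call lint_kestrel_config(json.load(open("appsettings.json"))) before restarting the gateway; an empty list means items 5 and 6 are satisfied, while the weak sample yields three findings and the hardened sample none.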

Troubleshooting

Problem                            Cause                     Fix
---------------------------------- ------------------------- ----------------------------------
Unable to configure HTTPS          Wrong path                Check the certificate path
Password incorrect                 Wrong PFX password        Check the password
Certificate expired                Certificate has expired   Obtain a new certificate
SSL_ERROR_RX_RECORD_TOO_LONG       HTTP instead of HTTPS     Check port/protocol
NET::ERR_CERT_COMMON_NAME_INVALID  Wrong CN/SAN              Certificate with the correct name

Online SSL test

For publicly reachable servers:


Related runbooks




Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional