Trajanje: ~10 minuta
Uloga: Security-Admin
Ucestalost: Svakih 90 dana (Let's Encrypt) ili godisnje
Obnova TLS certifikata za Data Gateway.
# Aktualni certifikat provjeriti openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \ openssl x509 -noout -dates # Dana do isteka echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \ openssl x509 -noout -enddate | \ cut -d= -f2 | \ xargs -I {} bash -c 'echo "Dana do isteka: $(( ($(date -d "{}" +%s) - $(date +%s)) / 86400 ))"'
# Automatski (ako je certbot ispravno postavljen) sudo certbot renew # S Pre/Post-Hook za Gateway sudo certbot renew \ --pre-hook "systemctl stop data-gateway" \ --post-hook "systemctl start data-gateway" # Probni rad (bez stvarne obnove) sudo certbot renew --dry-run
Automatizacija preko Crona:
# /etc/cron.d/certbot-gateway 0 3 * * * root certbot renew --quiet --post-hook "systemctl reload data-gateway"
# CSR kreirati openssl req -new -key gateway.key -out gateway.csr \ -subj "/CN=gateway.example.com/O=Example Corp" # CSR poslati CA-i (npr. preko PQ Crypto) # -> Novi certifikat: gateway-new.crt
Pogledajte: PQ Crypto: Certifikat obnoviti
1. Prijaviti se kod ponuditelja (DigiCert, GlobalSign, itd.) 2. Renewal zatraziti 3. CSR uploadati ili novo generirati 4. Validaciju provesti 5. Novi certifikat preuzeti
# Backup kreirati cp /opt/data-gateway/certs/gateway.pfx /opt/data-gateway/certs/gateway.pfx.bak.$(date +%Y%m%d) # Ili za PEM cp /opt/data-gateway/certs/cert.pem /opt/data-gateway/certs/cert.pem.bak.$(date +%Y%m%d)
# PEM format sudo cp new-cert.pem /opt/data-gateway/certs/cert.pem sudo cp new-key.pem /opt/data-gateway/certs/key.pem sudo chmod 600 /opt/data-gateway/certs/*.pem # PFX format sudo cp new-gateway.pfx /opt/data-gateway/certs/gateway.pfx sudo chmod 600 /opt/data-gateway/certs/gateway.pfx
# Linux sudo systemctl restart data-gateway # Windows Restart-Service -Name "DataGateway" # Docker docker restart gateway # Kubernetes (Rolling Update) kubectl rollout restart deployment/data-gateway -n data-gateway
# Novi certifikat aktivan? echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \ openssl x509 -noout -subject -dates # Health Check curl https://gateway.example.com/health # Potpuni SSL test openssl s_client -connect gateway.example.com:443 -servername gateway.example.com
# Backup vratiti sudo cp /opt/data-gateway/certs/gateway.pfx.bak.20241215 /opt/data-gateway/certs/gateway.pfx # Gateway ponovno pokrenuti sudo systemctl restart data-gateway # Verificirati curl https://gateway.example.com/health
| # | Provjera | Da/Ne |
| — | ———– | — |
| 1 | Stari certifikat sacuvan | - |
| 2 | Novi certifikat valjan | - |
| 3 | Hostname se podudaraju | - |
| 4 | Certifikat instaliran | - |
| 5 | Gateway ponovno pokrenut | - |
| 6 | HTTPS radi | - |
| 7 | Monitoring obavijesten | - |
| Problem | Uzrok | Rjesenje |
| ——— | ——— | ——– |
Certificate mismatch | Key ne odgovara | Key ponovno generirati |
Chain incomplete | Intermediate nedostaje | Chain-datoteku dodati |
Permission denied | Pogresna prava | chmod 600 |
| Gateway se ne pokrece | Pogresna lozinka | appsettings.json provjeriti |
Prometheus Alert za istek certifikata:
- alert: GatewayCertExpiringSoon expr: | (probe_ssl_earliest_cert_expiry{job="gateway-tls"} - time()) / 86400 < 14 for: 1h labels: severity: warning annotations: summary: "Gateway certifikat uskoro istjece" description: "Certifikat istjece za {{ $value | humanize }} dana."
« <- TLS postavljanje | -> Firewall pravila »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional