Runbook: Obnova certifikata

Obnova TLS-certifikata za Data Gateway.

# Preveri trenutni certifikat
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \
    openssl x509 -noout -dates
 
# Dni do poteka
echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \
    openssl x509 -noout -enddate | \
    cut -d= -f2 | \
    xargs -I {} bash -c 'echo "Dni do poteka: $(( ($(date -d "{}" +%s) - $(date +%s)) / 86400 ))"'

# Samodejno (če je certbot pravilno nastavljen)
sudo certbot renew
 
# S Pre/Post-Hook za Gateway
sudo certbot renew \
    --pre-hook "systemctl stop data-gateway" \
    --post-hook "systemctl start data-gateway"
 
# Suh tek (brez dejanske obnove)
sudo certbot renew --dry-run

Avtomatizacija prek Cron:

# /etc/cron.d/certbot-gateway
0 3 * * * root certbot renew --quiet --post-hook "systemctl reload data-gateway"

# Ustvari CSR
openssl req -new -key gateway.key -out gateway.csr \
    -subj "/CN=gateway.example.com/O=Example Corp"
 
# Pošlji CSR CA-ju (npr. prek PQ Crypto)
# -> Nov certifikat: gateway-new.crt

Glej: PQ Crypto: Obnova certifikata

1. Prijava pri ponudniku (DigiCert, GlobalSign itd.) 2. Zahteva za obnovo 3. Nalaganje CSR ali generiranje novega 4. Izvedba validacije 5. Prenos novega certifikata

# Ustvari varnostno kopijo
cp /opt/data-gateway/certs/gateway.pfx /opt/data-gateway/certs/gateway.pfx.bak.$(date +%Y%m%d)
 
# Ali za PEM
cp /opt/data-gateway/certs/cert.pem /opt/data-gateway/certs/cert.pem.bak.$(date +%Y%m%d)

# Format PEM
sudo cp new-cert.pem /opt/data-gateway/certs/cert.pem
sudo cp new-key.pem /opt/data-gateway/certs/key.pem
sudo chmod 600 /opt/data-gateway/certs/*.pem
 
# Format PFX
sudo cp new-gateway.pfx /opt/data-gateway/certs/gateway.pfx
sudo chmod 600 /opt/data-gateway/certs/gateway.pfx

# Linux
sudo systemctl restart data-gateway
 
# Windows
Restart-Service -Name "DataGateway"
 
# Docker
docker restart gateway
 
# Kubernetes (Rolling Update)
kubectl rollout restart deployment/data-gateway -n data-gateway

# Je nov certifikat aktiven?
echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \
    openssl x509 -noout -subject -dates
 
# Health Check
curl https://gateway.example.com/health
 
# Popoln SSL-test
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com

# Obnovi varnostno kopijo
sudo cp /opt/data-gateway/certs/gateway.pfx.bak.20241215 /opt/data-gateway/certs/gateway.pfx
 
# Ponovno zaženi Gateway
sudo systemctl restart data-gateway
 
# Preveri
curl https://gateway.example.com/health

Prometheus opozorilo za potek certifikata:

- alert: GatewayCertExpiringSoon
  expr: |
    (probe_ssl_earliest_cert_expiry{job="gateway-tls"} - time()) / 86400 < 14
  for: 1h
  labels:
    severity: warning
  annotations:
    summary: "Gateway-certifikat kmalu poteče"
    description: "Certifikat poteče čez {{ $value | humanize }} dni."

• Nastavitev TLS - Prvotna konfiguracija
• Opozarjanje - Nadzor poteka
• PQ Crypto: Obnova certifikata

« <- Nastavitev TLS | -> Pravila požarnega zidu »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional