Runbook: Renew Certificate
Duration: ~10 minutes
Role: Security Admin
Frequency: Every 90 days (Let's Encrypt) or annually
Renewal of TLS certificate for the Data Gateway.
Workflow

```mermaid
flowchart TD
    A[Expiry warning] --> B{Certificate type?}
    B -->|Let's Encrypt| C[certbot renew]
    B -->|Internal CA| D[Request new certificate]
    B -->|Commercial| E[Renew at provider]
    C --> F[Replace certificate]
    D --> F
    E --> F
    F --> G[Restart Gateway]
    G --> H[Test HTTPS]
    H --> I{OK?}
    I -->|Yes| J[Done]
    I -->|No| K[Restore old certificate]
    style J fill:#e8f5e9
    style K fill:#ffebee
```
1. Check Expiry
```bash
# Check current certificate (echo closes stdin so s_client does not wait for input)
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \
  openssl x509 -noout -dates

# Days until expiry
echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \
  openssl x509 -noout -enddate | \
  cut -d= -f2 | \
  xargs -I {} bash -c 'echo "Days until expiry: $(( ($(date -d "{}" +%s) - $(date +%s)) / 86400 ))"'
```
2a. Renew Let's Encrypt
```bash
# Automatic (if certbot is correctly configured)
sudo certbot renew

# With pre/post hook for the Gateway
sudo certbot renew \
  --pre-hook "systemctl stop data-gateway" \
  --post-hook "systemctl start data-gateway"

# Dry run (without actual renewal)
sudo certbot renew --dry-run
```
Automation via cron:
```bash
# /etc/cron.d/certbot-gateway
0 3 * * * root certbot renew --quiet --post-hook "systemctl reload data-gateway"
```
2b. Renew Internal CA
```bash
# Create CSR
openssl req -new -key gateway.key -out gateway.csr \
  -subj "/CN=gateway.example.com/O=Example Corp"

# Send CSR to CA (e.g., via PQ Crypto)
# -> New certificate: gateway-new.crt
```
See: PQ Crypto: Renew Certificate
2c. Commercial Certificate
1. Log in at provider (DigiCert, GlobalSign, etc.)
2. Request renewal
3. Upload CSR or generate new
4. Complete validation
5. Download new certificate
3. Backup Old Certificate
```bash
# Create backup
cp /opt/data-gateway/certs/gateway.pfx /opt/data-gateway/certs/gateway.pfx.bak.$(date +%Y%m%d)

# Or for PEM
cp /opt/data-gateway/certs/cert.pem /opt/data-gateway/certs/cert.pem.bak.$(date +%Y%m%d)
```
4. Install New Certificate
```bash
# PEM format
sudo cp new-cert.pem /opt/data-gateway/certs/cert.pem
sudo cp new-key.pem /opt/data-gateway/certs/key.pem
sudo chmod 600 /opt/data-gateway/certs/*.pem

# PFX format
sudo cp new-gateway.pfx /opt/data-gateway/certs/gateway.pfx
sudo chmod 600 /opt/data-gateway/certs/gateway.pfx
```
5. Restart Gateway
```
# Linux
sudo systemctl restart data-gateway

# Windows
Restart-Service -Name "DataGateway"

# Docker
docker restart gateway

# Kubernetes (rolling update)
kubectl rollout restart deployment/data-gateway -n data-gateway
```
6. Verify
```bash
# New certificate active?
echo | openssl s_client -connect gateway.example.com:443 2>/dev/null | \
  openssl x509 -noout -subject -dates

# Health check
curl https://gateway.example.com/health

# Full SSL test
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com
```
7. Rollback (if needed)
```bash
# Restore backup
sudo cp /opt/data-gateway/certs/gateway.pfx.bak.20241215 /opt/data-gateway/certs/gateway.pfx

# Restart Gateway
sudo systemctl restart data-gateway

# Verify
curl https://gateway.example.com/health
```
8. Checklist
| # | Check | Done |
|---|-------|------|
| 1 | Old certificate backed up | [ ] |
| 2 | New certificate valid | [ ] |
| 3 | Hostnames match | [ ] |
| 4 | Certificate installed | [ ] |
| 5 | Gateway restarted | [ ] |
| 6 | HTTPS working | [ ] |
| 7 | Monitoring notified | [ ] |
Troubleshooting
| Problem | Cause | Solution |
|---------|-------|----------|
| Certificate mismatch | Key doesn't match | Regenerate key |
| Chain incomplete | Intermediate missing | Add chain file |
| Permission denied | Wrong permissions | `chmod 600` |
| Gateway won't start | Wrong password | Check appsettings.json |
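The checklist items "New certificate valid" and "Hostnames match" and the first two troubleshooting rows ("Certificate mismatch", "Chain incomplete") can all be checked before the new files are copied into place in step 4, which avoids a restart-and-rollback cycle. The script below is an added example and is not part of the runbook or the Data Gateway product; it assumes three files (`cert.pem` = new leaf certificate, `key.pem` = its private key, `chain.pem` = issuing CA chain up to a trusted root) and the hostname the Gateway serves, and it builds its own throwaway internal CA and 60-day leaf certificate (a constructed fixture, hypothetical names) so it can be run offline with `./validate.sh --demo`. Note that the hostname is matched against the subjectAltName, which is what current browsers require; the CN in the CSR from step 2b is not enough on its own.

```shell
#!/bin/sh
# Added example (not part of the runbook): pre-install checks for a renewed certificate.
# Assumed layout: cert.pem = new leaf, key.pem = its private key, chain.pem = CA chain
# up to a trusted root. Portable POSIX sh; needs openssl and GNU date.
set -eu

# Does the private key belong to this certificate? (troubleshooting row "Certificate mismatch")
# Both commands emit the SubjectPublicKeyInfo in PEM, so a string compare is enough.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate cover the hostname? openssl matches against subjectAltName
# and prints "Hostname X does match certificate" or "... does NOT match certificate".
cert_has_hostname() {
  out=$(openssl x509 -in "$1" -noout -checkhost "$2")
  case "$out" in *" does match certificate"*) return 0 ;; esac
  return 1
}

# Does the leaf chain to a trusted root via the chain file? (troubleshooting row "Chain incomplete")
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Whole days until notAfter (same arithmetic as the expiry check in step 1).
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate)
  not_after=${not_after#notAfter=}
  echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# Succeeds when the certificate is still valid $2 days from now (openssl's own -checkend).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check, print one line per check, return non-zero if any failed.
# Usage: validate_renewed_cert cert.pem key.pem chain.pem gateway.example.com [min_days]
validate_renewed_cert() {
  cert=$1; key=$2; chain=$3; host=$4; min_days=${5:-14}; rc=0
  if cert_matches_key "$cert" "$key"; then echo "ok   private key matches certificate"
  else echo "FAIL private key does not match certificate (regenerate key and CSR)"; rc=1; fi
  if cert_has_hostname "$cert" "$host"; then echo "ok   certificate covers $host"
  else echo "FAIL certificate does not cover $host (check subjectAltName)"; rc=1; fi
  if chain_verifies "$cert" "$chain"; then echo "ok   chain verifies against $chain"
  else echo "FAIL chain incomplete or untrusted (add the intermediate to the chain file)"; rc=1; fi
  if valid_for_days "$cert" "$min_days"; then
    echo "ok   valid for at least $min_days days ($(days_until_expiry "$cert") days left)"
  else echo "FAIL certificate expires within $min_days days"; rc=1; fi
  return $rc
}

# Constructed fixture (not real infrastructure): a throwaway internal CA plus a 60-day
# leaf for gateway.example.com and an unrelated key, all written into directory $1.
make_fixture() {
  d=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:gateway.example.com\n' > "$d/leaf.ext"
  openssl req -new -key "$d/ca.key" -subj "/CN=Example Internal CA" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 365 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -key "$d/key.pem" -subj "/CN=gateway.example.com/O=Example Corp" \
    -out "$d/gateway.csr" 2>/dev/null
  openssl x509 -req -in "$d/gateway.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 60 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
  cp "$d/ca.crt" "$d/chain.pem"   # the whole chain is just the root in this fixture
}

# Demo run against the fixture; in production call validate_renewed_cert on the real files.
demo() {
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  validate_renewed_cert "$tmp/cert.pem" "$tmp/key.pem" "$tmp/chain.pem" gateway.example.com 14
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

For a certificate from a commercial or public CA, `chain.pem` usually contains only the intermediates; in that case verify against the system trust store instead, e.g. `openssl verify -untrusted chain.pem cert.pem`, so the check reflects what clients will actually do.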
Automatic Monitoring
Prometheus alert for certificate expiry:
```yaml
- alert: GatewayCertExpiringSoon
  expr: |
    (probe_ssl_earliest_cert_expiry{job="gateway-tls"} - time()) / 86400 < 14
  for: 1h
  labels:
    severity: warning
  annotations:
    summary: "Gateway certificate expiring soon"
    description: "Certificate expires in {{ $value | humanize }} days."
```
Related Runbooks
- Set Up TLS - Initial configuration
- Alerting - Expiry monitoring
Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional
Last modified: 2026/01/30 at 08:46 AM