Runbook: Renew Certificate
Duration: ~10 minutes
Role: Security Admin
Frequency: Every 90 days (Let's Encrypt) or annually
Renewal of the TLS certificate for the Data Gateway.
Workflow
```mermaid
flowchart TD
    A[Expiry alert] --> B{Certificate type?}
    B -->|Let's Encrypt| C[certbot renew]
    B -->|Internal CA| D[Request new certificate]
    B -->|Commercial| E[Renew with the provider]
    C --> F[Replace certificate]
    D --> F
    E --> F
    F --> G[Restart gateway]
    G --> H[Test HTTPS]
    H --> I{OK?}
    I -->|Yes| J[Done]
    I -->|No| K[Restore old certificate]
    style J fill:#e8f5e9
    style K fill:#ffebee
```
1. Check expiry

```bash
# Inspect the current certificate (echo closes stdin so s_client does not wait for input)
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \
  openssl x509 -noout -dates

# Days until expiry
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \
  openssl x509 -noout -enddate | \
  cut -d= -f2 | \
  xargs -I {} bash -c 'echo "Days until expiry: $(( ($(date -d "{}" +%s) - $(date +%s)) / 86400 ))"'
```
2a. Renew Let's Encrypt certificate

```bash
# Automatic (if certbot is set up correctly)
sudo certbot renew

# With pre/post hooks for the gateway
sudo certbot renew \
  --pre-hook "systemctl stop data-gateway" \
  --post-hook "systemctl start data-gateway"

# Dry run (no actual renewal)
sudo certbot renew --dry-run
```

Automation via cron:

```bash
# /etc/cron.d/certbot-gateway
0 3 * * * root certbot renew --quiet --post-hook "systemctl reload data-gateway"
```
2b. Renew via internal CA

```bash
# Create the CSR (reuses the existing private key)
openssl req -new -key gateway.key -out gateway.csr \
  -subj "/CN=gateway.example.com/O=Example Corp"

# Submit the CSR to the CA (e.g. via PQ Crypto)
# -> New certificate: gateway-new.crt
```

See: PQ Crypto: Renew certificate
2c. Commercial certificate

1. Log in to the provider (DigiCert, GlobalSign, etc.)
2. Request the renewal
3. Upload the CSR or generate a new one
4. Complete the validation
5. Download the new certificate
3. Back up the old certificate

```bash
# Create the backup
sudo cp /opt/data-gateway/certs/gateway.pfx /opt/data-gateway/certs/gateway.pfx.bak.$(date +%Y%m%d)

# Or for PEM (step 4 replaces key.pem too, so back it up as well or the rollback has no matching key)
sudo cp /opt/data-gateway/certs/cert.pem /opt/data-gateway/certs/cert.pem.bak.$(date +%Y%m%d)
sudo cp /opt/data-gateway/certs/key.pem /opt/data-gateway/certs/key.pem.bak.$(date +%Y%m%d)
```
4. Install the new certificate

```bash
# PEM format
sudo cp new-cert.pem /opt/data-gateway/certs/cert.pem
sudo cp new-key.pem /opt/data-gateway/certs/key.pem
sudo chmod 600 /opt/data-gateway/certs/*.pem

# PFX format
sudo cp new-gateway.pfx /opt/data-gateway/certs/gateway.pfx
sudo chmod 600 /opt/data-gateway/certs/gateway.pfx
```
5. Restart the gateway

```
# Linux
sudo systemctl restart data-gateway

# Windows (PowerShell)
Restart-Service -Name "DataGateway"

# Docker
docker restart gateway

# Kubernetes (rolling update)
kubectl rollout restart deployment/data-gateway -n data-gateway
```
6. Verify

```bash
# Is the new certificate being served?
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null | \
  openssl x509 -noout -subject -dates

# Health check
curl https://gateway.example.com/health

# Full TLS test (chain and "Verify return code" in the output)
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com </dev/null
```
7. Rollback (if required)

```bash
# Restore the backup
sudo cp /opt/data-gateway/certs/gateway.pfx.bak.20241215 /opt/data-gateway/certs/gateway.pfx

# Restart the gateway
sudo systemctl restart data-gateway

# Verify
curl https://gateway.example.com/health
```
8. Checklist

| # | Check | Yes/No |
| --- | --- | --- |
| 1 | Old certificate backed up | - |
| 2 | New certificate valid | - |
| 3 | Hostnames match | - |
| 4 | Certificate installed | - |
| 5 | Gateway restarted | - |
| 6 | HTTPS works | - |
| 7 | Monitoring notified | - |
Troubleshooting

| Problem | Cause | Solution |
| --- | --- | --- |
| Certificate mismatch | Key does not match | Regenerate the key |
| Chain incomplete | Intermediate missing | Add the chain file |
| Permission denied | Wrong permissions | chmod 600 |
| Gateway does not start | Wrong password | Check appsettings.json |
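A pre-install check that covers checklist items 2 and 3 and the "Certificate mismatch" and expiry cases above, added here as an example and not part of the runbook; it uses only the openssl CLI, takes the certificate, key and hostname as arguments, and `cert-preflight.sh` is an assumed script name.

```bash
#!/usr/bin/env bash
# Pre-install checks for a new gateway certificate (added example, not the runbook's own script).
# Run before step 4 so a bad pair or wrong hostname never reaches /opt/data-gateway/certs.
set -u

# 0 when the public key inside the certificate equals the public key derived from the
# private key, i.e. the pair belongs together (the "Certificate mismatch" row above).
cert_matches_key() {
  local cert="$1" key="$2" cpub kpub
  cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  kpub=$(openssl pkey -in "$key" -pubout) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 when the certificate's SAN (or CN) covers the hostname the gateway is reached under.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 0 when the certificate is still valid N days from now (default 14, the alert threshold below).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null
}

# Run all checks, print one checklist line each, return 1 if anything failed.
preflight() {
  local cert="$1" key="$2" host="$3" rc=0
  cert_matches_key "$cert" "$key"  && echo "[ok] key matches certificate" \
    || { echo "[FAIL] key does not match certificate"; rc=1; }
  cert_covers_host "$cert" "$host" && echo "[ok] hostname $host covered by SAN/CN" \
    || { echo "[FAIL] hostname $host not in SAN/CN"; rc=1; }
  cert_valid_for_days "$cert" 14   && echo "[ok] valid for more than 14 days" \
    || { echo "[FAIL] certificate expires within 14 days"; rc=1; }
  return $rc
}

# Usage: ./cert-preflight.sh new-cert.pem new-key.pem gateway.example.com
if [ "$#" -ge 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

A non-zero exit stops the installation step; the printed lines map directly onto checklist items 2 and 3.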
Automatic monitoring

Prometheus alert for certificate expiry:

```yaml
- alert: GatewayCertExpiringSoon
  expr: |
    (probe_ssl_earliest_cert_expiry{job="gateway-tls"} - time()) / 86400 < 14
  for: 1h
  labels:
    severity: warning
  annotations:
    summary: "Gateway certifikat uskoro istjece"
    description: "Certifikat istjece za {{ $value | humanize }} dana."
```
Related runbooks

- TLS setup - Initial configuration
- Alerting - Expiry monitoring
Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional
Last modified: 30.01.2026 at 08:49