mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
63a1b97db7fb20064bdcaa135ca231e911e4b1b3
meldestelle/config/ssl/README.md
T
stefan e7b18da45d refactor: Migrate from monolithic to modular architecture 
1. **Docker-Compose für Entwicklung optimieren**
2. **Umgebungsvariablen für lokale Entwicklung**
3. **Service-Abhängigkeiten**
4. **Docker-Compose für Produktion**
5. **Dokumentation**
2025-07-24 14:20:48 +02:00

221 lines
6.5 KiB
Markdown
Raw Blame History

# SSL/TLS Certificate Setup for Production
This directory contains SSL/TLS certificates and keys for securing the Meldestelle application in production.
## Directory Structure
```
config/ssl/
├── postgres/ # PostgreSQL SSL certificates
├── redis/ # Redis TLS certificates
├── keycloak/ # Keycloak HTTPS certificates
├── prometheus/ # Prometheus HTTPS certificates
├── grafana/ # Grafana HTTPS certificates
├── nginx/ # Nginx SSL certificates
└── README.md # This file
```
## Certificate Requirements
### 1. PostgreSQL SSL Certificates
Place the following files in `config/ssl/postgres/`:
- `server.crt` - Server certificate
- `server.key` - Server private key
- `ca.crt` - Certificate Authority certificate
### 2. Redis TLS Certificates
Place the following files in `config/ssl/redis/`:
- `redis.crt` - Redis server certificate
- `redis.key` - Redis server private key
- `ca.crt` - Certificate Authority certificate
- `redis.dh` - Diffie-Hellman parameters
### 3. Keycloak HTTPS Certificates
Place the following files in `config/ssl/keycloak/`:
- `server.crt.pem` - Server certificate in PEM format
- `server.key.pem` - Server private key in PEM format
### 4. Prometheus HTTPS Certificates
Place the following files in `config/ssl/prometheus/`:
- `prometheus.crt` - Prometheus server certificate
- `prometheus.key` - Prometheus server private key
- `web.yml` - Prometheus web configuration file
### 5. Grafana HTTPS Certificates
Place the following files in `config/ssl/grafana/`:
- `server.crt` - Grafana server certificate
- `server.key` - Grafana server private key
### 6. Nginx SSL Certificates
Place the following files in `config/ssl/nginx/`:
- `server.crt` - Main SSL certificate
- `server.key` - Main SSL private key
- `dhparam.pem` - Diffie-Hellman parameters
## Generating Self-Signed Certificates (Development/Testing)
⚠️ **Warning**: Only use self-signed certificates for development and testing. Use proper CA-signed certificates in production.
### Generate CA Certificate
```bash
# Create CA private key
openssl genrsa -out ca.key 4096
# Create CA certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
-subj "/C=AT/ST=Vienna/L=Vienna/O=Meldestelle/OU=IT/CN=Meldestelle-CA"
```
### Generate Server Certificates
```bash
# For each service, generate private key and certificate signing request
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
-subj "/C=AT/ST=Vienna/L=Vienna/O=Meldestelle/OU=IT/CN=your-domain.com"
# Sign the certificate with CA
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt
# Clean up
rm server.csr
```
### Generate Diffie-Hellman Parameters
```bash
openssl dhparam -out dhparam.pem 2048
```
## Production Certificate Setup
### Option 1: Let's Encrypt (Recommended)
Use Certbot to obtain free SSL certificates:
```bash
# Install certbot
sudo apt-get install certbot
# Obtain certificates
sudo certbot certonly --standalone -d your-domain.com -d www.your-domain.com
# Copy certificates to appropriate directories
sudo cp /etc/letsencrypt/live/your-domain.com/fullchain.pem config/ssl/nginx/server.crt
sudo cp /etc/letsencrypt/live/your-domain.com/privkey.pem config/ssl/nginx/server.key
```
### Option 2: Commercial CA
1. Generate Certificate Signing Requests (CSRs)
2. Submit CSRs to your Certificate Authority
3. Download signed certificates
4. Place certificates in appropriate directories
### Option 3: Internal CA
If using an internal Certificate Authority:
1. Generate CSRs for each service
2. Sign certificates with your internal CA
3. Distribute CA certificate to all clients
## File Permissions
Ensure proper file permissions for security:
```bash
# Set restrictive permissions on private keys
chmod 600 config/ssl/*/server.key
chmod 600 config/ssl/*/redis.key
chmod 600 config/ssl/*/prometheus.key
# Set readable permissions on certificates
chmod 644 config/ssl/*/server.crt
chmod 644 config/ssl/*/ca.crt
# Set directory permissions
chmod 755 config/ssl/*/
```
## Docker Volume Mounts
The certificates are mounted as read-only volumes in the Docker containers:
```yaml
volumes:
- ./config/ssl/nginx:/etc/ssl/nginx:ro
- ./config/ssl/keycloak:/opt/keycloak/conf:ro
# ... other mounts
```
## Certificate Renewal
### Automated Renewal (Let's Encrypt)
Set up a cron job for automatic renewal:
```bash
# Add to crontab
0 12 * * * /usr/bin/certbot renew --quiet --post-hook "docker-compose -f docker-compose.prod.yml restart nginx"
```
### Manual Renewal
1. Generate new certificates
2. Replace old certificates in SSL directories
3. Restart affected services:
```bash
docker-compose -f docker-compose.prod.yml restart nginx keycloak grafana prometheus
```
## Security Best Practices
1. **Use Strong Encryption**: Use at least 2048-bit RSA keys or 256-bit ECDSA keys
2. **Regular Rotation**: Rotate certificates regularly (annually or bi-annually)
3. **Secure Storage**: Store private keys securely and limit access
4. **Monitor Expiration**: Set up monitoring for certificate expiration
5. **Use HSTS**: Enable HTTP Strict Transport Security
6. **Perfect Forward Secrecy**: Use ECDHE cipher suites
7. **Certificate Transparency**: Monitor CT logs for unauthorized certificates
## Troubleshooting
### Common Issues
1. **Permission Denied**
```bash
# Fix file permissions
sudo chown -R $USER:$USER config/ssl/
chmod -R 755 config/ssl/
chmod 600 config/ssl/*/server.key
```
2. **Certificate Verification Failed**
```bash
# Verify certificate
openssl x509 -in config/ssl/nginx/server.crt -text -noout
# Check certificate chain
openssl verify -CAfile config/ssl/nginx/ca.crt config/ssl/nginx/server.crt
```
3. **TLS Handshake Errors**
- Check certificate validity dates
- Verify certificate matches hostname
- Ensure proper cipher suite configuration
### Testing SSL Configuration
```bash
# Test SSL certificate
openssl s_client -connect your-domain.com:443 -servername your-domain.com
# Test with specific protocol
openssl s_client -connect your-domain.com:443 -tls1_2
# Check certificate expiration
openssl x509 -in config/ssl/nginx/server.crt -noout -dates
```
## Support
For certificate-related issues:
1. Check service logs: `docker-compose -f docker-compose.prod.yml logs [service-name]`
2. Verify certificate files exist and have correct permissions
3. Test SSL configuration with OpenSSL tools
4. Consult service-specific SSL documentation
Reference in New Issue View Git Blame Copy Permalink