
Failure on task: Sign certificate requests for current hosts #121

Closed
scosist opened this issue Nov 2, 2017 · 3 comments

Comments

@scosist

scosist commented Nov 2, 2017

debops: 0.5.0
debops.pki: v0.2.14-50-gb98db7f

Running debops for a new host, using all defaults for pki

TASK [debops.pki : Sign certificate requests for current hosts] ****************
fatal: [my-host -> localhost]: FAILED! => 
{
  "changed": false,
  "cmd": [
    "./lib/pki-authority",
    "sign-by-host",
    "my-host.fqdn"
  ],
  "delta": "0:00:00.079191",
  "end": "2017-11-02 07:50:07.169723",
  "failed": true,
  "msg": "non-zero return code",
  "rc": 2,
  "start": "2017-11-02 07:50:07.090532",
  "stderr": "pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/myuser/fivepointoh/ansible/secret/pki/realms/by-host/my-host.fqdn/domain/internal/cert.pem (Exitcode: 2)\n\nDetails:\n/home/myuser/fivepointoh/ansible/secret/pki/realms/by-host/my-host.fqdn/domain/internal/cert.pem: CN = my-host.fqdn\nerror 47 at 0 depth lookup:permitted subtree violation",
  "stderr_lines": [
    "pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/myuser/fivepointoh/ansible/secret/pki/realms/by-host/my-host.fqdn/domain/internal/cert.pem (Exitcode: 2)",
    "",
    "Details:",
    "/home/myuser/fivepointoh/ansible/secret/pki/realms/by-host/my-host.fqdn/domain/internal/cert.pem: CN = my-host.fqdn",
    "error 47 at 0 depth lookup:permitted subtree violation"
  ],
  "stdout": "",
  "stdout_lines": []
}

I don't get the error the first time but it happens on every subsequent run. If I remove the internal/gnutls.conf and internal/request.pem files as suggested at the bottom of this page in the docs: https://docs.debops.org/en/latest/ansible/roles/ansible-pki/docs/internal-ca.html then it runs fine.

Is there a minimal configuration recommended or required to get this task to succeed so I don't have to delete these files before each run? Still trying to wrap my head around other roles before I deal with pki.

@drybjed
Member

drybjed commented Nov 3, 2017

The "permitted subtree violation" error most likely means that you tried to request a certificate for a domain which was outside of the scope of permitted domains for the internal CA. The default internal CA generated by DebOps is not allowed to sign domains other than the ones specified in the CA certificate, controlled by the item.name_constraints parameter. You can read more about it in #105, where this was introduced.

If that's the case, I would try removing the existing CA from the Ansible Controller's secret/pki/ directory, and creating them from scratch, with nameConstraints extension disabled. That should probably do the trick.

@scosist
Author

scosist commented Nov 4, 2017

You were right, it was an issue with nameConstraints. Instead of disabling it altogether I took a look at the original authority config in secret/pki/. It turns out it was failing because the 'domain' it picked up was the ansible hostname.
pki_ca_domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'

All I needed to do to keep nameConstraints error-free (after removing the existing CA from the controller and those two files from the client) was make sure ansible_domain was getting populated or pki_ca_domain was set to my preferred domain before creating PKI authorities.

@scosist scosist closed this as completed Nov 4, 2017
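Added reproduction of the "permitted subtree violation" behaviour discussed in this thread, written with plain openssl rather than debops.pki's own pki-authority/gnutls tooling (this is not code from the project or the commenters). The CA domain standing in for pki_ca_domain and both host names are constructed; the point is that a CA carrying a nameConstraints permittedSubtree rejects a leaf whose FQDN falls outside it, which is exactly what happens when pki_ca_domain silently resolves to the bare ansible_hostname.

```shell
#!/bin/sh
# Added reproduction (not debops.pki's own code): build a throwaway internal CA
# whose nameConstraints permit only one DNS subtree, sign one host inside and one
# outside it, and see which leaf openssl verify rejects.
CA_DOMAIN="example.internal"        # constructed stand-in for pki_ca_domain
WORK="$(mktemp -d)"

# CA with a critical permittedSubtree on DNS names. The real debops CA is built
# by gnutls certtool from item.name_constraints; the extension is the same.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Test Internal CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:${CA_DOMAIN}
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert FQDN: sign a leaf for FQDN (CN and DNS SAN) with the CA above.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_cert FQDN: prints "ok", "permitted-subtree-violation" or the raw
# openssl verify error, mirroring the check pki-authority runs before signing.
verify_cert() {
  if out="$(openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1)"; then
    echo ok
  elif printf '%s\n' "$out" | grep -q 'permitted subtree violation'; then
    echo permitted-subtree-violation
  else
    echo "$out"
  fi
}

issue_cert "web.$CA_DOMAIN"        # FQDN inside the permitted subtree
issue_cert "my-host.other.test"    # FQDN in a domain the CA may not sign
echo "web.$CA_DOMAIN: $(verify_cert "web.$CA_DOMAIN")"
echo "my-host.other.test: $(verify_cert my-host.other.test)"
```

Setting pki_ca_domain to the domain your hosts actually live in, as the thread concludes, is the equivalent of putting the host inside the permitted subtree rather than dropping the constraint.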
@romor001

romor001 commented Sep 28, 2019

Hint for the noobs (as I am one):

Create a file called pki.yml in project_directory/ansible/inventory/group_vars/all with the content

pki_ca_domain: "your.domain.com"

Delete the pki directory under secret/ and re-run debops.
