Failure on task: Sign certificate requests for current hosts #121
The "permitted subtree violation" error most likely means that you tried to request a certificate to a domain which was outside of the scope of permitted domains for the internal CA. The default internal CA generated by DebOps is not allowed to sign domains other than the ones specified in the CA certificate, controlled by the If that's the case, I would try removing the existing CA from the Ansible Controller's
You were right, it was an issue with All I needed to do to keep
Hint for the noobs (as I am one): Create a file called `pki.yml` in `project_directory/ansible/inventory/group_vars/all` with the content `pki_ca_domain: "your.domain.com"`. Delete the `pki` directory under `secret/` and re-run debops.
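The name-constraint check behind the "permitted subtree violation" error, as an added example that is not part of the original thread or of DebOps itself: it applies the RFC 5280 dNSName matching rule to a list of requested names. The host names are constructed, and treating the `pki_ca_domain` value from the hint above as the CA's only permitted subtree is an assumption.

```python
"""Pre-flight check: which host names fall outside a CA's permitted DNS subtree.

Added example. The matching rule is the dNSName rule from RFC 5280
section 4.2.1.10, not code taken from DebOps. All host names are constructed.
"""


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".").split(".")


def in_permitted_subtree(hostname: str, permitted: str) -> bool:
    """True if hostname equals permitted or adds whole labels to its left."""
    host, base = _labels(hostname), _labels(permitted)
    if not all(host) or not all(base):
        return False  # an empty label (e.g. "a..b" or "") is never valid
    # Compare label by label so "notyour.domain.com" does not match
    # "your.domain.com" the way a plain string suffix test would.
    return len(host) >= len(base) and host[-len(base):] == base


def violations(hostnames: list[str], permitted: list[str]) -> list[str]:
    """Return the names that no permitted subtree covers, in input order."""
    return [h for h in hostnames
            if not any(in_permitted_subtree(h, p) for p in permitted)]


if __name__ == "__main__":
    # Assumption: the CA's permitted subtree is the pki_ca_domain value.
    ca_domains = ["your.domain.com"]
    requested = [                      # constructed sample certificate names
        "web1.your.domain.com",
        "your.domain.com",
        "web1.other.example.org",
        "notyour.domain.com",
    ]
    for name in violations(requested, ca_domains):
        print(f"outside permitted subtree: {name}")
```

Running it against the FQDNs in the inventory before the first DebOps run shows which hosts the internal CA would refuse to sign for.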
debops: 0.5.0
debops.pki: v0.2.14-50-gb98db7f
Running debops for a new host, using all defaults for pki
I don't get the error the first time but it happens on every subsequent run. If I remove the `internal/gnutls.conf` and `internal/request.pem` files as suggested at the bottom of this page in the docs: https://docs.debops.org/en/latest/ansible/roles/ansible-pki/docs/internal-ca.html then it runs fine.

Is there minimal configuration recommended or required to get this task to succeed so I don't have to delete these files before each run? Still trying to wrap my head around other roles before I deal with pki.