Update default nameConstraints to allow subdomains
'permitted;DNS:${config_domain}' only allows names which exactly match
${config_domain}. 'permitted;DNS:.${config_domain}' (notice the extra ".") only
allows expanded labels, but not ${config_domain} itself. Let's have the best of
both worlds by combining the two name constraints together, which allows both
${config_domain} and expanded labels.

OpenSSL throws `error 47 at 0 depth lookup: permitted subtree violation; error
hcert.pem: verification failed` when using this role with critical
nameConstraints. That's why I removed the 'critical' property. This might be
better for backwards compatibility as well. Modern software will still refuse
to accept the certificate when the name is outside the nameConstraints space.
For example, Mozilla Firefox 60.6.1esr-1~deb9u1 will fail to connect with
'SEC_ERROR_CERT_NOT_IN_NAME_SPACE', and curl 7.52.1-5+deb9u9 fails with '(60)
SSL certificate problem: permitted subtree violation'.
imrejonk committed Mar 27, 2019
1 parent 2050c66 commit 8bb7858
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -138,7 +138,7 @@ get_openssl_name_constraints_directive () {
local name_constraints
case "${config['name_constraints']}" in
true|True)
name_constraints="nameConstraints = critical, permitted;DNS:${config_domain}"
name_constraints="nameConstraints = permitted;DNS:${config_domain},permitted;DNS:.${config_domain}"
;;
false|False)
name_constraints=""
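Review bot: dropping `critical` from the changed `name_constraints=` line is the wrong fix for the failure the commit message describes, and it weakens the control. `error 47 at 0 depth lookup: permitted subtree violation` means the leaf certificate (`hcert.pem`, depth 0) carried a name outside the permitted subtree, so the constraint was doing its job; making the extension non-critical does not change that verdict for verifiers that implement nameConstraints (the quoted Firefox `SEC_ERROR_CERT_NOT_IN_NAME_SPACE` and curl `permitted subtree violation` failures show this), it only lets verifiers that do not implement the extension accept certificates from this CA with no name restriction at all. RFC 5280 section 4.2.1.10 requires conforming CAs to mark nameConstraints critical. Suggest keeping `nameConstraints = critical, permitted;DNS:${config_domain},permitted;DNS:.${config_domain}` and instead finding which subjectAltName or CN of the leaf falls outside `${config_domain}`. A second point on the same line: RFC 5280 defines a dNSName constraint as matching the base name itself plus any name formed by adding labels on the left, so it is worth confirming with a test leaf (SAN `host.${config_domain}`) whether the second, leading-dot entry is actually needed before relying on it, as that form is stored literally in the extension.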
