Closed scosist closed 6 years ago
The "permitted subtree violation" error most likely means that you tried to request a certificate to a domain which was outside of the scope of permitted domains for the internal CA. The default internal CA generated by DebOps is not allowed to sign domains other than the ones specified in the CA certificate, controlled by the item.name_constraints parameter. You can read more about it in https://github.com/debops/ansible-pki/pull/105 where this was introduced.
If that's the case, I would try removing the existing CA from the Ansible Controller's secret/pki/ directory, and creating them from scratch, with the nameConstraints extension disabled. That should probably do the trick.
You were right, it was an issue with nameConstraints. Instead of disabling it altogether I took a look at the original authority config in secret/pki/. It turns out it was failing because the 'domain' it picked up was the ansible hostname.

pki_ca_domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'

All I needed to do to keep nameConstraints error free (after removing the existing CA from the controller and those two files from the client) was make sure ansible_domain was getting populated or pki_ca_domain was set to my preferred domain before creating PKI authorities.
Hint for the noobs (as I am one):

Create a file called pki.yml in project_directory/ansible/inventory/group_vars/all with the content

pki_ca_domain: "your.domain.com"

Delete the pki directory under secret/ and re-run debops.
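To make the nameConstraints behaviour discussed above concrete, here is an added example (not DebOps or ansible-pki code, and it uses OpenSSL rather than the GnuTLS certtool the role runs). It builds a throwaway CA whose certificate is constrained to names under a permitted domain, then issues two leaf certificates and checks them against the CA: one inside the permitted subtree verifies, one outside it fails with OpenSSL's "permitted subtree violation". The permitted domain `example.com`, the hostnames and all file names are constructed for the demonstration; the PERMITTED variable stands in for what pki_ca_domain ends up being in the role.

```shell
#!/bin/sh
# Constructed demonstration of an X.509 nameConstraints check with OpenSSL.
# The CA below may only sign names under ".$PERMITTED" (assumption: this
# mirrors the role's pki_ca_domain); anything else fails chain verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PERMITTED="example.com"   # constructed value standing in for pki_ca_domain

# Create a self-signed CA carrying a critical nameConstraints extension.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constrained Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:.$PERMITTED
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $1 with a matching DNS SAN.
# Signing itself succeeds either way; the constraint is enforced at verify time.
issue_leaf() {
  name=$1
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$name
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -config "$WORK/$name.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$name.cnf" -extensions leaf_ext \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Verify leaf $1 against the CA and classify the outcome:
#   ok                   chain verifies
#   constraint_violation CA's nameConstraints reject the leaf's names
#   other_failure        any other verification error
check_leaf() {
  out=$(openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"permitted subtree violation"*) echo constraint_violation ;;
    *) echo other_failure ;;
  esac
  return 0
}

make_ca
issue_leaf "host.$PERMITTED"   # inside the permitted subtree
issue_leaf "host.other.net"    # outside it, like a CA built for the wrong domain
echo "host.$PERMITTED -> $(check_leaf "host.$PERMITTED")"
echo "host.other.net -> $(check_leaf host.other.net)"
```

The second outcome is the situation described in the thread: the CA is fine, but it was minted for a domain (here `example.com`, in the thread the bare ansible_hostname) that does not cover the names later requested from it. Inspecting the existing CA with `openssl x509 -in ca.crt -noout -text` and reading its "X509v3 Name Constraints" block tells you which subtree it permits before you decide whether to regenerate it.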
debops: 0.5.0 debops.pki: v0.2.14-50-gb98db7f
Running debops for a new host, using all defaults for pki
I don't get the error the first time but it happens on every subsequent run. If I remove the internal/gnutls.conf and internal/request.pem files as suggested at the bottom of this page in the docs: https://docs.debops.org/en/latest/ansible/roles/ansible-pki/docs/internal-ca.html then it runs fine. Is there minimal configuration recommended or required to get this task to succeed so I don't have to delete these files before each run? Still trying to wrap my head around other roles before I deal with pki.