search

debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0
65 stars 29 forks source link

Error every second pki run #125

Open erikschwalbe opened 6 years ago

erikschwalbe commented 6 years ago

I think since yesterday after a debops-update the pki role failed with every second run: TASK [debops.pki : Sign certificate requests for current hosts] ** fatal: [teamcity -> localhost]: FAILED! => {"changed": false, "cmd": ["./lib/pki-authority", "sign-by-host", "teamcity.domain.com"], "delta": "0:00:00.305034", "end": "2018-03-26 09:41:34.501734", "msg": "non-zero return code", "rc": 2, "start": "2018-03-26 09:41:34.196700", "stderr": "pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem (Exitcode: 2)\n\nDetails:\n/home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem: CN = teamcity.domain.com\nerror 47 at 0 depth lookup:permitted subtree violation", "stderr_lines": ["pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem (Exitcode: 2)", "", "Details:", "/home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem: CN = teamcity.domain.com", "error 47 at 0 depth lookup:permitted subtree violation"], "stdout": "", "stdout_lines": []}

drybjed commented 6 years ago

The "permitted subtree violation" error is related to use of nameConstraints extension. Basically, you tried to sign a certificate with a domain for which your CA is not allowed to sign certificates. Especially that the domain you tried to sign is .com...

I bet that you tried to create a host with FQDN similar to example.com. DebOps uses ansible_fqdn and ansible_domain variables in many roles, and with the FQDN like the above, the ansible_domain value would end up as .com, which cannot realistically work for a X.509 certificate. You should either change the hostname to something like host.example.com, in which case Ansible will detect the domain correctly, or enforce the values by setting pki_fqdn and pki_domain variables in the Ansible inventory.

erikschwalbe commented 6 years ago

sorry, there was a copy-paste failure. I want to use a normal wildcard ssl certificate from comodo.

drybjed commented 6 years ago

I see. Still, check what domains are recognized by your internal CA and what domains you tried to sign with it:

openssl x509 -in path/to/cert.pem -text -noout
erikschwalbe commented 6 years ago

openssl x509 -in ansible/secret/pki/realms/by-group/debops_service_pki/domain/external/all.domain.com.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 18:cc:82:0a:b9:7a:52:60:45:60:e0:b5:88:93:05:f9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Validity Not Before: Mar 20 00:00:00 2018 GMT Not After : May 19 23:59:59 2019 GMT Subject: OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)

Its a commercial wildcard certificate.

drybjed commented 6 years ago

So it's an external certificate? That changes things a bit... In that case it would be best if you put these certificates in their own PKI realm, not domain. This new realm could have the internal CA disabled so that the debops.pki CA does not try to sign the certificate over and over. You can do this by adding in the inventory:

pki_realms:
  - name: 'domain.com'
    internal: False
    acme: False

Then you can point services like nginx at this new PKI realm to use the external certificate.

erikschwalbe commented 6 years ago

Ok, sorry for that missing information. debops created the new realm. Is it possible to disable the domain realm? so, that there is only the commercial certificate.

drybjed commented 6 years ago

Sure, you could set pki_default_realms: [], and pki_system_realm: 'new.realm.name'. Although I'd keep thedomain` realm for inter-cluster communication if you have more hosts.

erikschwalbe commented 6 years ago

Sorry, but another question. If debops created the folder structure ansible/secret/pki/realms/by-group/debops_service_pki/example.com whats the prefered way to include the commercial certificate or where is the right place to copy? At the moment there are 2 folders: external and private But on the destination host the default.crt does not point to my certificate.

drybjed commented 6 years ago

The PKI realm is designed around a single private key, but if you are using external cert/key pair the key generated by the realm will be invalid (debops.pki does not update the realm key automatically). Remove the PKI realm to reset it.

Put your private key, in the private/ directory of the generated directory structure. Put your certificate, intermediate and root .pem files in the external/ directory. When you run debops.pki again, the role should copy the external CA files and use them automatically.

Read the external CA documentation for more details.