Closed mikenowak closed 5 years ago
You should be able to drop the wildcard with this configuration:

```yaml
pki_realms:
  - name: 'host1.internal.example.jp'
    acme: False
    default_subdomains: []
```
This produces in my development environment:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            90:cc:e0:a7:56:9d:09:6c:1e:41:4b:94:c6:25:aa:a4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Deb8, OU = Domain CA
        Validity
            Not Before: Sep 26 09:35:05 2018 GMT
            Not After : Sep 25 09:35:05 2021 GMT
        Subject: CN = host1.internal.example.jp
        ...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                98:3E:7E:77:F3:4D:BC:9E:38:2F:24:3D:EE:AA:D5:9F:34:CC:F4:F9
            X509v3 Subject Alternative Name:
                DNS:host1.internal.example.jp
```
I realize that currently debops.pki has a bit of a convoluted and in some places redundant configuration... The role was designed a long time ago; now DebOps has somewhat better tools to handle configuration merging from multiple sources (role defaults, Ansible local facts, Ansible inventory). The debops.pki role still needs to be revamped to, for example, switch to the namespaced variables. Probably at that time the configuration will be modernized a bit.
BTW, you should switch to the DebOps monorepo if you haven't yet, the development is now done there instead of in the individual role repositories.
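As an added example (not part of this thread or of the debops.pki role), here is a small stdlib-only Python check that parses the `openssl x509 -text` output shown above, lists the DNS names in the Subject Alternative Name extension, and flags two things a host certificate should not carry: wildcard entries, and names outside the host's own scope (such as the parent zone `internal.example.jp`). The two sample certificate texts are constructed from the certificates discussed in this thread; the function names are my own.

```python
import re

# Constructed sample: the SAN list this thread is trying to get rid of
# (wildcards plus the parent zone), in `openssl x509 -text` layout.
SAMPLE_BEFORE = """\
Certificate:
    Data:
        Issuer: O = Deb8, OU = Domain CA
        Subject: CN = host1.internal.example.jp
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host1.internal.example.jp, DNS:*.host1.internal.example.jp, DNS:*.internal.example.jp, DNS:internal.example.jp
"""

# Constructed sample: the certificate produced after the configuration change.
SAMPLE_AFTER = """\
Certificate:
    Data:
        Issuer: O = Deb8, OU = Domain CA
        Subject: CN = host1.internal.example.jp
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host1.internal.example.jp
"""


def parse_subject_cn(text):
    """Return the CN from the 'Subject:' line of openssl text output, or None."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    return m.group(1).strip() if m else None


def parse_san_dns(text):
    """Return the DNS: entries of the Subject Alternative Name extension."""
    m = re.search(
        r"X509v3 Subject Alternative Name:[ \t]*(?:critical)?[ \t]*\n[ \t]*(.+)",
        text,
    )
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def audit_san(text):
    """Summarise SAN hygiene for a single host certificate.

    wildcards:          any '*.' entry (broader than one host name)
    outside_host_scope: entries that are neither the CN nor under the CN
                        (e.g. the parent zone), which a host cert should not carry
    cn_in_san:          modern clients ignore the CN, so it must also be a SAN
    """
    cn = parse_subject_cn(text)
    names = parse_san_dns(text)
    wildcards = [n for n in names if n.startswith("*.")]
    outside = [n for n in names if cn and n != cn and not n.endswith("." + cn)]
    return {
        "cn": cn,
        "dns_names": names,
        "wildcards": wildcards,
        "outside_host_scope": outside,
        "cn_in_san": cn in names,
    }


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_san(sample))
```

The same check can be run against a live certificate by piping `openssl x509 -in cert.pem -noout -text` into `audit_san`; an empty `wildcards` and `outside_host_scope` list with `cn_in_san` true is the state the configuration above is meant to reach.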
@drybjed hi,
thanks for quick response and pointing me in the right direction.
For the benefit of anyone else who may come across this, the solution turns out to be as follows:

```yaml
pki_realms:
  - name: 'domain'
    acme: False
    default_domain: '{{ ansible_fqdn }}'
    default_subdomains: []
```
I am indeed using the monorepo, I just didn't realise that I was filing this issue in the wrong place.
Looking at the domain certificates generated by this role, I have already found that setting `pki_default_realms` to the below removes the `*.host1.internal.example.jp` and `*.internal.example.jp` from SAN, but I currently can't figure out if there is a way to remove just the `internal.example.jp`.
So what I am looking for is this:
Unless of course this is there for a reason, and if so just let me know.