debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0
65 stars 29 forks

No wildcard/domain in the 'domain' realm certificates #128

Closed mikenowak closed 5 years ago

mikenowak commented 5 years ago

Looking at the domain certificates generated by this role

        Subject: CN = host1.internal.example.jp
...
            X509v3 Subject Alternative Name: 
                DNS:internal.example.jp, DNS:*.host1.internal.example.jp, 
                DNS:host1.internal.example.jp, DNS:*.internal.example.jp

I have already found that setting pki_default_realms to the below removes the *.host1.internal.example.jp and *.internal.example.jp from the SAN, but I currently can't figure out if there is a way to remove just the internal.example.jp

pki_default_realms:
  - name: 'domain'
    acme: False
    default_subdomains:
      - '{{ ansible_hostname }}'

So what I am looking for is this:

        Subject: CN = host1.internal.example.jp
...
            X509v3 Subject Alternative Name: 
                DNS:host1.internal.example.jp

Unless of course this is there for a reason, and if so just let me know.

drybjed commented 5 years ago

You should be able to drop the wildcard with this configuration:

pki_realms:
  - name: 'host1.internal.example.jp'
    acme: False
    default_subdomains: []

This produces in my development environment:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            90:cc:e0:a7:56:9d:09:6c:1e:41:4b:94:c6:25:aa:a4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Deb8, OU = Domain CA
        Validity
            Not Before: Sep 26 09:35:05 2018 GMT
            Not After : Sep 25 09:35:05 2021 GMT
        Subject: CN = host1.internal.example.jp
...
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                98:3E:7E:77:F3:4D:BC:9E:38:2F:24:3D:EE:AA:D5:9F:34:CC:F4:F9
            X509v3 Subject Alternative Name: 
                DNS:host1.internal.example.jp

I realize that debops.pki currently has a somewhat convoluted and in some places redundant configuration... The role was designed a long time ago; now DebOps has better tools to handle configuration merging from multiple sources (role defaults, Ansible local facts, Ansible inventory). The debops.pki role still needs to be revamped to, for example, switch to the namespaced variables. Probably at that time the configuration will be modernized a bit.

BTW, you should switch to the DebOps monorepo if you haven't yet, the development is now done there instead of in the individual role repositories.

mikenowak commented 5 years ago

@drybjed hi,

thanks for quick response and pointing me in the right direction.

For the benefit of anyone else who may come across this the solution turns out to be as follows

pki_realms:
  - name: 'domain'
    acme: False
    default_domain: '{{ ansible_fqdn }}'
    default_subdomains: []

I am indeed using the monorepo, I just didn't realise that I was filing this issue in the wrong place.
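A check that goes with the configuration change above: after the role has issued the 'domain' realm certificate, confirm that its subjectAltName carries exactly the host FQDN and no wildcard or bare-domain entries. The script below is an added example, not part of debops.pki or of this thread. It assumes only the openssl command line tool (1.1.1 or newer for -addext); the two certificates it inspects are constructed on the fly from the SAN lists quoted in the issue (the "before" set with four names, the "after" set with one), standing in for the role's real output.

```shell
#!/bin/sh
# Added example, not part of debops.pki: verify that a 'domain' realm
# certificate carries exactly one DNS SAN entry (the host FQDN) and no
# wildcard or bare-domain entries. Needs the openssl CLI (1.1.1+ for -addext).

# Print the DNS names from a certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { f = 1; next }
             f && !/DNS:|IP Address:|email:|URI:/ { f = 0 }
             f { print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed only if every DNS SAN entry equals the expected FQDN.
# Wildcards and any other name (such as the bare domain) fail the check.
check_san() {
    cert=$1
    expected=$2
    names=$(san_dns_names "$cert")
    [ -n "$names" ] || { echo "$cert: no DNS entries in SAN" >&2; return 1; }
    status=0
    # read line by line so that '*' entries are never subject to globbing
    while IFS= read -r n; do
        [ -n "$n" ] || continue
        case $n in
            "$expected") ;;
            \**)        echo "$cert: wildcard SAN entry $n" >&2; status=1 ;;
            *)          echo "$cert: unexpected SAN entry $n" >&2; status=1 ;;
        esac
    done <<EOF
$names
EOF
    return $status
}

# Create a throwaway self-signed certificate with the given SAN list
# (constructed test data standing in for the role's output).
make_demo_cert() {
    out=$1
    cn=$2
    san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

host=host1.internal.example.jp
# SAN as reported in the issue before the configuration change
make_demo_cert "$demo_dir/before.pem" "$host" \
    "DNS:internal.example.jp,DNS:*.$host,DNS:$host,DNS:*.internal.example.jp"
# SAN as produced after setting default_subdomains: []
make_demo_cert "$demo_dir/after.pem" "$host" "DNS:$host"

for c in before after; do
    if check_san "$demo_dir/$c.pem" "$host"; then
        echo "$c.pem: OK, SAN is exactly DNS:$host"
    else
        echo "$c.pem: FAIL"
    fi
done
```

Point check_san at the certificate the role wrote (by default under /etc/pki/realms/domain/ on the managed host) and the FQDN from ansible_fqdn; a non-zero exit with the offending entry on stderr means the realm is still emitting wildcard or domain-level names and the pki_realms entry needs the default_subdomains: [] override.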