debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

pki role generates invalid certificate with "permitted subtree violation" #129

Open rochecompaan opened 4 years ago

rochecompaan commented 4 years ago

I'm trying to generate a Let's Encrypt certificate for a domain but I'm not having any luck.

I consulted the numerous other issues related to the pki role but I couldn't find a clear answer. I should note that the certificate is for a domain different to that of the host's domain.

I have the following pki config in ansible/inventory/host_vars/flowww/pki.yml:

---
pki_realms:
    - name: 'staging.mycity.co.za'
      acme: True
      acme_domains: []
      acme_default_subdomains: []
      acme_ca: 'le-staging-v2'

I get the following error:

fatal: [flowww -> localhost]: FAILED! => changed=false
  cmd:
  - ./lib/pki-authority
  - sign-by-host
  - flowww.upfronthosting.co.za
  delta: '0:00:00.175256'
  end: '2020-05-26 14:33:43.809087'
  msg: non-zero return code
  rc: 2
  start: '2020-05-26 14:33:43.633831'
  stderr: |-
    pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/roche/debops/servers/ansible/secret/pki/realms/by-host/flowww.upfronthosting.co.za/staging.mycity.co.za/internal/cert.pem (Exitcode: 2)

    Details:
    CN = staging.mycity.co.za
    error 47 at 0 depth lookup: permitted subtree violation
    error /home/roche/debops/servers/ansible/secret/pki/realms/by-host/flowww.upfronthosting.co.za/staging.mycity.co.za/internal/cert.pem: verification failed
  stderr_lines: <omitted>
  stdout: ''

This is the output of openssl x509 -in /home ansible/secret/pki/realms/by-host/flowww.upfronthosting.co.za/staging.mycity.co.za/internal/cert.pem -text -noout:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            19:e5:ce:27:e5:0a:22:61:bb:38:07:0d:fa:78:21:64
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Upfronthosting, OU = Domain CA
        Validity
            Not Before: May 26 12:26:43 2020 GMT
            Not After : May 26 12:26:43 2023 GMT
        Subject: CN = staging.mycity.co.za
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c6:60:82:86:bb:10:7f:90:f7:1e:94:9a:6e:c8:
                    4f:90:76:d1:35:84:ae:e4:ba:d3:b4:51:b1:c0:51:
                    cf:50:ca:16:95:51:69:79:1f:dd:aa:6e:8d:96:0f:
                    ac:47:9b:25:cd:9d:d7:a8:85:e3:cb:ae:87:16:19:
                    54:a8:ff:73:5f:d9:a4:a5:6d:09:4f:3e:4e:2c:b4:
                    d3:15:51:c3:61:99:a9:b1:fc:43:17:d9:bc:de:b7:
                    b7:51:ab:56:a6:6a:e6:1c:bc:b7:a0:89:6f:e8:55:
                    bc:64:c5:af:21:8f:53:49:c3:90:a1:63:37:51:ed:
                    e1:1b:ab:b4:ae:af:9b:a4:50:af:c0:cb:9d:8c:e3:
                    4e:43:c5:ea:02:8f:ea:ae:61:70:fe:c7:6a:62:ac:
                    8f:f7:c6:20:c1:2c:a9:af:00:e2:8f:2e:c2:aa:2b:
                    82:70:82:d7:f9:8e:71:68:a5:eb:65:1e:74:e5:3a:
                    60:7c:39:b7:6e:af:11:fc:1e:fa:86:9a:d1:fd:b0:
                    35:78:24:a7:53:07:38:fc:d2:d9:62:35:5f:f5:8c:
                    ad:6a:8f:c3:61:02:79:4b:70:53:66:50:2d:0a:57:
                    85:6a:b8:72:3d:6a:a7:c6:39:f4:58:94:6a:95:00:
                    90:d6:72:ba:19:ba:4c:8d:f5:64:c0:aa:a1:c8:6c:
                    36:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://domain-ca.upfronthosting.co.za/crt/
                OCSP - URI:http://domain-ca.upfronthosting.co.za/ocsp/

            X509v3 Authority Key Identifier:
                keyid:36:22:C6:14:D7:FD:BF:7A:D9:07:81:0B:BF:1E:2F:22:92:1C:E7:CB
                DirName:/O=Upfronthosting Certificate Authority
                serial:76:33:37:78:69:9E:1D:18:A8:50:89:C7:5B:E0:2D:2D

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://domain-ca.upfronthosting.co.za/crl/

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                C1:DF:47:9E:1F:C3:53:88:3D:CE:C5:14:9E:AC:36:9B:F4:48:95:9A
            X509v3 Subject Alternative Name:
                DNS:staging.mycity.co.za, DNS:*.staging.mycity.co.za
    Signature Algorithm: sha256WithRSAEncryption
         06:f9:d8:88:2d:54:c5:49:f1:93:61:ed:a3:64:07:a0:94:02:
         f4:72:a6:f0:90:e8:b9:74:9a:8d:ab:87:34:e0:9e:64:f7:57:
         fe:b0:71:48:62:37:f9:5c:e4:f3:bd:86:22:96:f8:01:33:21:
         fc:53:d0:b1:36:d0:39:2b:8d:48:20:22:59:64:bb:37:89:40:
         52:4a:df:91:2f:4b:fa:d3:f9:88:c3:a9:67:11:cd:d9:da:84:
         d9:ed:e0:7b:90:c2:70:6c:b2:e4:18:e2:bd:59:9b:23:0d:99:
         4a:c9:67:6d:f6:27:88:69:ee:53:42:f8:34:dc:fa:01:19:6c:
         38:e3:d6:25:6a:93:c3:1b:bf:a8:d5:13:a8:78:0c:6a:2a:76:
         c1:be:f7:34:be:7c:8c:49:53:38:36:9d:54:e7:05:ba:df:9f:
         a3:1c:5c:cc:62:8a:c3:ff:d8:94:a0:11:70:1f:93:e3:63:4d:
         09:56:d8:b0:7f:1c:21:90:a6:e1:3c:e1:a4:0e:37:86:66:1f:
         03:e0:92:2d:21:0c:07:9c:77:11:a3:9f:a1:36:bd:3f:be:f0:
         ac:dd:fb:91:ac:64:e0:c1:e7:fb:70:78:d6:c6:39:fb:c6:c7:
         d6:c7:9e:8c:91:f3:06:6f:5b:c2:54:ef:a1:9b:fc:34:95:27:
         db:fe:de:ea:cd:ea:b3:17:b5:48:0f:01:97:c1:92:bc:44:0e:
         65:6c:79:46:56:18:0f:8f:57:98:16:9d:ea:49:6f:5e:f2:13:
         aa:08:9f:f7:33:1c:23:63:bf:be:23:6a:39:36:3c:c0:fe:f4:
         72:d8:97:64:a5:57:69:90:46:97:8e:18:7f:d3:73:82:37:2b:
         00:80:dd:bb:39:8f:dc:97:4a:26:4f:dd:51:10:86:bb:de:e9:
         45:c3:eb:e5:9e:af:45:5d:03:d5:9c:df:17:be:03:c7:d9:26:
         77:d8:51:0b:9f:21:28:08:a3:59:45:60:d6:a8:b5:f3:30:83:
         1c:55:24:7c:5b:c1:5d:37:ac:e5:1b:e9:c9:2c:25:a6:2c:bb:
         bc:66:36:f5:89:0c:f1:83:4a:33:65:69:a2:05:13:19:44:f4:
         d4:f7:dc:63:c5:e1:0a:78:cc:bc:fa:86:a9:36:33:dd:5f:bd:
         69:77:15:b6:4a:41:2d:7f:85:a3:30:4f:bc:01:10:50:30:3c:
         6c:3f:64:d5:ea:ea:15:ca:3f:e0:01:66:85:fb:3c:7a:29:cc:
         f0:b5:1b:cc:3e:47:e4:f9:ac:0e:bb:5a:ac:2e:86:b7:7f:a6:
         17:47:35:d1:aa:99:57:20:b6:99:d8:af:f1:66:20:25:84:87:
         c5:71:5b:fc:52:d8:bc:b2

I would appreciate any help.
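OpenSSL's `error 47 ... permitted subtree violation` (X509_V_ERR_PERMITTED_VIOLATION) means a name in the leaf certificate falls outside the dNSName subtrees that an issuer in the chain permits through its Name Constraints extension; the check runs on the SAN entries, which here are `staging.mycity.co.za` and `*.staging.mycity.co.za`. The following is an added example, not code from this issue or from the debops project: it re-implements the dNSName matching rule (RFC 5280 section 4.2.1.10, as OpenSSL applies it) so a planned SAN list can be tested against a CA's constraints before a signing run fails. The issue does not show the Domain CA certificate, so the constraint value `upfronthosting.co.za` is an assumption chosen to reproduce the reported error; the names `DnsNameConstraints`, `dns_name_in_subtree`, `check_dns_names` and `diagnose` are hypothetical helpers introduced for the example.

```python
# Added example (not part of the ansible-pki issue or the debops project):
# re-implements the dNSName Name Constraints check so a certificate's SAN
# list can be tested against an issuing CA's constraints before a sign
# attempt fails with "permitted subtree violation" (OpenSSL verify error 47).
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

PERMITTED_VIOLATION = "permitted subtree violation"   # X509_V_ERR_PERMITTED_VIOLATION
EXCLUDED_VIOLATION = "excluded subtree violation"     # X509_V_ERR_EXCLUDED_VIOLATION


@dataclass
class DnsNameConstraints:
    """dNSName entries of a CA's Name Constraints extension (hypothetical helper)."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def dns_name_in_subtree(name: str, base: str) -> bool:
    """Return True if `name` lies inside the subtree rooted at `base`.

    Follows RFC 5280 4.2.1.10 as OpenSSL implements it: a base of
    "example.com" covers example.com itself and any name built by adding
    labels on the left (host.example.com); a base written with a leading
    dot (".example.com") covers only names below it. Comparison is
    case-insensitive and a wildcard label ("*.example.com") is treated as
    an ordinary label, so it must also sit inside the subtree.
    """
    name, base = name.lower(), base.lower()
    if base == "":                  # an empty constraint matches everything
        return True
    if len(base) > len(name):       # the name is shorter than the subtree root
        return False
    if len(name) > len(base):
        # Extra labels on the left must end at a label boundary unless the
        # base itself starts with a dot.
        if not base.startswith(".") and name[-len(base) - 1] != ".":
            return False
        name = name[-len(base):]
    return name == base


def check_dns_names(names: Iterable[str],
                    nc: DnsNameConstraints) -> Dict[str, Optional[str]]:
    """Map each dNSName to None (acceptable) or the verify error it would raise.

    A name is rejected if it lies in any excluded subtree, or if permitted
    subtrees exist and the name lies in none of them.
    """
    result: Dict[str, Optional[str]] = {}
    for n in names:
        if any(dns_name_in_subtree(n, ex) for ex in nc.excluded):
            result[n] = EXCLUDED_VIOLATION
        elif nc.permitted and not any(dns_name_in_subtree(n, p) for p in nc.permitted):
            result[n] = PERMITTED_VIOLATION
        else:
            result[n] = None
    return result


# Names taken from the SAN of the certificate printed in the issue.
ISSUE_SAN = ("staging.mycity.co.za", "*.staging.mycity.co.za")

# ASSUMPTION: the "Domain CA" in the issue carries a Name Constraints
# extension permitting only the host's own domain. The issue does not show
# the CA certificate; this value is a guess used to reproduce error 47.
ASSUMED_DOMAIN_CA = DnsNameConstraints(permitted=["upfronthosting.co.za"])


def diagnose(names: Iterable[str] = ISSUE_SAN,
             nc: DnsNameConstraints = ASSUMED_DOMAIN_CA) -> Dict[str, Optional[str]]:
    """Evaluate a SAN list against a CA's constraints; defaults use the issue's values."""
    return check_dns_names(names, nc)


if __name__ == "__main__":
    for name, err in diagnose().items():
        print(f"{name}: {err or 'OK'}")
    # A host name under the CA's own domain is accepted by the same constraint.
    for name, err in diagnose(["flowww.upfronthosting.co.za"]).items():
        print(f"{name}: {err or 'OK'}")
```

With the assumed constraint, both SAN entries from the issue come back as `permitted subtree violation`, while `flowww.upfronthosting.co.za` passes, which matches the distinction the poster describes between the host's own domain and the unrelated one. To check the real constraint rather than the assumed one, read the `X509v3 Name Constraints` section from `openssl x509 -text -noout` on the issuing CA certificate and feed its `Permitted`/`Excluded` DNS entries into `DnsNameConstraints`.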