debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

certtool failure not reported #74

Closed thoemy closed 8 years ago

thoemy commented 8 years ago

pki-realm may fail to generate a request.pem when the gnutls.conf file is invalid. In my case it complains about an unknown uri option.

```
$ certtool --generate-request --template gnutls.conf --load-privkey ../private/key.pem --outfile request.pem.tmp
error parsing command line: gnutls.conf: unknown option 'uri' at position 480 in config file
$ echo $?
11
```

The failure is not visible in the ansible output and one wonders why the realm is not correctly set up.

```yaml
pki_realms:
  - name: 'myrealm'
    authority: 'service'
    internal: True
    subject_alt_names:
      - 'ip:{{ ansible_default_ipv4.address }}'
      - 'uri:https://{{ ansible_domain }}/'
      - 'dns:*.{{ ansible_domain }}'
      - 'dns:{{ ansible_domain }}'
```

Removing the uri from the above realm configuration makes things work.

This happened with an older Debian wheezy system.

```
$ certtool --version
certtool (GnuTLS) 2.12.20
Packaged by Debian (2.12.20-8+deb7u5)

$ apt-cache policy gnutls-bin
gnutls-bin:
  Installed: 3.0.22-3+really2.12.20-8+deb7u5
  Candidate: 3.0.22-3+really2.12.20-8+deb7u5
  Version table:
 *** 3.0.22-3+really2.12.20-8+deb7u5 0
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
```

So the error from the certtool output should probably be shown to the user and the task aborted.

drybjed commented 8 years ago

Thanks for the bug report! Making sure that any errors are visible in the pki-realm output is definitely a good idea.

Does the error mean that the Wheezy certtool does not support the uri SAN option, or is it named differently, or SANs are not supported at all in this version? The gnutls.conf template should be updated to take these possibilities into account. Can you check to see which one of these is the reason for the error?

thoemy commented 8 years ago

From https://www.gnutls.org/abi-tracker/changelog/gnutls/3.4.4/log.html:

* Version 3.0.20 (released 2012-06-05)
...
** certtool: Added support for the URI subject alternative name type in certtool.
....

So the version in Debian wheezy does not support the uri SAN option. All other options are supported.

drybjed commented 8 years ago

@thoemy Great, thank you. I'll try and update the script shortly so that it won't add the uri SANs if the gnutls version is too old.
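
The two fixes discussed in this thread, as an added example written for this page rather than code from the ansible-pki project: a POSIX sh wrapper that reports certtool's stderr and exit code instead of swallowing them, and a template generator that drops `uri` SANs when the certtool version is older than 3.0.20 (the release the changelog above names). The function names, the `type:value` SAN input format and the `fake_certtool` stand-in that replays the error from the report are assumptions made here; the template option names `dns_name`, `ip_address`, `uri` and `email` are certtool's own.

```shell
#!/bin/sh
# Added example, not ansible-pki code. Gate 'uri' SANs on the certtool version
# and make a certtool failure visible instead of silently producing no request.

# version_ge A B -> true when dotted version A >= B, compared field by field
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# certtool_version_from TEXT -> the version on the first line of `certtool --version`
certtool_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^certtool (GnuTLS) \([0-9.]*\).*/\1/p'
}

# gnutls_san_template VERSION SAN... -> template lines for certtool; SANs are
# given as type:value (assumed format), and uri: entries are skipped with a
# comment when certtool VERSION predates 3.0.20
gnutls_san_template() {
    ver=$1; shift
    for san in "$@"; do
        type=${san%%:*}; value=${san#*:}
        case $type in
            dns)   printf 'dns_name = "%s"\n' "$value" ;;
            ip)    printf 'ip_address = "%s"\n' "$value" ;;
            email) printf 'email = "%s"\n' "$value" ;;
            uri)
                if version_ge "$ver" 3.0.20; then
                    printf 'uri = "%s"\n' "$value"
                else
                    printf '# skipped uri SAN %s: certtool %s < 3.0.20\n' "$value" "$ver"
                fi ;;
            *) printf 'unknown SAN type: %s\n' "$type" >&2; return 1 ;;
        esac
    done
}

# run_checked CMD ARGS... -> run CMD with stderr captured; on a non-zero exit
# print the captured stderr and the exit code, then return that code, so a
# failed certtool run is never silent
run_checked() {
    errf=$(mktemp) || return 1
    "$@" 2>"$errf"; rc=$?
    if [ "$rc" -ne 0 ]; then
        printf '%s failed with exit code %d:\n' "$1" "$rc" >&2
        cat "$errf" >&2
    fi
    rm -f "$errf"
    return "$rc"
}

# Constructed stand-in for the wheezy certtool: replays the reported error and
# exit status 11 without needing certtool installed.
fake_certtool() {
    echo "error parsing command line: gnutls.conf: unknown option 'uri' at position 480 in config file" >&2
    return 11
}

# Demonstration on the version output from the report (constructed input):
ver=$(certtool_version_from 'certtool (GnuTLS) 2.12.20
Packaged by Debian (2.12.20-8+deb7u5)')
echo "# SAN template for certtool $ver"
gnutls_san_template "$ver" 'ip:192.0.2.10' 'uri:https://example.com/' \
    'dns:*.example.com' 'dns:example.com'
run_checked fake_certtool --generate-request || echo "request generation aborted (see error above)"
```

In the pki-realm script the equivalent is to check certtool's status after every invocation and emit the captured stderr so it reaches the Ansible task output, rather than leaving `request.pem` missing with no message.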