Failure on task: Sign certificate requests for current hosts about ansible-pki HOT 3 CLOSED

The "permitted subtree violation" error most likely means that you tried to request a certificate to a domain which was outside of the scope of permitted domains for the internal CA. The default internal CA generated by DebOps is not allowed to sign domains other than the ones specified in the CA certificate, controlled by the item.name_constraints parameter. You can read more about it in #105 where this was introduced.

If that's the case, I would try removing the existing CA from the Ansible Controller's secret/pki/ directory, and creating them from scratch, with nameConstraints extension disabled. That should probably do the trick.

from ansible-pki.

You were right, it was an issue with nameConstraints. Instead of disabling it altogether I took a look at the original authority config in secret/pki/. It turns out it was failing because the 'domain' it picked up was the ansible hostname.
pki_ca_domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'

All I needed to do to keep nameConstraints error free (after removing the existing CA from the controller and those two files from the client) was make sure ansible_domain was getting populated or pki_ca_domain was set to my preferred domain before creating PKI authorities.

from ansible-pki.

Hint for the noobs (as I am one):

Create a file called pki.yml in project_directory/ansible/inventory/group_vars/all with the content

pki_ca_domain: "your.domain.com"

Delete the pki directory under secret/ and re-run debops.

from ansible-pki.