Comments (9)
The "permitted subtree violation" error is related to use of the `nameConstraints` extension. Basically, you tried to sign a certificate with a domain for which your CA is not allowed to sign certificates. Especially since the domain you tried to sign is `.com`...

I bet that you tried to create a host with an FQDN similar to `example.com`. DebOps uses the `ansible_fqdn` and `ansible_domain` variables in many roles, and with an FQDN like the above, the `ansible_domain` value would end up as `.com`, which cannot realistically work for an X.509 certificate. You should either change the hostname to something like `host.example.com`, in which case Ansible will detect the domain correctly, or enforce the values by setting the `pki_fqdn` and `pki_domain` variables in the Ansible inventory.
from ansible-pki.
Sorry, there was a copy-paste failure. I want to use a normal wildcard SSL certificate from Comodo.
I see. Still, check what domains are recognized by your internal CA and what domains you tried to sign with it:

```
openssl x509 -in path/to/cert.pem -text -noout
```
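The first two replies above explain the error ("permitted subtree violation" comes from the CA's `nameConstraints`) and suggest reading both certificates with `openssl x509 -text -noout`. The following added example, which is not code from the thread or from the DebOps project, ties the two together: it parses the `X509v3 Name Constraints` and `X509v3 Subject Alternative Name` sections out of that text output and applies the same suffix rule OpenSSL uses for `DNS:` constraints, so each SAN entry is mapped to the verify error it would trigger. Both certificate dumps are constructed samples (the CA name, the `example.com` bases and the SAN list are assumptions), and the matching rule is an emulation of OpenSSL's behaviour written here for illustration, not a call into OpenSSL.

```python
"""Emulate the DNS-name part of an X.509 nameConstraints check.

Added example, not code from the DebOps project or from the thread.
It parses the relevant extensions out of `openssl x509 -text -noout`
output and applies the suffix rule OpenSSL's nc_dns() uses, so you can
see which SAN entry would fail with "permitted subtree violation" before
asking a constrained CA to sign. Both texts below are constructed samples.
"""

# Constructed sample: the part of an internal CA's `openssl x509 -text`
# output that carries the nameConstraints extension.
CA_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=Internal Example CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Name Constraints: critical
                Permitted:
                  DNS:example.com
                Excluded:
                  DNS:lab.example.com

    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: a leaf certificate text whose SAN list mixes a name
# the CA may sign with names outside (or excluded from) its subtree.
LEAF_TEXT = """\
Certificate:
    Data:
        Subject: CN=host.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host.example.com, DNS:*.domain.com, DNS:box.lab.example.com
    Signature Algorithm: sha256WithRSAEncryption
"""


def _extension_lines(text, header):
    """Yield the stripped body lines of one X509v3 extension block."""
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(header):
            inside = True
            continue
        if not inside:
            continue
        # The block ends at the next extension or at the signature section.
        if line.startswith("X509v3") or line.startswith("Signature Algorithm"):
            return
        if line:
            yield line


def parse_name_constraints(ca_text):
    """Return (permitted, excluded) DNS bases from a CA's text dump."""
    permitted, excluded, target = [], [], None
    for line in _extension_lines(ca_text, "X509v3 Name Constraints"):
        if line == "Permitted:":
            target = permitted
        elif line == "Excluded:":
            target = excluded
        elif line.startswith("DNS:") and target is not None:
            target.append(line[len("DNS:"):])
    return permitted, excluded


def parse_san_dns(cert_text):
    """Return the DNS entries of the subjectAltName extension."""
    names = []
    for line in _extension_lines(cert_text, "X509v3 Subject Alternative Name"):
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[len("DNS:"):])
    return names


def dns_in_subtree(name, base):
    """OpenSSL's nc_dns() rule (emulated): `base` must equal the name or be
    a suffix of it, and unless `base` starts with '.', the suffix must sit
    on a label boundary. Case-insensitive; an empty base matches everything."""
    if base == "":
        return True
    if len(name) > len(base):
        if not base.startswith(".") and name[-len(base) - 1] != ".":
            return False
        return name[-len(base):].lower() == base.lower()
    return name.lower() == base.lower()


def check_dns_name(name, permitted, excluded):
    """Return the OpenSSL verify error string a name would trigger, or 'ok'."""
    if any(dns_in_subtree(name, b) for b in excluded):
        return "excluded subtree violation"
    if permitted and not any(dns_in_subtree(name, b) for b in permitted):
        return "permitted subtree violation"
    return "ok"


def check_leaf_against_ca(leaf_text, ca_text):
    """Map every SAN DNS entry of the leaf to its verdict under the CA."""
    permitted, excluded = parse_name_constraints(ca_text)
    return {n: check_dns_name(n, permitted, excluded) for n in parse_san_dns(leaf_text)}


if __name__ == "__main__":
    for name, verdict in check_leaf_against_ca(LEAF_TEXT, CA_TEXT).items():
        print(f"{name:28} {verdict}")
```

The check only matters for certificates the internal (`domain` realm) CA is asked to sign; a certificate issued by an external CA, like the Comodo wildcard discussed later in this thread, is never chained to the internal CA, so its constraints do not apply to it.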
```
openssl x509 -in ansible/secret/pki/realms/by-group/debops_service_pki/domain/external/all.domain.com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:cc:82:0a:b9:7a:52:60:45:60:e0:b5:88:93:05:f9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Mar 20 00:00:00 2018 GMT
            Not After : May 19 23:59:59 2019 GMT
        Subject: OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
```

It's a commercial wildcard certificate.
So it's an external certificate? That changes things a bit... In that case it would be best if you put these certificates in their own PKI realm, not `domain`. This new realm could have the internal CA disabled so that the `debops.pki` CA does not try to sign the certificate over and over. You can do this by adding in the inventory:

```yaml
pki_realms:
  - name: 'domain.com'
    internal: False
    acme: False
```

Then you can point services like `nginx` at this new PKI realm to use the external certificate.
Ok, sorry for that missing information. DebOps created the new realm. Is it possible to disable the `domain` realm, so that there is only the commercial certificate?
Sure, you could set `pki_default_realms: []` and `pki_system_realm: 'new.realm.name'`. Although I'd keep the `domain` realm for inter-cluster communication if you have more hosts.
Sorry, but another question. If DebOps created the folder structure `ansible/secret/pki/realms/by-group/debops_service_pki/example.com`, what's the preferred way to include the commercial certificate, or where is the right place to copy it? At the moment there are 2 folders: `external` and `private`. But on the destination host the `default.crt` does not point to my certificate.
The PKI realm is designed around a single private key, but if you are using an external cert/key pair, the key generated by the realm will be invalid (`debops.pki` does not update the realm key automatically). Remove the PKI realm to reset it. Put your private key in the `private/` directory of the generated directory structure. Put your certificate, intermediate and root `.pem` files in the `external/` directory. When you run `debops.pki` again, the role should copy the external CA files and use them automatically. Read the external CA documentation for more details.