ansible-pki icon indicating copy to clipboard operation
ansible-pki copied to clipboard

Published 20 hours ago verified publisher icon debops

Error every second pki run

Open erikschwalbe opened this issue 6 years ago • 9 comments

I think since yesterday after a debops-update the pki role failed with every second run: TASK [debops.pki : Sign certificate requests for current hosts] ************************************************************************************************************************************** fatal: [teamcity -> localhost]: FAILED! => {"changed": false, "cmd": ["./lib/pki-authority", "sign-by-host", "teamcity.domain.com"], "delta": "0:00:00.305034", "end": "2018-03-26 09:41:34.501734", "msg": "non-zero return code", "rc": 2, "start": "2018-03-26 09:41:34.196700", "stderr": "pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem (Exitcode: 2)\n\nDetails:\n/home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem: CN = teamcity.domain.com\nerror 47 at 0 depth lookup:permitted subtree violation", "stderr_lines": ["pki-authority: Error: failed to run verify -CAfile issuer/subject/cert.pem -untrusted subject/cert.pem /home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem (Exitcode: 2)", "", "Details:", "/home/ansible/debops/ansible/secret/pki/realms/by-host/teamcity.domain.com/domain/internal/cert.pem: CN = teamcity.domain.com", "error 47 at 0 depth lookup:permitted subtree violation"], "stdout": "", "stdout_lines": []}

erikschwalbe avatar Mar 26 '18 07:03 erikschwalbe

The "permitted subtree violation" error is related to use of nameConstraints extension. Basically, you tried to sign a certificate with a domain for which your CA is not allowed to sign certificates. Especially that the domain you tried to sign is .com...

I bet that you tried to create a host with FQDN similar to example.com. DebOps uses ansible_fqdn and ansible_domain variables in many roles, and with the FQDN like the above, the ansible_domain value would end up as .com, which cannot realistically work for a X.509 certificate. You should either change the hostname to something like host.example.com, in which case Ansible will detect the domain correctly, or enforce the values by setting pki_fqdn and pki_domain variables in the Ansible inventory.

drybjed avatar Mar 26 '18 07:03 drybjed

sorry, there was a copy-paste failure. I want to use a normal wildcard ssl certificate from comodo.

erikschwalbe avatar Mar 26 '18 08:03 erikschwalbe

I see. Still, check what domains are recognized by your internal CA and what domains you tried to sign with it:

openssl x509 -in path/to/cert.pem -text -noout

drybjed avatar Mar 26 '18 08:03 drybjed

openssl x509 -in ansible/secret/pki/realms/by-group/debops_service_pki/domain/external/all.domain.com.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 18:cc:82:0a:b9:7a:52:60:45:60:e0:b5:88:93:05:f9 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Validity Not Before: Mar 20 00:00:00 2018 GMT Not After : May 19 23:59:59 2019 GMT Subject: OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)

Its a commercial wildcard certificate.

erikschwalbe avatar Mar 26 '18 08:03 erikschwalbe

So it's an external certificate? That changes things a bit... In that case it would be best if you put these certificates in their own PKI realm, not domain. This new realm could have the internal CA disabled so that the debops.pki CA does not try to sign the certificate over and over. You can do this by adding in the inventory:

pki_realms:
  - name: 'domain.com'
    internal: False
    acme: False

Then you can point services like nginx at this new PKI realm to use the external certificate.

drybjed avatar Mar 26 '18 08:03 drybjed

Ok, sorry for that missing information. debops created the new realm. Is it possible to disable the domain realm? so, that there is only the commercial certificate.

erikschwalbe avatar Mar 26 '18 14:03 erikschwalbe

Sure, you could set pki_default_realms: [], and pki_system_realm: 'new.realm.name'. Although I'd keep the domain` realm for inter-cluster communication if you have more hosts.

drybjed avatar Mar 26 '18 14:03 drybjed

Sorry, but another question. If debops created the folder structure ansible/secret/pki/realms/by-group/debops_service_pki/example.com whats the prefered way to include the commercial certificate or where is the right place to copy? At the moment there are 2 folders: external and private But on the destination host the default.crt does not point to my certificate.

erikschwalbe avatar Mar 26 '18 15:03 erikschwalbe

The PKI realm is designed around a single private key, but if you are using external cert/key pair the key generated by the realm will be invalid (debops.pki does not update the realm key automatically). Remove the PKI realm to reset it.

Put your private key, in the private/ directory of the generated directory structure. Put your certificate, intermediate and root .pem files in the external/ directory. When you run debops.pki again, the role should copy the external CA files and use them automatically.

Read the external CA documentation for more details.

drybjed avatar Mar 26 '18 16:03 drybjed