
[Bug]: using admin commands fails if root ca has name constraints

Open georgmu opened this issue 3 years ago • 1 comment

Steps to Reproduce

  1. create a root CA with name constraints permitted: DNS:example.com
  2. run step ca init --root=CA.pem --key=CA.key
  3. open ~/.step/config/ca.json, delete provisioners and add "enableAdmin": true to authority
  4. start step-ca
    • enter a password for first provisioner
  5. on a second terminal, run step ca provisioner add acme --type ACME
    • when asked for admin name/subject, provide step and the password entered while starting step-ca

Your Environment

  • OS - ubuntu 20.04
  • step-ca Version - Smallstep CA/0.20.0

Expected Behavior

add the provisioner

Actual Behavior

adminHandler.authorizeToken; error verifying x5c certificate chain in token: x509: a root or intermediate certificate is not authorized to sign for this name: DNS name "step" is not permitted by any constraint

Additional Context

A solution for the problem would be to ask for the subject in the CreateAdmin command in the "Create first admin" section (authority/authority.go:584). When I manually change it in the source code to [email protected] (which apparently fulfills the name constraint), the command succeeds.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

georgmu, Jun 20 '22 12:06
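The failure in the report, reproduced as an added Go example (this is not step-ca's code): a constructed root CA carrying a critical permitted DNS:example.com name constraint, a leaf whose DNS SAN is the admin subject, and crypto/x509 chain verification, which rejects the subject "step" with the same "not permitted by any constraint" error and accepts a name under example.com. The CA name, serial numbers and the must helper are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // constructed demo: any setup failure is fatal
	}
	return v
}

// VerifyAdminName builds a constructed root CA whose name constraints only permit DNS
// names under permittedDomain, issues a leaf whose SAN is adminName (the admin subject),
// and returns the chain-verification error, or nil when the name is permitted.
func VerifyAdminName(permittedDomain, adminName string) error {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{permittedDomain},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: adminName},
		DNSNames: []string{adminName}, // the admin subject is carried as a DNS SAN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	fmt.Println("step:", VerifyAdminName("example.com", "step"))
	fmt.Println("admin.example.com:", VerifyAdminName("example.com", "admin.example.com"))
}
```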

A temporary workaround here would be to use the default PKI when starting up the CA. Then create a new admin using step ca admin add, and use a name permitted by the desired name constraints. Then replace the PKI with the desired one.

dopey, Jul 07 '22 21:07