Simplify certificate for subdomains excluding the apex domain
Tested with:

   - name: 'www.ypid.de'
     acme_default_subdomains: []
     acme_domains: [ 'www.ypid.de', 'me.ypid.de' ]

Resulted in:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fa:fb:15:22:6b:4c:9c:40:46:d4:13:ad:42:c0:8f:a4:2f:f3
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Fake LE Intermediate X1
            Validity
                Not Before: Sep 12 16:18:00 2016 GMT
                Not After : Dec 11 16:18:00 2016 GMT
            Subject: CN=www.ypid.de
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    E5:11:34:94:ED:18:1A:7A:22:A8:6B:CC:32:D5:38:0E:F0:F0:06:C3
                X509v3 Authority Key Identifier:
                    keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

                Authority Information Access:
                    OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

                X509v3 Subject Alternative Name:
                    DNS:me.ypid.de, DNS:www.ypid.de
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

        Signature Algorithm: sha256WithRSAEncryption
ypid committed Sep 12, 2016
1 parent cefeeed commit bc982a2
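Added example (not code from the debops.pki role or from this commit): a small Python check that parses the `openssl x509 -text` output shown above and verifies that the issued certificate's SAN contains exactly the realm's configured names and no apex domain. It serves both the "Tested with" configuration in the commit message and the docs example below; the certificate text and realm dicts are constructed from the hostnames on this page, and the `apex_of` and `check_realm_cert` helpers are hypothetical.

```python
import re

# Constructed sample: the Subject and SAN lines of the `openssl x509 -text`
# output shown in the commit message (hostnames copied from the page).
CERT_TEXT = """\
        Subject: CN=www.ypid.de
            X509v3 Subject Alternative Name:
                DNS:me.ypid.de, DNS:www.ypid.de
"""

# Constructed realm entry mirroring the "Tested with" configuration above.
REALM = {"name": "www.ypid.de", "acme_default_subdomains": [],
         "acme_domains": ["www.ypid.de", "me.ypid.de"]}


def parse_cert_names(text):
    """Return (subject CN, set of SAN DNS names) from `openssl x509 -text` output."""
    cn_match = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    san_match = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", text)
    san = set()
    if san_match:
        for entry in san_match.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                san.add(entry.split(":", 1)[1].strip())
    return cn, san


def apex_of(hostname):
    # Assumption: apex = last two labels (ignores suffixes such as co.uk).
    return ".".join(hostname.split(".")[-2:])


def check_realm_cert(realm, cert_text):
    """Return findings (empty list = OK). Assumes the requested names are the
    realm name plus `acme_domains` (as tested) or `domains` (docs example)."""
    cn, san = parse_cert_names(cert_text)
    configured = set(realm.get("acme_domains") or realm.get("domains") or [])
    configured.add(realm["name"])
    findings = []
    if san != configured:
        findings.append(f"SAN {sorted(san)} != configured {sorted(configured)}")
    if cn not in san:
        findings.append(f"subject CN {cn!r} is not covered by the SAN")
    apex = apex_of(realm["name"])
    if apex in san and apex not in configured:
        findings.append(f"apex domain {apex} was issued but never requested")
    return findings
```

Run it against the real output of `openssl x509 -in <cert> -noout -text` after a staging run to confirm the SAN matches the realm before switching `acme_ca` to production.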
Showing 2 changed files with 6 additions and 11 deletions.
16 changes: 6 additions & 10 deletions docs/acme-integration.rst
@@ -23,7 +23,7 @@ To request and renew ACME certificates, a host needs to meet several
requirements enforced by this Ansible role:

- A webserver configured to handle ACME challenges needs to be installed on the
host (currently this role supports only "webroot" challenges). The
host (currently this role supports only ``http-01`` challenges). The
debops.nginx_ role configures ACME support for all servers by default when
other conditions are met.

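Review bot: Replacing "webroot" with ``http-01`` changes what the sentence says: ``http-01`` is the ACME challenge type, while "webroot" is the client-side method of satisfying it, and the following sentence about debops.nginx_ configuring ACME support still relies on the reader knowing a web server must serve the challenge. Suggest keeping both, e.g. "currently this role supports only ``http-01`` challenges, satisfied via the webroot method".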
@@ -159,22 +159,18 @@ automatically.
Certificate for subdomains excluding the apex domain
----------------------------------------------------

Yes, it's possible :-) Please consult the example and create your own similar
configuration. In the example we create a certificate for the ``logs.example.com``
and ``mon.example.com`` subdomains, which does not include the ``example.com``
apex domain. Please notice that the PKI realm does not contain your full domain
name. This is crucial.
Please consult the example and create your own similar configuration. In the
example we create a certificate for the ``logs.example.com`` and
``mon.example.com`` subdomains, which does not include the ``example.com`` apex
domain.

.. code-block:: yaml
pki_realms:
# Do not include the full domain name here!
- name: 'example'
- name: 'logs.example.com'
acme: True
acme_default_subdomains: []
acme_subject: [ 'cn=logs.example.com' ]
acme_domains: [ 'logs.example.com', 'mon.example.com' ]
domains: [ 'logs.example.com', 'mon.example.com' ]
# acme_ca: 'le-staging'
For testing it's strongly advised to uncomment ``acme_ca`` with ``le-staging``
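Review bot: The new example lists the names under ``domains``, but the configuration the commit message says was tested uses ``acme_domains`` (together with ``acme_default_subdomains: []``); confirm which key the role actually reads, otherwise the documented example may not produce the two-name SAN shown in the commit message. Also, the old comment "# Do not include the full domain name here!" and the sentence calling the realm name crucial were both dropped, yet ``acme_default_subdomains: []`` now carries that load without any explanation; a one-line comment such as ``# No default subdomains: only the names listed below go into the certificate`` would make the example self-explanatory.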
1 change: 0 additions & 1 deletion docs/getting-started.rst
@@ -83,4 +83,3 @@ special ``debops.pki/env`` role provided within the main role.

.. literalinclude:: playbooks/pki.yml
:language: yaml
