From bc982a28a7a7c70d865bdcde197a9d70dc5d6258 Mon Sep 17 00:00:00 2001 
From: Robin Schneider
Date: Mon, 12 Sep 2016 19:20:57 +0200
Subject: [PATCH] Simplify certificate for subdomains excluding the apex domain

Tested with:

  - name: 'www.ypid.de'
    acme_default_subdomains: []
    acme_domains: [ 'www.ypid.de', 'me.ypid.de' ]

Resulted in:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:fb:15:22:6b:4c:9c:40:46:d4:13:ad:42:c0:8f:a4:2f:f3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: Sep 12 16:18:00 2016 GMT
            Not After : Dec 11 16:18:00 2016 GMT
        Subject: CN=www.ypid.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a3:0c:03:c2:24:7c:8d:f0:86:6f:f6:0b:a4:e8:
                    c2:ce:4a:57:3a:97:59:75:00:01:8a:2c:e9:89:af:
                    65:d0:0c:dc:df:2f:2b:21:57:e6:b0:3e:11:7f:ad:
                    d8:6a:9a:33:2e:ef:62:fb:4b:0f:80:f0:f3:c8:e9:
                    d6:e4:75:6f:18:88:25:3f:e7:ce:23:43:c8:4d:05:
                    99:66:9a:be:a1:7a:e7:8a:80:ab:94:55:68:de:26:
                    e9:c1:95:44:5b:b7:d9:b8:30:45:2b:ce:57:6c:7b:
                    f3:a2:af:cc:b0:41:e3:0c:c1:cd:6b:c7:a1:6b:2d:
                    8d:09:c2:b5:fa:c1:7e:f4:b1:d2:2a:f3:8b:f1:7b:
                    5b:1f:7c:bf:9c:ab:ad:24:04:48:b7:03:22:fa:fc:
                    e5:67:99:50:8f:48:5d:ab:1a:92:f1:27:2f:10:9a:
                    0b:67:75:6f:e5:9a:bd:f4:56:f3:9a:fc:6f:a7:6f:
                    d8:86:ff:59:bc:ec:1e:8f:5a:e9:05:63:0b:ed:63:
                    6c:77:fa:09:e1:20:7e:7c:cb:91:8b:8f:3e:cb:b3:
                    65:dd:5f:2d:68:7c:46:7d:2c:bf:e7:6a:57:23:55:
                    1a:17:45:bc:8f:1d:dd:d6:d9:6e:e9:ef:d6:96:97:
                    5c:e5:9b:de:93:23:70:74:e1:47:ae:56:bb:b4:35:
                    9a:53:81:49:10:61:07:24:d2:53:6c:35:41:09:ef:
                    00:1a:3c:7b:de:0f:97:86:87:67:7a:a8:d0:a9:d4:
                    90:88:2f:0b:5c:a8:74:74:04:af:6f:f7:b1:ba:23:
                    83:00:27:a0:f6:8a:d4:7d:61:3a:75:03:4a:a8:d3:
                    42:2d:fb:2c:3b:ab:bc:b7:8a:18:42:5b:66:b9:d7:
                    8b:76:8d:da:62:1b:6b:64:cd:65:1e:53:6c:f8:54:
                    69:39:5d:ca:e7:23:c4:ef:cc:44:45:23:f3:1c:9c:
                    5d:73:33:59:a7:47:26:ef:43:47:a7:ed:02:ab:fc:
                    15:75:9a:64:fa:46:c1:20:3d:99:22:b0:91:67:c9:
                    ce:99:5c:03:46:fd:81:ae:67:11:d0:be:d6:2b:ff:
                    ac:32:51:bb:05:70:c1:6e:d0:6c:58:17:9c:c6:4f:
                    fb:4a:79:c6:c5:ce:7a:55:ec:d3:6b:66:cf:2c:5b:
                    d2:a1:35:a3:55:0a:b9:b6:a5:83:f5:12:21:7f:46:
                    dc:d3:10:d5:5b:db:19:03:46:b2:fb:56:fe:8a:85:
                    26:d9:3d:33:e7:d5:eb:6b:a4:20:dc:df:e1:fe:d5:
                    e3:92:6b:f5:81:aa:2a:05:3b:4c:32:56:74:67:ac:
                    8c:2b:66:c1:c5:27:12:10:01:90:3e:63:b0:23:63:
                    9f:19:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E5:11:34:94:ED:18:1A:7A:22:A8:6B:CC:32:D5:38:0E:F0:F0:06:C3
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:me.ypid.de, DNS:www.ypid.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption
         69:1f:9a:83:ae:10:17:ff:34:eb:d7:01:23:2f:05:39:cb:b0:
         ad:d1:d7:d2:47:69:31:f7:bc:f9:e2:73:62:c1:a6:df:16:0e:
         65:65:9d:76:09:97:0f:d8:f6:73:30:0e:ba:d7:9e:61:96:12:
         15:f9:19:d0:e6:2e:ec:aa:07:b1:03:b8:bb:af:5d:ea:69:ef:
         af:8a:a8:29:94:10:8b:04:5a:f1:de:14:6e:6a:a0:39:5c:d2:
         7b:f3:65:06:6b:67:03:c6:1f:18:89:84:28:2a:0e:3e:1d:e2:
         a0:bc:4f:ce:3e:7c:f8:81:6e:f7:34:a0:cd:01:7e:66:ae:d6:
         82:0e:e8:73:11:e6:c0:b0:c7:b0:0c:fa:de:d8:fa:61:89:c7:
         c7:dd:6f:cc:b2:32:1a:b8:74:93:82:5b:f9:55:25:15:f1:51:
         bc:32:98:f8:70:3a:c3:c2:e2:ec:3a:6f:a7:e6:8e:15:9a:43:
         09:9f:b1:28:c7:d5:13:82:9e:20:86:40:45:4f:6d:cc:c6:7c:
         9a:26:1a:e2:8b:40:eb:ed:24:67:b9:0e:a4:b7:4a:5f:3a:d0:
         4f:a9:d3:bf:a5:59:67:40:0c:50:39:96:8e:a3:fb:de:a2:74:
         72:78:b5:fc:2b:01:b8:1b:af:a5:78:6c:da:66:b6:2d:3c:ce:
         c8:c1:c8:1b
--- docs/acme-integration.rst | 16 ++++++---------- docs/getting-started.rst | 1 - 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/docs/acme-integration.rst b/docs/acme-integration.rst index d8e6f4d..9a56119 100644 --- a/docs/acme-integration.rst +++ b/docs/acme-integration.rst @@ -23,7 +23,7 @@ To request and renew ACME certificates, a host needs to meet several requirements enforced by this Ansible role: - A webserver configured to handle ACME challenges needs to be installed on the - host (currently this role supports only "webroot" challenges). The + host (currently this role supports only ``http-01`` challenges). The debops.nginx_ role configures ACME support for all servers by default when other conditions are met. @@ -159,22 +159,18 @@ automatically. Certificate for subdomains excluding the apex domain ---------------------------------------------------- -Yes, it's possible :-) Please consult the example and create your own similar -configuration. In the example we create a certificate for the ``logs.example.com`` -and ``mon.example.com`` subdomains, which does not include the ``example.com`` -apex domain. Please notice that the PKI realm does not contain your full domain -name. This is crucial. +Please consult the example and create your own similar configuration. In the +example we create a certificate for the ``logs.example.com`` and +``mon.example.com`` subdomains, which does not include the ``example.com`` apex +domain. .. code-block:: yaml pki_realms: - # Do not include the full domain name here! - - name: 'example' + - name: 'logs.example.com' acme: True acme_default_subdomains: [] - acme_subject: [ 'cn=logs.example.com' ] acme_domains: [ 'logs.example.com', 'mon.example.com' ] - domains: [ 'logs.example.com', 'mon.example.com' ] # acme_ca: 'le-staging' For testing it's strongly advised to uncomment ``acme_ca`` with ``le-staging`` diff --git a/docs/getting-started.rst b/docs/getting-started.rst index 124bb8d..c512a5a 100644 
--- a/docs/getting-started.rst +++ b/docs/getting-started.rst @@ -83,4 +83,3 @@ special ``debops.pki/env`` role provided within the main role. .. literalinclude:: playbooks/pki.yml :language: yaml -
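Review bot: in the `@@ -23,7 +23,7 @@` hunk of `docs/acme-integration.rst`, swapping "webroot" for ``http-01`` loses the part of the requirement that the surrounding sentence is about, namely that a web server must serve the challenge files from a webroot directory. ``http-01`` names the ACME challenge type, while "webroot" names how this role satisfies it, so a reader who knows either term should find the requirement; suggest keeping both, for example "currently this role supports only ``http-01`` challenges, satisfied via the webroot method".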
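Review bot: in the `@@ -159,22 +159,18 @@` hunk, the removed paragraph explained a constraint (the realm name must not contain the full domain name) and the replacement explains nothing, so a reader no longer learns why the realm is now named ``logs.example.com`` or why ``acme_subject`` and ``domains`` could be dropped from the example. The commit message already has the evidence: a realm named ``www.ypid.de`` with ``acme_domains: [ 'www.ypid.de', 'me.ypid.de' ]`` produced ``Subject: CN=www.ypid.de`` and ``DNS:me.ypid.de, DNS:www.ypid.de`` in the Subject Alternative Name. Suggest putting that in the prose, e.g. "Name the realm after one of the subdomains; it becomes the certificate subject, and ``acme_domains`` lists every name to include in the certificate, so ``domains`` and ``acme_subject`` are not needed." Since the only comment inside the YAML was removed with ``- # Do not include the full domain name here!``, the remaining ``acme_default_subdomains: []`` line also deserves a one-line comment saying why it is set to an empty list in this example.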
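Review bot: the `@@ -83,4 +83,3 @@` hunk in `docs/getting-started.rst` only strips a trailing blank line after the ``.. literalinclude:: playbooks/pki.yml`` directive and is unrelated to the subject "Simplify certificate for subdomains excluding the apex domain"; suggest splitting it into a separate whitespace commit, or at least mentioning it in the commit message so the second file in the diffstat is not a surprise to someone bisecting later.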