numediaweb

Reputation: 17010

Ansible X509 certificate missing Subject Alternative Name

I'm using Vagrant and Ansible roles to generate an SSL/TLS certificate, but no matter what I try, the generated certificate is missing the Subject Alternative Name:

- name: Create an SSL security key & CSR (Certificate Signing Request)    
  shell: openssl req -new -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/{{ item.host }}.key -subj "/subjectAltName=DNS.1={{ item.host }}, DNS.2=www.{{ item.host }}, IP.1=192.168.33.11/C={{params['ssl'].country_name}}/ST={{params['ssl'].state}}/L={{params['ssl'].locality}}/O={{params['ssl'].organization}}/CN={{ item.host }}" -out /etc/apache2/ssl/{{ item.host }}.csr
  args:
    executable: "/bin/bash"
  with_items: "{{params['vhosts']}}"
  when: item.ssl is defined and item.ssl

The certificate files get generated, but Google Chrome always says

Subject Alternative Name Missing

This is the debug of my environment:

$ openssl version
OpenSSL 1.0.2l  25 May 2017

$ openssl x509 -noout -text -in /etc/apache2/ssl/myhost.dev.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            a2:77:35:c7:6a:72:35:22
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev
        Validity
            Not Before: Jun 12 15:36:58 2017 GMT
            Not After : Jun 10 15:36:58 2027 GMT
        Subject: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev

Upvotes: 1

Views: 1948

Answers (2)

numediaweb

Reputation: 17010

After some research on the openssl library and understanding how it works, I found I was making the mistake of using -X509: adding -X509 will create a certificate and not a request!

I solved my issue by following these main steps:

  1. Set up a certificate authority: the entity that issues digital certificates.
  2. Create the server or user certificate request.
  3. Sign the server certificate request.
  4. Add these keys and certificates to your host.
  5. Add the certificates to the browser.

I wrote a long step-by-step tutorial on how to achieve this on my blog.

Upvotes: 1

amphetamachine

Reputation: 30595

Your key isn't using X509 extensions. In order to add them to your CSR, you'll need a config file that specifies what extensions to add. The command line interface isn't friendly enough to let you easily specify X509 extensions on the command line.

What you could do is use Bash's process substitution with a command that generates a modified config file on the fly when you invoke openssl to generate your CSR:

# Generate the CSR with a [SAN] section appended to the system openssl.cnf on the fly.
# Note: -x509 is left out on purpose. With -x509, openssl req emits a self-signed
# certificate instead of a request and takes its extensions from -extensions,
# so -reqexts (and the SAN in it) would be ignored.
openssl req \
    -new -newkey rsa:2048 -nodes \
    -subj "{your existing subject}" \
    ... \
    -reqexts SAN \
    -config <(
        cat /etc/ssl/openssl.cnf
        printf '\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com'
    )

Again, process substitution only works in GNU bash, and will not work if your CI runner's default shell is Bourne Shell, as it sometimes is on Ubuntu-based distros.

This answer was adapted from here.

Upvotes: 3
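The following script is an added example, not code from the question or from either answer. It walks through the first answer's procedure (local CA, CSR, signing) using the second answer's approach of putting the subjectAltName in an openssl config file, and it adds the check a practitioner wants afterwards: does the CSR actually carry the SAN, and does the signed certificate? It also shows the next trap behind the one in the question: a SAN in the CSR does not reach the certificate by itself, because openssl x509 -req applies the extensions the CA passes via -extfile/-extensions rather than copying them from the request. The config is written to a temporary file instead of using bash process substitution, so it also runs under plain sh (what Ansible's shell module uses by default). The hostnames example.test, www.example.test and 192.0.2.10 and the CA name "Example Test CA" are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the question or either answer): SAN via config file,
# CSR -> CA-signed certificate, then verification. Hostnames are placeholders.
set -eu

# [req] points at [req_ext], so the CSR gets a subjectAltName extension.
# [v3_server] is what the CA applies when signing; [v3_ca] is for the CA cert.
write_config() {  # $1 path of config file to write
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = DE
ST = Berlin
O  = Example Ltd
CN = example.test

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
IP.1  = 192.0.2.10

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
EOF
}

# Self-signed CA. With -x509, openssl req takes extensions from -extensions
# (not -reqexts), which is why the question's CSR-style flags never applied.
make_ca() {  # $1 work dir
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Example Test CA" \
    -config "$1/san.cnf" -extensions v3_ca >/dev/null 2>&1
}

# Server key + CSR; req_extensions in the config puts the SAN into the request.
make_csr() {  # $1 work dir
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -config "$1/san.cnf" >/dev/null 2>&1
}

# Sign the CSR. "openssl x509 -req" does not copy extensions from the CSR
# (OpenSSL 3.x needs an explicit -copy_extensions); the certificate only gets
# a SAN if the CA applies one via -extfile/-extensions.
sign_csr() {  # $1 work dir, $2 output cert, $3 "with" or "without" CA-side extensions
  if [ "$3" = with ]; then
    openssl x509 -req -days 30 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -extfile "$1/san.cnf" -extensions v3_server -out "$2" >/dev/null 2>&1
  else
    openssl x509 -req -days 30 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -out "$2" >/dev/null 2>&1
  fi
}

# Exit 0 if the PEM file carries a subjectAltName naming the www host.
# Works on 1.0.2 and newer (no -ext option needed).
has_san() {  # $1 "req" for a CSR or "x509" for a certificate, $2 PEM file
  openssl "$1" -noout -text -in "$2" 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q 'DNS:www.example.test'
}

run_flow() {  # $1 work dir: config, CA, CSR, then the same CSR signed both ways
  write_config "$1/san.cnf"
  make_ca "$1"
  make_csr "$1"
  sign_csr "$1" "$1/noext.crt" without
  sign_csr "$1" "$1/server.crt" with
}

report() {  # $1 label, $2 openssl subcommand, $3 PEM file
  if has_san "$2" "$3"; then echo "$1: SAN present"; else echo "$1: SAN missing"; fi
}

demo() {
  local d
  d=$(mktemp -d)
  run_flow "$d"
  report "CSR" req "$d/server.csr"
  report "cert signed without -extensions" x509 "$d/noext.crt"
  report "cert signed with v3_server" x509 "$d/server.crt"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt"
  echo "files left in $d"
}

demo
```

Running it leaves the key, CSR and both certificates in the temp directory so they can be inspected with the same openssl x509 -noout -text command the question uses. The "without" certificate is the one that still triggers Chrome's Subject Alternative Name Missing error even though the CSR was correct; the "with" certificate is the one to install, and openssl verify confirms it chains to the local CA.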
