Error with max_path_length

henriquecpitta · December 29, 2022, 12:09pm

I am following the “Build Certificate Authority (CA) in Vault with an offline Root” article, but when i reach the Step 4: “Generate ICA2 in vault” i create a Terraform file named, “test_org_ica2.tf” and when i do terraform apply, receive an error saying “signing certificate has a max path length of zero, and cannot issue further CA certificates”.

The article: Build Certificate Authority (CA) in Vault with an offline Root | Vault | HashiCorp Developer

I followed this article step by step with a clean vault installation and cannot find any information about that error.

Is there any command to change de value of the max path length?

Bellow i left a screenshot of the error.

Thank you!

maxb · December 29, 2022, 1:16pm

A quick look suggests that a change in the upstream certstrap tool has rendered the tutorial as written broken - https://github.com/square/certstrap/pull/135.

You should disregard this tutorial and follow the one that does not use certstrap, that is linked in the first paragraph of the page:

This learn tutorial builds on the Build Your Own Certificate Authority (CA) tutorial and demonstrates how to create the CA chain hierarchy with an offline root and online intermediate CAs in Vault.

henriquecpitta · December 29, 2022, 3:36pm

I found the issue.
Just add the flag " --path-length 2 " creating certificate with certstrap and will work