fix: correct x509 certificate version to ensure x509v3 compliance

- Changed csr_cert.version from 3 to 2 in SSL helper sign_csr method
- OpenSSL uses zero-indexed versions where 2 = x509v3
- Added integration test to verify certificates use correct version
- Prevents future regressions of x509 version configuration

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jgnagy

lib/bullion/helpers/ssl.rb

@@ -200,7 +200,7 @@ def sign_csr(csr, username)
         # Create a OpenSSL cert using select info from the CSR
         csr_cert = OpenSSL::X509::Certificate.new
         csr_cert.serial = cert.serial
-        csr_cert.version = 3
+        csr_cert.version = 2 # OpenSSL uses zero-indexed versions: 2 = x509v3
         csr_cert.not_before = Time.now
         # only 90 days for ACMEv2
         csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)

spec/integration/bullion/services/ca_spec.rb

@@ -129,6 +129,7 @@ def app
       expect(cert).to start_with("-----BEGIN CERTIFICATE-----\n")
       decoded_cert = OpenSSL::X509::Certificate.new(cert)
       expect(decoded_cert.subject.to_s).to end_with("/CN=#{domain}")
+      expect(decoded_cert.version).to eq(2) # Ensure x509v3 (version 2 in zero-indexed OpenSSL)
       extensions = decoded_cert.extensions.to_h { [it.oid, it.value] }
       expect(extensions["basicConstraints"]).to eq("CA:FALSE")
       expect(extensions["extendedKeyUsage"]).to eq("TLS Web Server Authentication")