OpenSSL Config error when generating self-signed certificate string too long

Tags:

openssl

With the following OpenSSL Config

[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = drone-ci-web.company.com.key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no
encrypt_key         = no

[ subject ]
countryName                    = Country Name (2 letter code)
countryName_default            = US
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Missouri
localityName                   = Locality Name (eg, city)
localityName_default           = Jefferson City
organizationName               = Organization Name (eg, company)
organizationName_default       = My Company
organizationalUnitName         = Organizational Unit (eg, team)
organizationalUnitName_default = My Company Technologies
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_default             = drone-ci-web.company.com
emailAddress                   = Email Address
emailAddress_default           = [email protected]

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

I run the following command:

sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem

and I get the following error:

[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem
Generating a 2048 bit RSA private key
..............................................................................................................+++
....................+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----
problems making Certificate Request
140184216713104:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2

From what I think it's telling me, one of the fields it's trying to use is "too long" and is only allowed two characters, but from what I keep reading, the countryName_default should override the countryName and make this accept the value given for default.

OpenSSL and Operating System information:

[vagrant@jonspc ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[vagrant@jonspc ~]$ cat /etc/oracle-release
Oracle Linux Server release 7.5
[vagrant@jonspc ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)

HOWEVER, if I remove the _default lines and try again, this succeeds with the following config.

[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = drone-ci-web.company.com.key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no
encrypt_key         = no

[ subject ]
countryName            = US
stateOrProvinceName    = Missouri
localityName           = Jefferson City
organizationName       = My Company
organizationalUnitName = My Company Technologies
commonName             = drone-ci-web.company.com
emailAddress           = [email protected]

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

This works with the following output.

[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem
Generating a 2048 bit RSA private key
..............+++
..............+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----
FilBot3 asked Jan 07 '19 20:01

1 Answer

From the documentation:

DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT

There are two separate formats for the distinguished name and attribute sections. If the prompt option is set to no then these sections just consist of field names and values: for example,

 CN=My Name
 OU=My Organization
 [email protected]

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req. An example of this kind of configuration file is contained in the EXAMPLES section. Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

 fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4

So basically what you figured out yourself.

Shane Powell answered Jan 02 '23 23:01
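An added worked example, not code from the question or the answer above. It shows the mechanics behind the error: with prompt = no, OpenSSL reads every line in the DN section as fieldName = value, so countryName = Country Name (2 letter code) tries to encode the prompt text itself as the country, and countryName is limited to two characters (the maxsize=2 in the error). The script converts a prompt-style DN section (prompt line plus fieldName_default) into the bare fieldName = value form, then, if openssl is installed, generates the self-signed certificate and prints the subject and SAN so the values can be checked. The sample config is constructed here after the question's config; the email address in it is a placeholder. It assumes POSIX sh and awk and reads the DN section name from the distinguished_name line of [ req ].

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh + awk.

# to_noprompt CONFIG
# Prints CONFIG with the DN section rewritten for prompt = no:
#   fieldName_default = value  ->  fieldName = value
#   fieldName = "prompt text"  ->  dropped (with prompt = no it would BE the value)
#   fieldName_min / _max       ->  dropped (only meaningful when prompting)
#   prompt = ...               ->  prompt = no
# The file is read twice: pass 1 only picks up the DN section name.
to_noprompt() {
    awk '
        FNR == NR {
            if ($0 ~ /^[ \t]*distinguished_name[ \t]*=/) {
                dn = $0
                sub(/^[^=]*=[ \t]*/, "", dn)
                sub(/[ \t#].*$/, "", dn)
            }
            next
        }
        /^[ \t]*\[/ {                      # section header
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            in_dn = (sec == dn)
            print; next
        }
        /^[ \t]*prompt[ \t]*=/ { print "prompt              = no"; next }
        in_dn && /^[ \t]*[A-Za-z0-9.]+_default[ \t]*=/ {
            key = $0
            sub(/^[ \t]*/, "", key)
            sub(/_default[ \t]*=.*$/, "", key)
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
            printf "%-22s = %s\n", key, val
            next
        }
        in_dn && /^[ \t]*[A-Za-z0-9.]+_(min|max)[ \t]*=/ { next }
        in_dn && /^[ \t]*[A-Za-z0-9.]+[ \t]*=/ { next }   # prompt text
        { print }
    ' "$1" "$1"
}

# gen_selfsigned CONFIG KEY CERT
# Same request as in the question, run against a converted config; prints
# the subject and the subjectAltName line so the encoded values are visible.
gen_selfsigned() {
    openssl req -x509 -new -config "$1" -keyout "$2" -out "$3" || return 1
    openssl x509 -in "$3" -noout -subject
    openssl x509 -in "$3" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }'
}

# write_sample_config FILE: constructed prompt-style config modelled on the
# question (the one that fails with "string too long ... maxsize=2").
write_sample_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = subject
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no
encrypt_key         = no

[ subject ]
countryName                    = Country Name (2 letter code)
countryName_default            = US
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Missouri
organizationName               = Organization Name (eg, company)
organizationName_default       = My Company
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_default             = drone-ci-web.company.com
emailAddress                   = Email Address
emailAddress_default           = hostmaster@company.com

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names

[ alternate_names ]
DNS.1 = drone-ci-web.company.com
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/prompt.cnf"
    to_noprompt "$tmp/prompt.cnf" > "$tmp/noprompt.cnf"
    echo "== converted [ subject ] section =="
    awk '/^\[/ { p = ($0 ~ /subject/) } p' "$tmp/noprompt.cnf"
    if command -v openssl >/dev/null 2>&1; then
        ( cd "$tmp" && gen_selfsigned noprompt.cnf key.pem cert.pem )
    fi
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh example.sh demo`. The conversion is deliberately one-directional: a plain fieldName = "..." line in a prompt-style section is prompt text, never a value, so it is dropped rather than guessed at; a field that had no _default simply does not appear in the certificate, which is what would have happened interactively if you pressed Enter.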