From f56db9f93dbd9d58c752536233f3f5620ee9976e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Wed, 7 Apr 2021 09:55:31 +0200
Subject: [PATCH] Revert "Handle CA issuer working as intermediate" (#3847)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As discussed in #3847, I went too fast and /lgtm from my bed. That led to having a piece of code that could potentially break people's cert-manager deployments. Our plan is to have the same PR re-opened so that we can have it released for v1.4 (due on Friday 11 June 2021 as per our timeline).

Signed-off-by: Maƫl Valais
---
 .gitignore | 1 -
 pkg/util/pki/csr.go | 7 +++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 956c2477d..91fa83ba2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 .DS_Store
 .idea
-*.iml
 /acmesolver
 /controller
 /ingress-shim
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 6751c046b..1eef77448 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -424,9 +424,9 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 return nil, nil, errors.New("no CA certificates given to sign CSR template")
 }

- issuingCACert := caCerts[0]
+ caCert := caCerts[0]

- certPem, _, err := SignCertificate(template, issuingCACert, template.PublicKey, caKey)
+ certPem, _, err := SignCertificate(template, caCert, template.PublicKey, caKey)

 if err != nil {
 return nil, nil, err
@@ -440,8 +440,7 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 certPem = append(certPem, chainPem...)

 // encode the CA certificate to be bundled in the output
- caCert := caCerts[len(caCerts)-1]
- caPem, err := EncodeX509(caCert)
+ caPem, err := EncodeX509(caCerts[0])
 if err != nil {
 return nil, nil, err
 }
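Review bot: In the second csr.go hunk, `EncodeX509(caCerts[0])` returns as the CA the same certificate that the first hunk passes to `SignCertificate` as the issuer, so when caCerts holds more than one certificate the bundled CA is the issuing certificate and not the last element of the slice. The comment above it does not state which element is chosen; I would spell it out, e.g. `// caCerts[0] is both the signing certificate and the CA returned to the caller; later entries in caCerts are not used for caPem`. If callers treat the returned CA as their trust anchor (not visible here), this choice decides what they end up trusting, and the patch adds no test for a multi-certificate caCerts, so a two-certificate case pinning the returned caPem would make the planned re-landing a deliberate change. SignCSRTemplate begins before and continues after both hunks.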