From 1f66120c20694fff1e8d1be8442faaeda50b5adf Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Thu, 25 Nov 2021 12:19:10 -0500 Subject: [PATCH] ca: remove redundant append of an intermediate cert Immediately above this line we are already appending the full list of intermediates. The `provider.ActiveIntermediate` MUST be in this list of intermediates because it must be available to all the other non-leader Servers. If it was not in this list of intermediates then any proxy that received data from a non-leader would have the wrong certs. This is being removed now because we are planning on changing the `Provider.ActiveIntermediate` interface, and removing these extra calls ahead of time helps make that change easier. --- agent/consul/leader_connect_ca.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go index 82956bed2..3087fb84a 100644 --- a/agent/consul/leader_connect_ca.go +++ b/agent/consul/leader_connect_ca.go @@ -1498,11 +1498,6 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne pem = pem + ca.EnsureTrailingNewline(p) } - // Append our local CA's intermediate if there is one. - if inter != root { - pem = pem + ca.EnsureTrailingNewline(inter) - } - modIdx, err := c.delegate.ApplyCALeafRequest() if err != nil { return nil, err