From c9e7af37226e45fc2e655cce2a40ee8e57ed2a09 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 23 Sep 2022 11:04:27 -0700
Subject: [PATCH] Use only name constraints in GetTLSCertificate
---
 authority/tls.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/authority/tls.go b/authority/tls.go
index 29053ddf..efabc8f2 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -640,8 +640,8 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 certTpl.EmailAddresses = cr.EmailAddresses
 certTpl.URIs = cr.URIs
- // Fail if name constraints or policy does not allow the server names.
- if err := a.isAllowedToSignX509Certificate(certTpl); err != nil {
+ // Fail if name constraints do not allow the server names.
+ if err := a.constraintsEngine.ValidateCertificate(certTpl); err != nil {
 return fatal(err)
 }
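Review bot: The new comment above `a.constraintsEngine.ValidateCertificate(certTpl)` says what is checked but not why the authority policy is no longer applied to this certificate, which is the security-relevant decision in this hunk. Judging by the commit subject, the omission looks deliberate, so I would record it to keep a later reader from restoring the policy check or assuming policy still covers these names, e.g. `// Only name constraints are enforced here; the authority policy is intentionally not applied to the authority's own server certificate.` It is also worth confirming, outside this hunk, that `a.constraintsEngine` is always initialised before this path runs or that `ValidateCertificate` tolerates a nil receiver, since the call it replaces was a method on `a` itself. GetTLSCertificate starts and ends outside the hunk.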