Add missing modifier and change return codes.

authority/tls.go

@@ -93,7 +93,7 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
 func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) {
 	var (
 		errContext     = context{"csr": csr, "signOptions": signOpts}
-		mods           = []x509util.WithOption{}
+		mods           = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
 		certValidators = []provisioner.CertificateValidator{}
 	)
 	for _, op := range extraOpts {
@@ -102,7 +102,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 			certValidators = append(certValidators, k)
 		case provisioner.CertificateRequestValidator:
 			if err := k.Valid(csr); err != nil {
-				return nil, nil, err
+				return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
 			}
 		case provisioner.ProfileModifier:
 			mods = append(mods, k.Option(signOpts))
@@ -140,7 +140,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 	// FIXME: This should be before creating the certificate.
 	for _, v := range certValidators {
 		if err := v.Valid(serverCert); err != nil {
-			return nil, nil, err
+			return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
 		}
 	}