pub(super) async fn require_cn(
    state: &AppState,
    peer_certs: &PeerCertificates,
) -> Result<String, StatusCode>
401 on missing/revoked cert; re-enrolled certs (notBefore > revoked_before) pass.
LOADBEARING: revocation DB rows store the short hostname (the
operator-declared form from fleet.nix), while the cert’s CN is the
canonical agent-<machineId>.<suffix> form. Look up by the
canonicalized-down short hostname so the two sides match.
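
A minimal sketch of the decision described above, added here as an illustration and not the project's own code. It assumes the short hostname is the CN with the `agent-` prefix and the dotted suffix removed, models the revocation table as an in-memory map, and uses constructed hostnames and timestamps; `check_cn`, `short_hostname` and `Revocations` are hypothetical names.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the revocation table:
// short hostname -> revoked_before (Unix seconds).
type Revocations = HashMap<String, u64>;

// ASSUMPTION: the short hostname is what remains of
// `agent-<machineId>.<suffix>` once the `agent-` prefix and the
// dotted suffix are removed. The page does not spell this mapping out.
fn short_hostname(cn: &str) -> Option<&str> {
    let rest = cn.strip_prefix("agent-")?;
    let (short, suffix) = rest.split_once('.')?;
    if short.is_empty() || suffix.is_empty() {
        return None;
    }
    Some(short)
}

// Returns the CN on success, or the HTTP status to send.
// `cert` is (CN, notBefore); None models a request with no client cert.
fn check_cn(revs: &Revocations, cert: Option<(&str, u64)>) -> Result<String, u16> {
    let (cn, not_before) = cert.ok_or(401u16)?;
    // ASSUMPTION: a CN outside the canonical form is rejected as well.
    let short = short_hostname(cn).ok_or(401u16)?;
    match revs.get(short) {
        // Issued at or before the revocation cut-off: still revoked.
        Some(&revoked_before) if not_before <= revoked_before => Err(401),
        // No row, or re-enrolled (notBefore > revoked_before): pass.
        _ => Ok(cn.to_string()),
    }
}

fn main() {
    // Constructed sample data.
    let mut revs = Revocations::new();
    revs.insert("web01".to_string(), 1_700_000_000);
    let cn = "agent-web01.fleet.example";

    // Keying the lookup on the full CN never finds the row, so a
    // revoked cert would be accepted; this is the mismatch to avoid.
    println!("row found by full CN: {}", revs.contains_key(cn));
    println!("old cert:         {:?}", check_cn(&revs, Some((cn, 1_699_000_000))));
    println!("re-enrolled cert: {:?}", check_cn(&revs, Some((cn, 1_700_000_001))));
    println!("no cert:          {:?}", check_cn(&revs, None));
}
```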