From 40eb8762e28b6eabd4244e66b4154066085ff356 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Fri, 30 Jul 2021 13:59:22 -0700
Subject: [PATCH] Improved ACM root cert hash mismatch error, #2948
---
 amtmanager.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/amtmanager.js b/amtmanager.js
index b53089f7..1a885190 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -2022,9 +2022,12 @@ module.exports.CreateAmtManager = function (parent) {
 if (trustedFqdn == null) return { err: "No trusted DNS suffix reported" };
 // Find a matching certificate
+ var gotSuffixMatch = false;
 for (var i in activationCerts) {
 var cert = activationCerts[i];
- if ((cert.cn == '*') || checkAcmActivationCertName(cert.cn, trustedFqdn)) {
+ var certDnsMatch = checkAcmActivationCertName(cert.cn, trustedFqdn);
+ if (certDnsMatch == true) { gotSuffixMatch = true; }
+ if ((cert.cn == '*') || certDnsMatch) {
 for (var j in deviceHashes) {
 var hashInfo = deviceHashes[j];
 if ((hashInfo != null) && (hashInfo.isActive == 1)) {
@@ -2034,6 +2037,7 @@ module.exports.CreateAmtManager = function (parent) {
 }
 }
 }
+ if (gotSuffixMatch) { return { err: "Certificate root hash matching failed for \"" + trustedFqdn + "\"." }; } // Found a DNS suffix match, but root hash failed to match.
 return { err: "No matching ACM activation certificate for \"" + trustedFqdn + "\"." }; // Did not find a match
 }
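Review bot: In the first hunk `gotSuffixMatch` is set only when `checkAcmActivationCertName` matches, so a wildcard entry (`cert.cn == '*'`) that enters the hash loop and fails there still ends in the generic "No matching ACM activation certificate" error rather than the new root-hash message. If the new message is meant to cover every certificate whose hash was actually compared, set the flag on the same condition as the branch: `if ((cert.cn == '*') || (certDnsMatch == true)) { gotSuffixMatch = true; }`. The `certDnsMatch == true` test and the truthiness test in the next `if` agree only if the helper returns a strict boolean, which is not visible here. A comment such as `// '*' skips the DNS suffix check, so the root hash comparison is the only gate for that certificate` would make the trust decision explicit. The loop body continues outside the hunk.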
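Review bot: Both error strings in the second hunk interpolate `trustedFqdn`, which appears to be a device-reported value (the earlier check returns "No trusted DNS suffix reported"), and the added return is one more path by which it reaches whoever consumes `err`. Where that string ends up (log line, web UI) is not visible in this hunk, so I would state the expectation at the return: `// trustedFqdn is device-reported; encode err before logging or rendering it`. The enclosing function starts outside the hunk.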