From 0092915cab61aa2a95c771c33c3343800e9193f3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 2 Dec 2021 10:19:47 -0500
Subject: [PATCH] Fix rerunning tls initialization
---
confluent_server/confluent/certutil.py | 48 ++++++++++++--------------
1 file changed, 23 insertions(+), 25 deletions(-)
diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index 3582a53a..b2a51038 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -71,31 +71,29 @@ def get_certificate_paths():
 def assure_tls_ca():
 keyout, certout = ('/etc/confluent/tls/cakey.pem',
 '/etc/confluent/tls/cacert.pem')
- if os.path.exists(certout):
- return
- try:
- os.makedirs('/etc/confluent/tls')
- except OSError as e:
- if e.errno != 17:
- raise
- sslcfg = get_openssl_conf_location()
- tmpconfig = tempfile.mktemp()
- shutil.copy2(sslcfg, tmpconfig)
- subprocess.check_call(
- ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
- keyout])
- try:
- with open(tmpconfig, 'a') as cfgfile:
- cfgfile.write('\n[CACert]\nbasicConstraints = CA:true\n')
- subprocess.check_call([
- 'openssl', 'req', '-new', '-x509', '-key', keyout, '-days',
- '27300', '-out', certout, '-subj',
- '/CN=Confluent TLS Certificate authority ({0})'.format(socket.gethostname()),
- '-extensions', 'CACert', '-config', tmpconfig
- ])
- finally:
- os.remove(tmpconfig)
- # Could restart the webserver now?
+ if not os.path.exists(certout):
+ try:
+ os.makedirs('/etc/confluent/tls')
+ except OSError as e:
+ if e.errno != 17:
+ raise
+ sslcfg = get_openssl_conf_location()
+ tmpconfig = tempfile.mktemp()
+ shutil.copy2(sslcfg, tmpconfig)
+ subprocess.check_call(
+ ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
+ keyout])
+ try:
+ with open(tmpconfig, 'a') as cfgfile:
+ cfgfile.write('\n[CACert]\nbasicConstraints = CA:true\n')
+ subprocess.check_call([
+ 'openssl', 'req', '-new', '-x509', '-key', keyout, '-days',
+ '27300', '-out', certout, '-subj',
+ '/CN=Confluent TLS Certificate authority ({0})'.format(socket.gethostname()),
+ '-extensions', 'CACert', '-config', tmpconfig
+ ])
+ finally:
+ os.remove(tmpconfig)
 fname = '/var/lib/confluent/public/site/tls/{0}.pem'.format(
 collective.get_myname())
 try:
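Review bot: `tmpconfig = tempfile.mktemp()` on the new side keeps an unsafe temporary-file pattern — mktemp only returns a path name, so there is a window before `shutil.copy2(sslcfg, tmpconfig)` in which the file does not yet exist, and the openssl config that defines the CA extension is read back from that path; replacing it with `fd, tmpconfig = tempfile.mkstemp()` followed by `os.close(fd)` creates the file atomically with owner-only permissions before the copy. The `ecparam` `check_call` sits between the copy and the `try:` whose `finally` removes tmpconfig, so a failure in key generation leaves the temp file behind; moving that call inside the `try` closes the gap. The CA private key written to `keyout` by `openssl ecparam ... -out` gets whatever mode the process umask permits, unless the umask is set restrictively elsewhere, so an `os.chmod(keyout, 0o600)` right after that call would pin it. `assure_tls_ca` continues past the end of the hunk.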