From 540d0e17954a8187d0bbe40cc6a7628b9044cc1e Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 18 May 2020 19:37:54 -0400
Subject: [PATCH] Fix SUSE certificate handling

SUSE requires things go through update-ca-certificates, update the generated certs and the post to do that.
---
 confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh | 1 +
 confluent_server/bin/confluentcertutil.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
index 50cdce47..0b5cef20 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
@@ -44,4 +44,5 @@ cp /tmp/confluent.* /mnt/etc/confluent/
 cp -a /tls /mnt/etc/confluent/
 cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
 cp -a /tls/* /mnt/etc/ssl/certs
+cp -a /tls/*.cert /etc/pki/trust/anchors
diff --git a/confluent_server/bin/confluentcertutil.py b/confluent_server/bin/confluentcertutil.py
index 24b46827..d0cbaacd 100644
--- a/confluent_server/bin/confluentcertutil.py
+++ b/confluent_server/bin/confluentcertutil.py
@@ -53,7 +53,7 @@ def create_certificate(outdir):
 shutil.copy2(sslcfg, tmpconfig)
 try:
 with open(tmpconfig, 'a') as cfgfile:
- cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
+ cfgfile.write('\n[SAN]i\nbasicConstraints = CA:true\nsubjectAltName={0}'.format(san))
 subprocess.check_call([
 'openssl', 'req', '-new', '-x509', '-key', keyout, '-days', '7300', '-out', certout, '-subj', '/CN={0}'.format(longname),
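Review bot: In confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh the added `cp -a /tls/*.cert /etc/pki/trust/anchors` writes into the installer environment's own /etc, while the three context lines above it all copy into the installed system under /mnt. If the anchor is meant to be trusted by the deployed node, the destination should presumably be `/mnt/etc/pki/trust/anchors`. The commit message says certificates must go through update-ca-certificates, but no call to it is visible in this hunk, so confirm it runs against the target root elsewhere; otherwise the anchor may never be merged into the trust store. The `*.cert` glob is also narrower than the `/tls/*` used on the lines above, so a certificate file with another extension would be skipped without any error.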
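Review bot: The new config string in confluent_server/bin/confluentcertutil.py writes the section header as `[SAN]i`; the trailing `i` looks like a stray keystroke and should be removed rather than relying on OpenSSL's config parser tolerating it. More importantly, `basicConstraints = CA:true` turns the server's own TLS certificate into an unconstrained CA, and post.sh installs it as a system trust anchor, so the key held on the TLS endpoint would be accepted by deployed nodes as an issuer for any name. Consider narrowing it to `basicConstraints = critical,CA:true,pathlen:0` with an explicit `keyUsage`, or issuing the server certificate from a separate CA key that is not used for TLS. create_certificate continues past the end of the hunk, so whether the SAN section is selected with `-extensions` is not visible here.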