Improve error handling on bad TLS cert

Bad TLS cert is a common problem, provide better feedback.
2024-11-22 01:22:00 +00:00 · 2022-02-24 09:27:40 -05:00 · 2022-02-24 09:27:40 -05:00 · fb1f6b70bb
commit fb1f6b70bb
parent 2c9be7a4c4
4 changed files with 20 additions and 4 deletions
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@ -328,7 +328,11 @@ class HTTPSClient(client.HTTPConnection, object):
            self.stdheaders['Host'] = '{0}'.format(host)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
-        self.sock = ctx.wrap_socket(psock, server_hostname=host)
+        try:
+            self.sock = ctx.wrap_socket(psock, server_hostname=host)
+        except ssl.SSLError:
+            sys.stderr.write('Error validating certificate on deployer (try `osdeploy initialize -t` on the deployment server {0})\n'.format(host))
+            sys.exit(1)

    def grab_url(self, url, data=None, returnrsp=False):
        return self.grab_url_with_status(url, data, returnrsp)[1]
--- a/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
@ -129,6 +129,12 @@ while [ $ready = "0" ]; do
        fi
        confluent_mgr=${confluent_mgr#[}
        confluent_mgr=${confluent_mgr%]}
+    elif grep 'SSL' $tmperr > /dev/null; then
+        confluent_mgr=${confluent_mgr#[}
+        confluent_mgr=${confluent_mgr%]}
+	sleep 1
+	/opt/confluent/bin/autocons -c
+	echo 'Failure establishing TLS conneection to '$confluent_mgr' (try `osdeploy initialize -t` on the deployment server)'
    else
        ready=1
    fi
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh
@ -57,7 +57,10 @@ nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 #TODO: blkid --label <whatever> to find mounted api

 cat /tls/*.pem > /etc/confluent/ca.pem
-confluentpython /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+while ! confluentpython /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg; do
+	/opt/confluent/bin/autocons -c
+	sleep 1
+done
 ifidx=$(cat /tmp/confluent.ifidx)
 ifname=$(ip link |grep ^$ifidx:|awk '{print $2}')
 ifname=${ifname%:}
@ -92,6 +95,7 @@ if [ "$textconsole" = "true" ] && ! grep console= /proc/cmdline > /dev/null; the
 	autocons=$(cat /tmp/01-autocons.devnode)
 	if [ ! -z "$autocons" ]; then
 	    echo Auto-configuring installed system to use text console
+            /opt/confluent/bin/autocons -c
 	    echo Auto-configuring installed system to use text console > $autocons
 	    cp /tmp/01-autocons.conf /etc/cmdline.d/
 	else
--- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
+++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
@ -76,8 +76,10 @@ for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
 done
 cd - > /dev/null
 rm -rf $tpmdir
-/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
-if [ ! -z "$autocons" ] && grep textconsole: true /etc/confluent/confluent.deploycfg > /dev/null; then /opt/confluent/bin/autocons -c > /dev/null; fi
+while ! /usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg; do
+	sleep 1
+done
+if [ ! -z "$autocons" ] && grep "textconsole: true" /etc/confluent/confluent.deploycfg > /dev/null; then /opt/confluent/bin/autocons -c > /dev/null; fi
 umask $oldumask
 new_apikey=$(cat /etc/confluent/confluent.apikey)
 if [ "$new_apikey" != "$confluent_apikey" ]; then