From fb1f6b70bb61ed31f08fa0ddd8dd4626db1e79c4 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 24 Feb 2022 09:27:40 -0500
Subject: [PATCH] Improve error handling on bad TLS cert

Bad TLS cert is a common problem, provide better feedback.
---
 .../common/initramfs/opt/confluent/bin/apiclient | 6 +++++-
 .../usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh | 6 ++++++
 .../usr/lib/dracut/hooks/pre-trigger/01-confluent.sh | 6 +++++-
 .../genesis/initramfs/opt/confluent/bin/rungenesis | 6 ++++--
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
index 7fb58679..6e96382a 100644
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@@ -328,7 +328,11 @@ class HTTPSClient(client.HTTPConnection, object):
 self.stdheaders['Host'] = '{0}'.format(host)
 ctx.verify_mode = ssl.CERT_REQUIRED
 ctx.check_hostname = True
- self.sock = ctx.wrap_socket(psock, server_hostname=host)
+ try:
+ self.sock = ctx.wrap_socket(psock, server_hostname=host)
+ except ssl.SSLError:
+ sys.stderr.write('Error validating certificate on deployer (try `osdeploy initialize -t` on the deployment server {0})\n'.format(host))
+ sys.exit(1)

 def grab_url(self, url, data=None, returnrsp=False):
 return self.grab_url_with_status(url, data, returnrsp)[1]
diff --git a/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh b/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
index 2903fdb5..c4dceb1c 100644
--- a/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
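Review bot: The new `except ssl.SSLError:` branch in HTTPSClient catches every TLS handshake failure, not only certificate validation, and discards the exception text, so an unknown CA, an expired certificate and a hostname mismatch all print the same "Error validating certificate" line and the same advice to re-run `osdeploy initialize -t`. Binding the exception and appending it to the message keeps verification strict while letting the operator tell a stale deployer CA from a wrong deployer address or an interposed host before re-initializing trust: `except ssl.SSLError as e:` and a message that formats `e` alongside `host`, e.g. `'... on the deployment server {0}): {1}\n'.format(host, e)`. Calling `sys.exit(1)` from inside a connection method also ends any Python caller outright instead of letting it handle the error; that appears intended since the shell hooks in this patch loop on the exit status, but a one-line comment such as `# exit non-zero so the initramfs hooks can retry and surface the message` would record it. Whether `sys` is imported in this file is not visible in the hunk, and the enclosing method starts outside it.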
@@ -129,6 +129,12 @@ while [ $ready = "0" ]; do
 fi
 confluent_mgr=${confluent_mgr#[}
 confluent_mgr=${confluent_mgr%]}
+ elif grep 'SSL' $tmperr > /dev/null; then
+ confluent_mgr=${confluent_mgr#[}
+ confluent_mgr=${confluent_mgr%]}
+ sleep 1
+ /opt/confluent/bin/autocons -c
+ echo 'Failure establishing TLS conneection to '$confluent_mgr' (try `osdeploy initialize -t` on the deployment server)'
 else
 ready=1
 fi
diff --git a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh
index c8595bce..cfa3bfb6 100644
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-trigger/01-confluent.sh
@@ -57,7 +57,10 @@ nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 #TODO: blkid --label to find mounted api
 cat /tls/*.pem > /etc/confluent/ca.pem
-confluentpython /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
+while ! confluentpython /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg; do
+ /opt/confluent/bin/autocons -c
+ sleep 1
+done
 ifidx=$(cat /tmp/confluent.ifidx)
 ifname=$(ip link |grep ^$ifidx:|awk '{print $2}')
 ifname=${ifname%:}
@@ -92,6 +95,7 @@ if [ "$textconsole" = "true" ] && ! grep console= /proc/cmdline > /dev/null; the
 autocons=$(cat /tmp/01-autocons.devnode)
 if [ ! -z "$autocons" ]; then
 echo Auto-configuring installed system to use text console
+ /opt/confluent/bin/autocons -c
 echo Auto-configuring installed system to use text console > $autocons
 cp /tmp/01-autocons.conf /etc/cmdline.d/
 else
diff --git a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
index ee6573dc..ed037976 100644
--- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
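Review bot: The user-facing message on the new `echo` line misspells "connection" as "conneection"; since this is the string an operator will search for, it is worth fixing before merge. The `grep 'SSL' $tmperr` test is broad — any stderr line containing "SSL" takes this branch — and what writes `$tmperr` is not visible in the hunk, so confirm that the error text it captures actually contains "SSL" for a certificate failure (the apiclient message introduced in this patch does not). `$tmperr` is also unquoted (`grep 'SSL' "$tmperr"`), and the branch leaves `ready` at 0, so the loop keeps retrying once a second with no bound; that looks intentional, but a retry counter in the message would make a persistent failure recognizable on the console. The enclosing while loop starts outside the hunk.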
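Review bot: The new `while ! confluentpython ...` loop retries on every non-zero exit of apiclient once a second with no bound, so a failure a retry cannot fix — such as the certificate error the first hunk now turns into `sys.exit(1)` — reprints the same message every second for as long as the node sits in the initramfs; the loop in the rungenesis hunk has the same shape. A longer pause and a counter in a short status line would make a stuck node easier to read, e.g. `tries=$((tries+1))` inside the loop, `sleep 5`, and `echo "deploycfg fetch failed, retry $tries" >&2`. Each failed iteration also truncates /etc/confluent/confluent.deploycfg before apiclient runs, which is harmless here only because nothing reads the file until the loop exits; a comment saying so would save the next reader the check.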
+++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
@@ -76,8 +76,10 @@ for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
 done
 cd - > /dev/null
 rm -rf $tpmdir
-/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
-if [ ! -z "$autocons" ] && grep textconsole: true /etc/confluent/confluent.deploycfg > /dev/null; then /opt/confluent/bin/autocons -c > /dev/null; fi
+while ! /usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg; do
+ sleep 1
+done
+if [ ! -z "$autocons" ] && grep "textconsole: true" /etc/confluent/confluent.deploycfg > /dev/null; then /opt/confluent/bin/autocons -c > /dev/null; fi
 umask $oldumask
 new_apikey=$(cat /etc/confluent/confluent.apikey)
 if [ "$new_apikey" != "$confluent_apikey" ]; then
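Review bot: Unlike the matching retry loop in 01-confluent.sh, the new loop here never calls `/opt/confluent/bin/autocons -c`; the console is only switched by the `if [ ! -z "$autocons" ] ...` line after the loop has succeeded, so apiclient's certificate message may never reach the text console while the node is stuck retrying — this is inferred, since what autocons -c does is not shown in the hunk. If that reading holds, adding `[ ! -z "$autocons" ] && /opt/confluent/bin/autocons -c > /dev/null` inside the loop before `sleep 1` would mirror the other hook. The `grep "textconsole: true"` line is also a quoting correction the commit message does not mention (the old form searched a file named `true`); a short comment such as `# pattern must stay quoted: it contains a space` would keep it from regressing.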