OpenSSL does not allow access to a custom start
date without the full 'ca' facility; do the
work to set up the full CA and then
backdate certificates.
This does open the way for a managed CA if required.
Depending on the options selected/not selected, the
/var/lib/confluent directory may have been initialized
incorrectly. Have all the potential paths begin with
ensuring /var/lib/confluent is correct, and then
use seteuid consistently to take care of the rest.
Given the python2/3 differences, good to have a single run
that returns stdout and stderr.
This should trigger the same behavior as timeout did, but
in a manner consistent between 2 and 3.
Older python did not provide timeout. Keep the timeout
for the modern python that skips select without a timeout,
but try again without timeout to retain compatibility.
Eventlet narrowly targets overriding
select in subprocess, to avoid rewriting adequate functions.
However, subprocess does an 'optimization' to skip
select if there's fewer than 3 pipes to juggle and no timeout specified.
Induce python to always use select
by specifying a very long timeout.
This causes confluent to be able to spawn multiple subprocesses and
not be hung waiting for input.
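The wrapper described in the notes above (a single run() that returns stdout and stderr, tries a timeout and falls back for older Python), written out as an added example. This is not confluent's own code; the one-day timeout value and the helper names are assumptions for illustration.

```python
import subprocess
import sys

# Example (not confluent's own code): run a command, capturing stdout and
# stderr, in a way that behaves the same on Python 2 and 3 and that always
# drives subprocess into its select()-based communicate() path.
#
# Python 3's Popen.communicate() skips the select() loop when no timeout is
# given and at most one pipe is attached; under eventlet, whose green
# subprocess relies on select() being the thing it overrides, that plain
# blocking read can stall every other green thread. Passing a very long
# timeout forces the select() path. Python 2's communicate() has no timeout
# argument and raises TypeError, so fall back to the plain call there.

FORCE_SELECT_TIMEOUT = 86400  # assumed: one day, effectively "no timeout"


def run(cmd):
    """Run cmd, returning (returncode, stdout, stderr) with bytes output."""
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    try:
        stdout, stderr = process.communicate(timeout=FORCE_SELECT_TIMEOUT)
    except TypeError:
        # Older Python: communicate() does not accept a timeout argument.
        stdout, stderr = process.communicate()
    return process.returncode, stdout, stderr


def run_python(code):
    """Convenience: run a snippet in the current interpreter via run()."""
    return run([sys.executable, '-c', code])


if __name__ == '__main__':
    rc, out, err = run_python(
        'import sys; sys.stdout.write("out"); sys.stderr.write("err")')
    print(rc, out, err)
```

The TypeError fallback is what keeps the behaviour consistent across interpreters: the modern path gets the long timeout that forces select(), and the old path behaves exactly as it always did.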
Hardcoding 0x123 serial number would cause strict clients to reject the
certificate.
While we are still not guaranteeing uniqueness, the chances of a
duplicate are impossibly small.
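As an added example of the point made above, the following is one way to produce a serial number that strict clients accept in place of a hardcoded 0x123. It is not confluent's code; the function names and the choice of 159 random bits are assumptions for illustration.

```python
import binascii
import os

# Example (not confluent's own code): generate an X.509 serial number that
# satisfies the constraints strict clients enforce.
#
# RFC 5280 requires the serialNumber to be a positive integer whose DER
# encoding is at most 20 octets. A value of at most 159 bits fits even after
# DER adds a leading 0x00 octet when the top bit of the first byte is set.
# Uniqueness is still not guaranteed, but a collision between two 159-bit
# random values is practically impossible.

SERIAL_BITS = 159  # assumed: leaves room for DER's sign octet within 20 bytes


def random_serial(rand=os.urandom):
    """Return a positive random integer that fits in 20 DER octets."""
    raw = int(binascii.hexlify(rand(20)), 16) >> (160 - SERIAL_BITS)
    return raw or 1  # serial must be positive; zero is astronomically unlikely


def serial_is_valid(serial):
    """Check the RFC 5280 constraints on a certificate serial number."""
    if serial <= 0:
        return False
    # DER INTEGER is minimal two's complement: a positive value whose top bit
    # is set needs one extra leading zero octet, hence the +8 before rounding.
    der_octets = (serial.bit_length() + 8) // 8
    return der_octets <= 20


def openssl_serial_arg(serial):
    """Format a serial for openssl's -set_serial option (hex with 0x prefix)."""
    return '0x%x' % serial


if __name__ == '__main__':
    serial = random_serial()
    print(openssl_serial_arg(serial), serial_is_valid(serial))
```

Both the all-zero and all-ones cases are handled: all zeros becomes 1 rather than the invalid serial 0, and all ones yields 2^159 - 1, the largest value that still encodes in 20 DER octets.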
This allows regenerating TLS cert
without updating boot images.
For example, if ip address changes need a new cert, no
longer should the nodes need new certs to trust
just due to that.
There are scenarios where getfqdn can induce a hang.
The certificate having FQDN isn't that useful anyway,
since confluent never uses it and external use of it
may need a more carefully crafted certificate to have
a good chance of matching it anyway.
Also, the chances a user would import our cert as a
CA to something like a browser are low.