[Backpot 2.8] Platform: Update certs to use certLabel as CN

Summary: When CNs are same for certs while rotating it will cause error in verifying signature This was noticed in 2.4 backport, but 2.8 and master it was working fine. But migrating those changes to keep it consistent and fail proof Test Plan: Tested locally self signed cert rotation Reviewers: arnav Reviewed By: arnav Subscribers: jenkins-bot, yugaware Differential Revision: https://phabricator.dev.yugabyte.com/D14019
yugabyte · Nov 18, 2021 · e632b67 · e632b67
1 parent 67e9360
commit e632b67
Showing 1 changed file with 18 additions and 19 deletions.
diff --git a/managed/src/main/java/com/yugabyte/yw/common/CertificateHelper.java b/managed/src/main/java/com/yugabyte/yw/common/CertificateHelper.java
@@ -92,16 +92,32 @@ public class CertificateHelper {
 
   public static UUID createRootCA(String nodePrefix, UUID customerUUID, String storagePath) {
     try {
-      KeyPair keyPair = getKeyPairObject();
+      // Default the cert label with node prefix.
+      // If cert with the label already exists append number
+      String certLabel = nodePrefix;
+      CertificateInfo.Type certType = CertificateInfo.Type.SelfSigned;
+      List<CertificateInfo> certificateInfoList =
+          CertificateInfo.getWhereLabelStartsWith(nodePrefix, certType);
+      if (!certificateInfoList.isEmpty()) {
+        certificateInfoList.sort(Comparator.comparing(a -> a.label, Comparator.reverseOrder()));
+        String[] labelArray = certificateInfoList.get(0).label.split("~");
+        int lastCount = 0;
+        try {
+          lastCount = Integer.parseInt(labelArray[labelArray.length - 1]);
+        } catch (NumberFormatException ignored) {
+        }
+        certLabel = nodePrefix + "~" + (++lastCount);
+      }
 
+      KeyPair keyPair = getKeyPairObject();
       UUID rootCA_UUID = UUID.randomUUID();
       Calendar cal = Calendar.getInstance();
       Date certStart = cal.getTime();
       cal.add(Calendar.YEAR, 4);
       Date certExpiry = cal.getTime();
       X500Name subject =
           new X500NameBuilder(BCStyle.INSTANCE)
-              .addRDN(BCStyle.CN, nodePrefix)
+              .addRDN(BCStyle.CN, certLabel)
               .addRDN(BCStyle.O, "example.com")
               .build();
       BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
@@ -130,23 +146,6 @@ public static UUID createRootCA(String nodePrefix, UUID customerUUID, String sto
       String keyPath =
           String.format(CERT_PATH + "/ca.key.pem", storagePath, customerUUID, rootCA_UUID);
       writeKeyFileContentToKeyPath(keyPair.getPrivate(), keyPath);
-      CertificateInfo.Type certType = CertificateInfo.Type.SelfSigned;
-
-      // Default the cert label with node prefix.
-      // If cert with the label already exists append number
-      String certLabel = nodePrefix;
-      List<CertificateInfo> certificateInfoList =
-          CertificateInfo.getWhereLabelStartsWith(nodePrefix, certType);
-      if (!certificateInfoList.isEmpty()) {
-        certificateInfoList.sort(Comparator.comparing(a -> a.label, Comparator.reverseOrder()));
-        String[] labelArray = certificateInfoList.get(0).label.split("~");
-        int lastCount = 0;
-        try {
-          lastCount = Integer.parseInt(labelArray[labelArray.length - 1]);
-        } catch (NumberFormatException ignored) {
-        }
-        certLabel = nodePrefix + "~" + (++lastCount);
-      }
 
       LOG.info(
           "Generated self signed cert label {} uuid {} of type {} for customer {} at paths {}, {}",