[PLAT-3188] client certificates are not updated in $HOME/.yugabytedb …

…dir due to which Health check fails.

Summary:
Found that in function getCertificatePaths only one code path updates the certs and other one was not updating it.

Also, returning  empty string for Hashicorp cert type when key is requested. - PLAT-3216

Test Plan:
     Reproduced issue via provided steps and used same to verify.

# Tip: You can add a project as a subscriber or reviewer by writing
# "#projectname" in the appropriate field.

Reviewers: vpatibandla, kkg, hkandala

Reviewed By: hkandala

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D15651

managed/src/main/java/com/yugabyte/yw/common/NodeManager.java

@@ -414,15 +414,15 @@ private List<String> getCertificatePaths(
               serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
               certsLocation = CERT_LOCATION_PLATFORM;
 
-              if (taskParam.rootAndClientRootCASame && taskParam.enableClientToNodeEncrypt) {
-                // These client certs are used for node to postgres communication
-                // These are separate from clientRoot certs which are used for server to client
-                // communication These are not required anymore as this is not mandatory now and
-                // can be removed. The code is still here to maintain backward compatibility
+              if (taskParam.enableClientToNodeEncrypt) {
+
+                UUID cliRootCA = taskParam.clientRootCA;
+                if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
                 subcommandStrings.add("--client_cert_path");
-                subcommandStrings.add(CertificateHelper.getClientCertFile(taskParam.rootCA));
+                subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
                 subcommandStrings.add("--client_key_path");
-                subcommandStrings.add(CertificateHelper.getClientKeyFile(taskParam.rootCA));
+                subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
               }
             } catch (IOException e) {
               LOG.error(e.getMessage(), e);
@@ -516,6 +516,18 @@ private List<String> getCertificatePaths(
               serverCertPath = String.format("%s/%s", tempStorageDirectory, serverCertFile);
               serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
               certsLocation = CERT_LOCATION_PLATFORM;
+
+              if (taskParam.enableClientToNodeEncrypt) {
+
+                UUID cliRootCA = taskParam.clientRootCA;
+                if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
+                subcommandStrings.add("--client_cert_path");
+                subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
+                subcommandStrings.add("--client_key_path");
+                subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
+              }
+
             } catch (IOException e) {
               LOG.error(e.getMessage(), e);
               throw new RuntimeException(e);

managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java

@@ -545,16 +545,15 @@ public static String getCertPEM(CertificateInfo cert) {
   }
 
   public static String getKeyPEM(CertificateInfo cert) {
+    if (cert.certType == CertConfigType.HashicorpVault) return "";
     String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
     privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
     return privateKeyPEM;
   }
 
   public static String getKeyPEM(UUID rootCA) {
     CertificateInfo cert = CertificateInfo.get(rootCA);
-    String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
-    privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
-    return privateKeyPEM;
+    return getKeyPEM(cert);
   }
 
   public static String getClientCertFile(UUID rootCA) {

managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java

@@ -147,19 +147,27 @@ public UUID rotateCerts(CertsRotateParams requestParams, Customer customer, Univ
     requestParams.universeUUID = universe.universeUUID;
     requestParams.expectedUniverseVersion = universe.version;
     UserIntent userIntent = universe.getUniverseDetails().getPrimaryCluster().userIntent;
+
     // Generate client certs if rootAndClientRootCASame is true and rootCA is self-signed.
     // This is there only for legacy support, no need if rootCA and clientRootCA are different.
     if (userIntent.enableClientToNodeEncrypt && requestParams.rootAndClientRootCASame) {
-      CertificateInfo rootCert = CertificateInfo.get(requestParams.rootCA);
+
+      UUID cliRootCA = requestParams.clientRootCA;
+      if (requestParams.rootAndClientRootCASame) cliRootCA = requestParams.rootCA;
+
+      CertificateInfo rootCert = CertificateInfo.get(cliRootCA);
+      log.debug(
+          "rotateCerts called with clientRootCA: {}",
+          (cliRootCA != null) ? cliRootCA.toString() : "NULL");
       if (rootCert.certType == CertConfigType.SelfSigned
           || rootCert.certType == CertConfigType.HashicorpVault) {
         CertificateHelper.createClientCertificate(
-            requestParams.rootCA,
+            cliRootCA,
             String.format(
                 CertificateHelper.CERT_PATH,
                 runtimeConfigFactory.staticApplicationConf().getString("yb.storage.path"),
                 customer.uuid.toString(),
-                requestParams.rootCA.toString()),
+                cliRootCA.toString()),
             CertificateHelper.DEFAULT_CLIENT,
             null,
             null);