ca: test that original certs from secondary still verify

There's a chance this could flake if the secondary hasn't received the
update yet, but running this test many times doesn't show any flakes
yet.

agent/consul/leader_connect_ca_test.go

@@ -766,6 +766,7 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 		}
 	})
 
+	var origLeafSecondary string
 	runStep(t, "start secondary DC", func(t *testing.T) {
 		joinWAN(t, serverDC2, serverDC1)
 		testrpc.WaitForActiveCARoot(t, serverDC2.RPC, "dc2", nil)
@@ -778,6 +779,7 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 
 		leafPEM := getLeafCert(t, codec, roots.TrustDomain, "dc2")
 		verifyLeafCert(t, roots.Roots[0], leafPEM)
+		origLeafSecondary = leafPEM
 	})
 
 	runStep(t, "renew leaf signing CA in primary", func(t *testing.T) {
@@ -850,6 +852,13 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 
 		// original certs from old root cert should still verify
 		verifyLeafCertWithRoots(t, roots, origLeaf)
+
+		// original certs from secondary should still verify
+		rootsSecondary := structs.IndexedCARoots{}
+		r := &structs.DCSpecificRequest{Datacenter: "dc2"}
+		err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", r, &rootsSecondary)
+		require.NoError(t, err)
+		verifyLeafCertWithRoots(t, rootsSecondary, origLeafSecondary)
 	})
 
 	runStep(t, "rotate to a different external root", func(t *testing.T) {
@@ -885,6 +894,13 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 
 		// original certs from old root cert should still verify
 		verifyLeafCertWithRoots(t, roots, origLeaf)
+
+		// original certs from secondary should still verify
+		rootsSecondary := structs.IndexedCARoots{}
+		r := &structs.DCSpecificRequest{Datacenter: "dc2"}
+		err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", r, &rootsSecondary)
+		require.NoError(t, err)
+		verifyLeafCertWithRoots(t, rootsSecondary, origLeafSecondary)
 	})
 }