tlsutil: fix a panic

UpdateAutoTLSCA would panic if either of the calls errored, because the read lock was being unlocked
incorrectly.

tlsutil/config.go

@@ -268,11 +268,9 @@ func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
 
 	pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...))
 	if err != nil {
-		c.lock.RUnlock()
 		return err
 	}
 	if err = c.check(*c.base, pool, c.manual.cert); err != nil {
-		c.lock.RUnlock()
 		return err
 	}
 	c.autoTLS.connectCAPems = connectCAPems

tlsutil/config_test.go

@@ -11,9 +11,11 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/hashicorp/consul/sdk/testutil"
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/yamux"
 	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul/sdk/testutil"
 )
 
 func startRPCTLSServer(config *Config) (net.Conn, chan error) {
@@ -831,6 +833,17 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
 	})
 }
 
+func TestConfigurator_UpdateAutoTLSCA_DoesNotPanic(t *testing.T) {
+	config := Config{
+		Domain: "consul",
+	}
+	c, err := NewConfigurator(config, hclog.New(nil))
+	require.NoError(t, err)
+
+	err = c.UpdateAutoTLSCA([]string{"invalid pem"})
+	require.Error(t, err)
+}
+
 func TestConfigurator_VerifyIncomingRPC(t *testing.T) {
 	c := Configurator{base: &Config{
 		VerifyIncomingRPC: true,