From b3fa778d9139a029d85fa2b5cf00ef8f108b9fed Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Thu, 17 Jun 2021 18:59:53 -0400
Subject: [PATCH] tlsutil: fix a panic

UpdateAutoTLSCA would panic if either of the calls errored, because the read lock was being unlocked incorrectly.
---
 tlsutil/config.go | 2 --
 tlsutil/config_test.go | 15 ++++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/tlsutil/config.go b/tlsutil/config.go
index 63c1d7d9d3..1a26f7113a 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -268,11 +268,9 @@ func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {

 pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...))
 if err != nil {
- c.lock.RUnlock()
 return err
 }
 if err = c.check(*c.base, pool, c.manual.cert); err != nil {
- c.lock.RUnlock()
 return err
 }
 c.autoTLS.connectCAPems = connectCAPems
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index 7287d8628b..571ff8113e 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@@ -11,9 +11,11 @@ import (
 "strings"
 "testing"

- "github.com/hashicorp/consul/sdk/testutil"
+ "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/yamux"
 "github.com/stretchr/testify/require"
+
+ "github.com/hashicorp/consul/sdk/testutil"
 )

 func startRPCTLSServer(config *Config) (net.Conn, chan error) {
@@ -831,6 +833,17 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
 })
 }

+func TestConfigurator_UpdateAutoTLSCA_DoesNotPanic(t *testing.T) {
+ config := Config{
+ Domain: "consul",
+ }
+ c, err := NewConfigurator(config, hclog.New(nil))
+ require.NoError(t, err)
+
+ err = c.UpdateAutoTLSCA([]string{"invalid pem"})
+ require.Error(t, err)
+}
+
 func TestConfigurator_VerifyIncomingRPC(t *testing.T) {
 c := Configurator{base: &Config{
 VerifyIncomingRPC: true,
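Review bot: TestConfigurator_UpdateAutoTLSCA_DoesNotPanic exercises only one of the two error returns fixed in tlsutil/config.go: `"invalid pem"` presumably fails in `pool(...)`, so the `c.check(...)` branch that carried the same stray `c.lock.RUnlock()` stays uncovered. The test also stops at `require.Error(t, err)`, which would still pass if a failed update left the lock held (the locking itself is outside the hunk, so this is inferred). Because this path decides whether a rejected CA bundle is kept out of the trust pool, consider repeating the call, `err = c.UpdateAutoTLSCA([]string{"invalid pem"})` followed by `require.Error(t, err)`, so an unreleased lock shows up as a hang, and adding a case whose PEMs parse but fail `c.check`. A short comment above the test such as `// Regression test: the error returns of UpdateAutoTLSCA used to call c.lock.RUnlock and panic.` would record why it exists.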