From cc9a81103bad1fcfd8a3af213d773b328df5e4d2 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 4 Nov 2025 15:51:22 -0500
Subject: [PATCH] Do not autosign if the corresponding cryptography is unavailable

We use cryptography verification, but it's relatively new. For compatibility, we fall back to fingerprint only. This is pretty bad when inflicted on unsuspecting users on autosign, so skip autosign if cert validation would break.
---
 confluent_server/confluent/discovery/core.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/discovery/core.py b/confluent_server/confluent/discovery/core.py
index 1e7aed8d..c8018110 100644
--- a/confluent_server/confluent/discovery/core.py
+++ b/confluent_server/confluent/discovery/core.py
@@ -107,6 +107,11 @@ try:
 except NameError:
     unicode = str
 
+try:
+    import cryptography.x509.verification as verification
+except ImportError:
+    verification = None
+
 class nesteddict(dict):
     def __missing__(self, key):
@@ -1486,7 +1491,7 @@ def discover_node(cfg, handler, info, nodename, manual):
         subprocess.check_call(['/opt/confluent/bin/nodeconfig', nodename] + nodeconfig)
     log.log({'info': 'Configured {0} ({1})'.format(nodename, handler.devname)})
-    if handler.current_cert_self_signed():
+    if verification and handler.current_cert_self_signed():
         handler.autosign_certificate()
     info['discostatus'] = 'discovered'
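Review bot: The `verification` name bound by the new try/except doubles as a feature flag that discover_node tests for truthiness, but nothing at the import site records that contract. Add `# None when cryptography's X.509 verification API is unavailable; discover_node skips autosign in that case` above the `try:` so the next reader does not treat it as an ordinary module alias. Because the same name is either a module or None, any later attribute access on it must stay behind the same guard, which the comment should also make clear.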
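Review bot: When `verification` is None the changed line skips autosign silently, so an operator only learns the node's certificate was left self-signed when something downstream fails to validate it; the surrounding code already logs the successful configuration, so the skipped path deserves a record too, e.g. `elif handler.current_cert_self_signed(): log.log({'info': 'Not autosigning certificate for {0}: cryptography x509 verification unavailable'.format(nodename)})`. The guard also reads as a truthiness test on a module object; `verification is not None and handler.current_cert_self_signed()` states the intent more plainly. discover_node begins before this hunk and its body likely continues past it.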