From 75d88abbb6f65bb48b87540f5a57bbef5f10fbd5 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 10 Nov 2017 18:16:50 -0500
Subject: [PATCH] Make -client-cert and -client-key work when the server doesn't know (#3568) about the CA used to sign the cert. Stop swallowing an error in meta. Fixes #2946
---
 api/client.go | 7 ++++++-
 meta/meta.go | 4 +++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/api/client.go b/api/client.go
index 2dc3911be5..684b549f26 100644
--- a/api/client.go
+++ b/api/client.go
@@ -177,7 +177,12 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error {
 }
 
 if foundClientCert {
- clientTLSConfig.Certificates = []tls.Certificate{clientCert}
+ // We use this function to ignore the server's preferential list of
+ // CAs, otherwise any CA used for the cert auth backend must be in the
+ // server's CA pool
+ clientTLSConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ return &clientCert, nil
+ }
 }
 
 if t.TLSServerName != "" {
diff --git a/meta/meta.go b/meta/meta.go
index dcb9f7f3d5..b25bfaf462 100644
--- a/meta/meta.go
+++ b/meta/meta.go
@@ -95,7 +95,9 @@ func (m *Meta) Client() (*api.Client, error) {
 TLSServerName: "",
 Insecure: m.flagInsecure,
 }
- config.ConfigureTLS(t)
+ if err := config.ConfigureTLS(t); err != nil {
+ return nil, err
+ }
 }
 
 // Build the client
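Review bot: The callback assigned to GetClientCertificate in the api/client.go hunk returns clientCert unconditionally, so the certificate is now presented to any server that requests client auth, even one whose AcceptableCAs list does not include the issuer; that is the intended fix, but the comment should state it plainly, and it should also record that once GetClientCertificate is set crypto/tls ignores the Certificates field for client auth, so any other code that inspects clientTLSConfig.Certificates (none is visible in this hunk) will no longer see the cert. GetClientCertificate and tls.CertificateRequestInfo exist only from Go 1.8, so the project's minimum Go version needs to be at least that — worth confirming against the build configuration. I would replace the three-line comment with: `// GetClientCertificate (Go 1.8+) supersedes Certificates for client auth. Returning clientCert unconditionally presents it even when its issuer is absent from the server's AcceptableCAs, since the cert auth backend validates against its own configured CAs rather than the listener's pool; note the cert is therefore offered to any server that asks for one.` ConfigureTLS begins and ends outside the hunk.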
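Review bot: The error returned from ConfigureTLS in the meta/meta.go hunk is passed up bare, so a user who points a CA or client-cert flag at an unreadable or malformed file gets whatever message the api package produces with no indication that it came from the CLI's TLS flag handling; wrapping it at this layer would make that clear, e.g. `return nil, fmt.Errorf("error configuring TLS from command-line flags: %s", err)` (match whatever wrapping idiom the rest of meta.go uses; fmt is not visible in this hunk, so it may need importing). Since this path now fails closed where it previously continued with a partially configured client, a short comment such as `// A TLS misconfiguration must abort rather than silently fall back to defaults.` above the check would keep the next maintainer from "simplifying" it back. The enclosing if block and Client() both begin outside the hunk.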