CA-399260: Keep both new and old certs during the switchover (#6223)

In host-refresh-server-certificate, host generates and applies new pool
certificate after stunnel restart. There is 5s that other hosts don't
trust the new certificate. Then operations related with xapi:pool SNI
tls connection will fail. Both the old and new certificates shall be
trusted during the switchover to avoid this. At the end of the refresh
procedure, remove_stale_cert will rename the new pem to pem and update
ca bundle.

Author: lindig

scripts/update-ca-bundle.sh

@@ -11,9 +11,16 @@ regen_bundle () {
 
   mkdir -p "$CERTS_DIR"
   CERTS=$(find "$CERTS_DIR" -not -name '*.new.pem' -name '*.pem')
+  NEW_CERTS=$(find "$CERTS_DIR" -name '*.new.pem')
 
   rm -f "$BUNDLE.tmp"
   touch "$BUNDLE.tmp"
+  for NEW_CERT in $NEW_CERTS; do
+    # If cat new cert command fails, do not error and exit, just skip it
+    if cat "$NEW_CERT" >> "$BUNDLE.tmp"; then
+      echo "" >> "$BUNDLE.tmp"
+    fi
+  done
   for CERT in $CERTS; do
     cat "$CERT" >> "$BUNDLE.tmp"
     echo ""     >> "$BUNDLE.tmp"