canonical · OddBloke · Jul 15, 2020 · Jul 8, 2020 · Jul 9, 2020 · Jul 14, 2020
diff --git a/cloudinit/config/cc_ca_certs.py b/cloudinit/config/cc_ca_certs.py
@@ -67,13 +67,19 @@ def add_ca_certs(certs):
         cert_file_contents = "\n".join([str(c) for c in certs])
         util.write_file(CA_CERT_FULL_PATH, cert_file_contents, mode=0o644)
 
-        # Append cert filename to CA_CERT_CONFIG file.
-        # We have to strip the content because blank lines in the file
-        # causes subsequent entries to be ignored. (LP: #1077020)
-        orig = util.load_file(CA_CERT_CONFIG)
-        cur_cont = '\n'.join([line for line in orig.splitlines()
-                              if line != CA_CERT_FILENAME])
-        out = "%s\n%s\n" % (cur_cont.rstrip(), CA_CERT_FILENAME)
+        if os.stat(CA_CERT_CONFIG).st_size == 0:
+            # If the CA_CERT_CONFIG file is empty (i.e. all existing
+            # CA certs have been deleted) then simply output a single
+            # line with the cloud-init cert filename.
+            out = "%s\n" % CA_CERT_FILENAME
+        else:
+            # Append cert filename to CA_CERT_CONFIG file.
+            # We have to strip the content because blank lines in the file
+            # causes subsequent entries to be ignored. (LP: #1077020)
+            orig = util.load_file(CA_CERT_CONFIG)
+            cur_cont = '\n'.join([line for line in orig.splitlines()
+                                  if line != CA_CERT_FILENAME])
+            out = "%s\n%s\n" % (cur_cont.rstrip(), CA_CERT_FILENAME)
         util.write_file(CA_CERT_CONFIG, out, omode="wb")
 
 

diff --git a/tests/unittests/test_handler/test_handler_ca_certs.py b/tests/unittests/test_handler/test_handler_ca_certs.py
@@ -201,6 +201,28 @@ def test_single_cert_no_trailing_cr(self):
 
             mock_load.assert_called_once_with("/etc/ca-certificates.conf")
 
+    def test_single_cert_to_empty_existing_ca_file(self):
+        """Test adding a single certificate to the trusted CAs
+        when existing ca-certificates.conf is empty"""
+        cert = "CERT1\nLINE2\nLINE3"
+
+        expected = "cloud-init-ca-certs.crt\n"
+
+        with ExitStack() as mocks:
+            mock_write = mocks.enter_context(
+                mock.patch.object(util, 'write_file'))
-            mock_write = mocks.enter_context(
-                mock.patch.object(util, 'write_file'))
+            mock_write = mocks.enter_context(
+                mock.patch.object(util, 'write_file', autospec=True))
-            mock_write = mocks.enter_context(
-                mock.patch.object(util, 'write_file'))
+            mock_write = mocks.enter_context(
+                mock.patch.object(util, 'write_file', autospec=True))
+            mock_stat = mocks.enter_context(
+                mock.patch("cloudinit.config.cc_ca_certs.os.stat")
+            )
+            mock_stat.return_value.st_size = 0
+
+            cc_ca_certs.add_ca_certs([cert])
+
+            mock_write.assert_has_calls([
+                mock.call("/usr/share/ca-certificates/cloud-init-ca-certs.crt",
+                          cert, mode=0o644),
+                mock.call("/etc/ca-certificates.conf", expected, omode="wb")])
+
     def test_multiple_certs(self):
         """Test adding multiple certificates to the trusted CAs."""
         certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"]