communicator: don't set bastion cert if key is set
When attempting to set the bastion key/certificate for authenticating
with the bastion, we generally fall back to the ones defined by the SSH
configuration.

However, if the bastion SSH key is set, and not the certificate, but the
SSH connection's are, since the conditions are separate, we end up in a
situation where the bastion's SSH key uses the one from the config, and
the certificate falls back to the one from the SSH connection.

This in turn fails, as the certificate's public key matches the private
key from the SSH connection, and not the bastion's.

To avoid a situation like this, we only fall back to the SSH connection's
certificate if the bastion's SSH key isn't set.
lbajolet-hashicorp committed Apr 19, 2023
1 parent 9b87bcd commit 3681f1e
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions communicator/config.go
Expand Up @@ -503,12 +503,12 @@ func (c *Config) prepareSSH(ctx *interpolate.Context) []error {

if c.SSHBastionPrivateKeyFile == "" && c.SSHPrivateKeyFile != "" {
c.SSHBastionPrivateKeyFile = c.SSHPrivateKeyFile
}

if c.SSHBastionCertificateFile == "" && c.SSHCertificateFile != "" {
c.SSHBastionCertificateFile = c.SSHCertificateFile
// Only try to set the bastion certificate to the ssh certificate if the bastion private key isn't set
if c.SSHBastionCertificateFile == "" && c.SSHCertificateFile != "" {
c.SSHBastionCertificateFile = c.SSHCertificateFile
}
}

}

if c.SSHProxyHost != "" {
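Review bot: The nested check `if c.SSHBastionCertificateFile == "" && c.SSHCertificateFile != ""` closes only one direction of the key/certificate mismatch. When `SSHBastionCertificateFile` is set but `SSHBastionPrivateKeyFile` is empty, the outer branch still assigns `c.SSHBastionPrivateKeyFile = c.SSHPrivateKeyFile`, so the bastion's own certificate gets paired with the connection's private key, which is the same kind of mismatch the commit message describes. Since `prepareSSH` returns `[]error`, consider appending an error for that combination (bastion certificate set without a bastion key) instead of inheriting the key silently. The commit also changes only communicator/config.go, so a test covering the bastion-key-set, bastion-certificate-unset configuration would guard against this regressing.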