Skip to content

Commit 2f69c6b

Browse files
committed
Don't try to regenerate existing ssl certificates
Rerunning stack.sh after some failure unrelated to ssl setup will fail due to certificates already existing in the CA index. Don't regenerate them instead. This is a workaround making devstack development easier rather than something typical user would run into. Change-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f
1 parent c6dc3de commit 2f69c6b

1 file changed

Lines changed: 46 additions & 41 deletions

File tree

lib/tls

Lines changed: 46 additions & 41 deletions
Original file line numberDiff line numberDiff line change
@@ -231,31 +231,34 @@ function make_cert {
231231
local common_name=$3
232232
local alt_names=$4
233233

234-
# Generate a signing request
235-
$OPENSSL req \
236-
-sha1 \
237-
-newkey rsa \
238-
-nodes \
239-
-keyout $ca_dir/private/$cert_name.key \
240-
-out $ca_dir/$cert_name.csr \
241-
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
242-
243-
if [[ -z "$alt_names" ]]; then
244-
alt_names="DNS:${common_name}"
245-
else
246-
alt_names="DNS:${common_name},${alt_names}"
247-
fi
234+
# Only generate the certificate if it doesn't exist yet on the disk
235+
if [ ! -r "$ca_dir/$cert_name.crt" ]; then
236+
# Generate a signing request
237+
$OPENSSL req \
238+
-sha1 \
239+
-newkey rsa \
240+
-nodes \
241+
-keyout $ca_dir/private/$cert_name.key \
242+
-out $ca_dir/$cert_name.csr \
243+
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
244+
245+
if [[ -z "$alt_names" ]]; then
246+
alt_names="DNS:${common_name}"
247+
else
248+
alt_names="DNS:${common_name},${alt_names}"
249+
fi
248250

249-
# Sign the request valid for 1 year
250-
SUBJECT_ALT_NAME="$alt_names" \
251-
$OPENSSL ca -config $ca_dir/signing.conf \
252-
-extensions req_extensions \
253-
-days 365 \
254-
-notext \
255-
-in $ca_dir/$cert_name.csr \
256-
-out $ca_dir/$cert_name.crt \
257-
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
258-
-batch
251+
# Sign the request valid for 1 year
252+
SUBJECT_ALT_NAME="$alt_names" \
253+
$OPENSSL ca -config $ca_dir/signing.conf \
254+
-extensions req_extensions \
255+
-days 365 \
256+
-notext \
257+
-in $ca_dir/$cert_name.csr \
258+
-out $ca_dir/$cert_name.crt \
259+
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
260+
-batch
261+
fi
259262
}
260263

261264

@@ -270,23 +273,25 @@ function make_int_CA {
270273
create_CA_config $ca_dir 'Intermediate CA'
271274
create_signing_config $ca_dir
272275

273-
# Create a signing certificate request
274-
$OPENSSL req -config $ca_dir/ca.conf \
275-
-sha1 \
276-
-newkey rsa \
277-
-nodes \
278-
-keyout $ca_dir/private/cacert.key \
279-
-out $ca_dir/cacert.csr \
280-
-outform PEM
281-
282-
# Sign the intermediate request valid for 1 year
283-
$OPENSSL ca -config $signing_ca_dir/ca.conf \
284-
-extensions ca_extensions \
285-
-days 365 \
286-
-notext \
287-
-in $ca_dir/cacert.csr \
288-
-out $ca_dir/cacert.pem \
289-
-batch
276+
if [ ! -r "$ca_dir/cacert.pem" ]; then
277+
# Create a signing certificate request
278+
$OPENSSL req -config $ca_dir/ca.conf \
279+
-sha1 \
280+
-newkey rsa \
281+
-nodes \
282+
-keyout $ca_dir/private/cacert.key \
283+
-out $ca_dir/cacert.csr \
284+
-outform PEM
285+
286+
# Sign the intermediate request valid for 1 year
287+
$OPENSSL ca -config $signing_ca_dir/ca.conf \
288+
-extensions ca_extensions \
289+
-days 365 \
290+
-notext \
291+
-in $ca_dir/cacert.csr \
292+
-out $ca_dir/cacert.pem \
293+
-batch
294+
fi
290295
}
291296

292297
# Make a root CA to sign other CAs

0 commit comments

Comments
 (0)