Don't make root CA if it exists

To support multinode testing where we just copy the CA to all the instances don't remake the CA if it already exists. The end result is that you can trusty a single chain and all your clients will be happy regardless of which host they are talking to. Change-Id: I90892e6828a59fa37af717361a2f1eed15a87ae4
2016-09-23 13:33:40 -07:00 · 2016-09-23 13:33:40 -07:00 · 323b726783
commit 323b726783
parent a2d1848419
1 changed files with 12 additions and 10 deletions
--- a/lib/tls
+++ b/lib/tls
@ -322,15 +322,17 @@ function make_root_CA {
    create_CA_base $ca_dir
    create_CA_config $ca_dir 'Root CA'

-    # Create a self-signed certificate valid for 5 years
-    $OPENSSL req -config $ca_dir/ca.conf \
-        -x509 \
-        -nodes \
-        -newkey rsa \
-        -days 21360 \
-        -keyout $ca_dir/private/cacert.key \
-        -out $ca_dir/cacert.pem \
-        -outform PEM
+    if [ ! -r "$ca_dir/cacert.pem" ]; then
+        # Create a self-signed certificate valid for 5 years
+        $OPENSSL req -config $ca_dir/ca.conf \
+            -x509 \
+            -nodes \
+            -newkey rsa \
+            -days 21360 \
+            -keyout $ca_dir/private/cacert.key \
+            -out $ca_dir/cacert.pem \
+            -outform PEM
+    fi
 }

 # If a non-system python-requests is installed then it will use the
@ -507,7 +509,7 @@ function cleanup_CA {
        sudo update-ca-certificates
    fi

-    rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
+    rm -rf "$INT_CA_DIR" "$ROOT_CA_DIR" "$DEVSTACK_CERT"
 }

 # Tell emacs to use shell-script-mode