Move certificate setup earlier in deployment

Currently the x509 certificate setup is done after all the
openstack services have been deployed. This is OK because
none of the services require that the x509 certs exist
when they are being deployed. With the integration of TLS
into the nova novnc proxy (and later spice & serial proxy)
service, x509 certs will need to exist before Nova is
deployed.

The CA setup must thus be moved earlier in the devstack
deployment flow, prior to the setup of any services. One
part of the CA setup, however, fixes up the global cert
bundle locations and this can only be done after the
python requests module is install, thus must remain in
its current location.

Change-Id: Idcd264fb73bb88dc2f4280c53c013dfe4364afff

lib/tls

@@ -201,7 +201,6 @@ subjectAltName          = \$ENV::SUBJECT_ALT_NAME
 # Create root and intermediate CAs
 # init_CA
 function init_CA {
-    fix_system_ca_bundle_path
     # Ensure CAs are built
     make_root_CA $ROOT_CA_DIR
     make_int_CA $INT_CA_DIR $ROOT_CA_DIR

stack.sh

@@ -809,6 +809,13 @@ if is_service_enabled cinder nova; then
     install_os_brick
 fi
 
+# Setup TLS certs
+if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+    configure_CA
+    init_CA
+    init_cert
+fi
+
 # Install middleware
 install_keystonemiddleware
 
@@ -881,14 +888,9 @@ if is_service_enabled heat; then
 fi
 
 if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
-    configure_CA
-    init_CA
-    init_cert
-    # Add name to ``/etc/hosts``.
-    # Don't be naive and add to existing line!
+    fix_system_ca_bundle_path
 fi
 
-
 # Extras Install
 # --------------
 

tools/make_cert.sh

@@ -45,6 +45,7 @@ DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
 
 # Make sure the CA is set up
 configure_CA
+fix_system_ca_bundle_path
 init_CA
 
 # Create the server cert