From c30b8def82c14e161c0242307e117697e24e1ece Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Mon, 14 Nov 2016 13:23:14 +0000 Subject: [PATCH] Move certificate setup earlier in deployment Currently the x509 certificate setup is done after all the openstack services have been deployed. This is OK because none of the services require that the x509 certs exist when they are being deployed. With the integration of TLS into the nova novnc proxy (and later spice & serial proxy) service, x509 certs will need to exist before Nova is deployed. The CA setup must thus be moved earlier in the devstack deployment flow, prior to the setup of any services. One part of the CA setup, however, fixes up the global cert bundle locations and this can only be done after the python requests module is installed, thus must remain in its current location. Change-Id: Idcd264fb73bb88dc2f4280c53c013dfe4364afff --- lib/tls | 1 - stack.sh | 14 ++++++++------ tools/make_cert.sh | 1 + 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/lib/tls b/lib/tls index 40f3e81438..14cdf19d8e 100644 --- a/lib/tls +++ b/lib/tls @@ -201,7 +201,6 @@ subjectAltName = \$ENV::SUBJECT_ALT_NAME # Create root and intermediate CAs # init_CA function init_CA { - fix_system_ca_bundle_path # Ensure CAs are built make_root_CA $ROOT_CA_DIR make_int_CA $INT_CA_DIR $ROOT_CA_DIR diff --git a/stack.sh b/stack.sh index 54485b60b9..f20c9d9ae3 100755 --- a/stack.sh +++ b/stack.sh @@ -809,6 +809,13 @@ if is_service_enabled cinder nova; then install_os_brick fi +# Setup TLS certs +if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then + configure_CA + init_CA + init_cert +fi + # Install middleware install_keystonemiddleware 
@@ -881,14 +888,9 @@ if is_service_enabled heat; then fi if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then - configure_CA - init_CA - init_cert - # Add name to ``/etc/hosts``. - # Don't be naive and add to existing line! + fix_system_ca_bundle_path fi - # Extras Install # -------------- diff --git a/tools/make_cert.sh b/tools/make_cert.sh index 2628b40524..e91464fc0f 100755 --- a/tools/make_cert.sh +++ b/tools/make_cert.sh @@ -45,6 +45,7 @@ DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem # Make sure the CA is set up configure_CA +fix_system_ca_bundle_path init_CA # Create the server cert
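Review bot: In the lib/tls hunk, init_CA drops its call to fix_system_ca_bundle_path, but the comment above the function ("Create root and intermediate CAs") gives no hint that callers are now responsible for it. stack.sh and tools/make_cert.sh are updated in this patch; any other caller of init_CA would silently stop getting the bundle path fix-up. Suggest a one-line comment above init_CA stating that fix_system_ca_bundle_path must be called separately, once the python requests module is installed.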
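Review bot: In the stack.sh hunk at -809, the new block's comment "# Setup TLS certs" does not record the ordering constraint that motivates the move, so a later reshuffle of stack.sh could put the block back after service setup without anyone noticing. Suggest saying in the comment that the certs must exist before any service is deployed. The test `is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]` now appears twice in stack.sh (here and in the -881 hunk); a small helper or a shared variable would keep the two from drifting apart.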
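Review bot: In the stack.sh hunk at -881, the block that remains calls only fix_system_ca_bundle_path and carries no comment, so the reason it stays at this point in the flow lives only in the commit message. Suggest a comment saying that the bundle path fix-up depends on the python requests module being installed and therefore cannot move up with the rest of the CA setup. The hunk also deletes the blank line before "# Extras Install", which looks like an unrelated whitespace change and could be dropped.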
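Review bot: In the tools/make_cert.sh hunk, fix_system_ca_bundle_path is called before init_CA, whereas stack.sh after this patch runs init_CA and init_cert first and fix_system_ca_bundle_path much later. If the relative order does not matter, a short comment here saying so would avoid confusion; if it does matter, the two callers should agree. The script also shows no check that the python requests module is present before the call, which the commit message gives as the precondition for this step.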