From cc072fd32f72d4f05257d0b0c8c7c41fa1178f52 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Wed, 31 May 2017 20:27:59 -0700
Subject: [PATCH] Run devstack CA and cert setup early

Previously apache was configured and restarted before we configured
the CA and certs. In most cases this is fine because those specific
vhosts didn't use tls. However, if you had previously run devstack
and had leftover vhosts and an unconfigured CA or certs devstack would
fail.

This is a small corner case, but its simple to address by moving CA and
cert setup up in stack.sh to before we do anything related to web
servers.

Change-Id: I31dbaf9471088b9faff26c7b790da6f6feebb2d5
---
 stack.sh | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/stack.sh b/stack.sh
index dfc9d24f51..0d7e623c78 100755
--- a/stack.sh
+++ b/stack.sh
@@ -833,6 +833,18 @@ if is_service_enabled etcd3; then
     install_etcd3
 fi
 
+# Setup TLS certs
+# ---------------
+
+# Do this early, before any webservers are set up to ensure
+# we don't run into problems with missing certs when apache
+# is restarted.
+if is_service_enabled tls-proxy; then
+    configure_CA
+    init_CA
+    init_cert
+fi
+
 # Check Out and Install Source
 # ----------------------------
 
@@ -857,13 +869,6 @@ if is_service_enabled neutron nova horizon; then
     install_neutronclient
 fi
 
-# Setup TLS certs
-if is_service_enabled tls-proxy; then
-    configure_CA
-    init_CA
-    init_cert
-fi
-
 # Install middleware
 install_keystonemiddleware