Rerunning stack.sh after a failure unrelated to SSL setup fails
because the certificates already exist in the CA index. Skip regenerating
them in that case. This is a workaround that makes devstack development easier,
rather than something a typical user would run into.
Change-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f
... | ... |
@@ -231,31 +231,34 @@ function make_cert { |
231 | 231 |
local common_name=$3 |
232 | 232 |
local alt_names=$4 |
233 | 233 |
|
234 |
- # Generate a signing request |
|
235 |
- $OPENSSL req \ |
|
236 |
- -sha1 \ |
|
237 |
- -newkey rsa \ |
|
238 |
- -nodes \ |
|
239 |
- -keyout $ca_dir/private/$cert_name.key \ |
|
240 |
- -out $ca_dir/$cert_name.csr \ |
|
241 |
- -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" |
|
242 |
- |
|
243 |
- if [[ -z "$alt_names" ]]; then |
|
244 |
- alt_names="DNS:${common_name}" |
|
245 |
- else |
|
246 |
- alt_names="DNS:${common_name},${alt_names}" |
|
247 |
- fi |
|
234 |
+ # Only generate the certificate if it doesn't exist yet on the disk |
|
235 |
+ if [ ! -r "$ca_dir/$cert_name.crt" ]; then |
|
236 |
+ # Generate a signing request |
|
237 |
+ $OPENSSL req \ |
|
238 |
+ -sha1 \ |
|
239 |
+ -newkey rsa \ |
|
240 |
+ -nodes \ |
|
241 |
+ -keyout $ca_dir/private/$cert_name.key \ |
|
242 |
+ -out $ca_dir/$cert_name.csr \ |
|
243 |
+ -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" |
|
244 |
+ |
|
245 |
+ if [[ -z "$alt_names" ]]; then |
|
246 |
+ alt_names="DNS:${common_name}" |
|
247 |
+ else |
|
248 |
+ alt_names="DNS:${common_name},${alt_names}" |
|
249 |
+ fi |
|
248 | 250 |
|
249 |
- # Sign the request valid for 1 year |
|
250 |
- SUBJECT_ALT_NAME="$alt_names" \ |
|
251 |
- $OPENSSL ca -config $ca_dir/signing.conf \ |
|
252 |
- -extensions req_extensions \ |
|
253 |
- -days 365 \ |
|
254 |
- -notext \ |
|
255 |
- -in $ca_dir/$cert_name.csr \ |
|
256 |
- -out $ca_dir/$cert_name.crt \ |
|
257 |
- -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \ |
|
258 |
- -batch |
|
251 |
+ # Sign the request valid for 1 year |
|
252 |
+ SUBJECT_ALT_NAME="$alt_names" \ |
|
253 |
+ $OPENSSL ca -config $ca_dir/signing.conf \ |
|
254 |
+ -extensions req_extensions \ |
|
255 |
+ -days 365 \ |
|
256 |
+ -notext \ |
|
257 |
+ -in $ca_dir/$cert_name.csr \ |
|
258 |
+ -out $ca_dir/$cert_name.crt \ |
|
259 |
+ -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \ |
|
260 |
+ -batch |
|
261 |
+ fi |
|
259 | 262 |
} |
260 | 263 |
|
261 | 264 |
|
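Review bot: The new guard in make_cert, `if [ ! -r "$ca_dir/$cert_name.crt" ]`, tests only that the certificate file is readable, so a rerun also skips generation when the matching `$ca_dir/private/$cert_name.key` is missing or when an interrupted run left an empty `.crt` behind. Testing both files for non-zero size would catch that: `if [[ ! -s "$ca_dir/$cert_name.crt" || ! -s "$ca_dir/private/$cert_name.key" ]]; then`. The reused certificate is also never compared with the current `common_name` and `alt_names`, and its 365-day validity is not rechecked, so the comment above the guard should state those limits. The guard added in make_int_CA has the same shape, and make_cert itself begins above this hunk.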
... | ... |
@@ -270,23 +273,25 @@ function make_int_CA { |
270 | 270 |
create_CA_config $ca_dir 'Intermediate CA' |
271 | 271 |
create_signing_config $ca_dir |
272 | 272 |
|
273 |
- # Create a signing certificate request |
|
274 |
- $OPENSSL req -config $ca_dir/ca.conf \ |
|
275 |
- -sha1 \ |
|
276 |
- -newkey rsa \ |
|
277 |
- -nodes \ |
|
278 |
- -keyout $ca_dir/private/cacert.key \ |
|
279 |
- -out $ca_dir/cacert.csr \ |
|
280 |
- -outform PEM |
|
281 |
- |
|
282 |
- # Sign the intermediate request valid for 1 year |
|
283 |
- $OPENSSL ca -config $signing_ca_dir/ca.conf \ |
|
284 |
- -extensions ca_extensions \ |
|
285 |
- -days 365 \ |
|
286 |
- -notext \ |
|
287 |
- -in $ca_dir/cacert.csr \ |
|
288 |
- -out $ca_dir/cacert.pem \ |
|
289 |
- -batch |
|
273 |
+ if [ ! -r "$ca_dir/cacert.pem" ]; then |
|
274 |
+ # Create a signing certificate request |
|
275 |
+ $OPENSSL req -config $ca_dir/ca.conf \ |
|
276 |
+ -sha1 \ |
|
277 |
+ -newkey rsa \ |
|
278 |
+ -nodes \ |
|
279 |
+ -keyout $ca_dir/private/cacert.key \ |
|
280 |
+ -out $ca_dir/cacert.csr \ |
|
281 |
+ -outform PEM |
|
282 |
+ |
|
283 |
+ # Sign the intermediate request valid for 1 year |
|
284 |
+ $OPENSSL ca -config $signing_ca_dir/ca.conf \ |
|
285 |
+ -extensions ca_extensions \ |
|
286 |
+ -days 365 \ |
|
287 |
+ -notext \ |
|
288 |
+ -in $ca_dir/cacert.csr \ |
|
289 |
+ -out $ca_dir/cacert.pem \ |
|
290 |
+ -batch |
|
291 |
+ fi |
|
290 | 292 |
} |
291 | 293 |
|
292 | 294 |
# Make a root CA to sign other CAs |
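Review bot: In make_int_CA the existence test on `$ca_dir/cacert.pem` does not confirm that the kept intermediate was issued by the CA currently in `$signing_ca_dir`, so if the signing CA is recreated while the intermediate directory survives, certificates issued afterwards would chain to a stale issuer. Running `$OPENSSL verify -CAfile <signing CA certificate> "$ca_dir/cacert.pem"` before taking the skip branch would detect that; the signing CA's certificate path is not visible in this hunk, hence the placeholder. The guard here also has no comment, unlike the one in make_cert; something like `# Reuse an existing intermediate CA certificate so reruns of stack.sh do not fail on the CA index` would document it. The function starts above the hunk.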