+if ! $rel; then
+ $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+fi
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+ cert_to_test=$(mktemp)
+ ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+ if [[ $client_host ]]; then
+ prefix="$shell"
+ fi
+ if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+ echo "$0: cert already exists. exiting early"
+ fi
+ exit 0
+fi
+
+if ! $rel; then
+ dirarg="-C $keydir"
+fi
+
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+hostssh="ssh $arg root@$host"
+if ! $hostssh bash -s -- $server_name $common_name < $this_dir/client-cert-helper \
+ | $shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
+ echo $hostssh cat /tmp/vpn-mk-client-cert.log:
+ $hostssh cat /tmp/vpn-mk-client-cert.log
+ echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+ exit 1
+fi
+
+
+
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi