-cat > /etc/openvpn/client/$name.conf <<EOF
-# From example config, from debian stretch as of 1-2017
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
+ | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+ echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+ ssh root@$host cat /tmp/vpn-mk-client-cert.log
+ exit 1
+fi
+
+
+f=/etc/openvpn/client/$name.crt
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi
+
+$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+# From example config, from debian stretch to buster