can't generate.
-c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
+-f Force. Proceed even if cert already exists.
-n CONFIG_NAME default is client
-o SERVER_CONFIG_NAME Default is CONFIG_NAME
-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path
custom_script=false
script=/etc/openvpn/update-resolv-conf
client_host=$CLIENT_HOST
+force=false
-temp=$(getopt -l help hb:c:n:o:s: "$@") || usage 1
+temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-b) common_name="$2"; shift 2 ;;
-c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+ -f) force=true; shift ;;
-n) name="$2"; shift 2 ;;
-o) server_name="$2"; shift 2 ;;
-s) custom_script=true; script="$2"; shift 2 ;;
####### end command line parsing and checking ##############
+
+f=/etc/openvpn/client/$name.crt
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+ cert_to_test=$(mktemp)
+ ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+ echo "$0: cert already exists. exiting early"
+ exit 0
+fi
+
+
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
-f=/etc/openvpn/client/$name.crt
if ! $shell "test -s $f"; then
# if common name is not unique, you get empty file. and if we didn't silence
# build-key, you'd see an error "TXT_DB error number 2"