update config even if we already have cert

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index ec68484274dfe85bef00136fc6bbada7220180c4..74211784f79e62c3a492fadae04d608a6c241069 100755 (executable)
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -106,37 +106,6 @@ host=$1
 
 f=/etc/openvpn/client/$name.crt
 
-cert_to_test=$f
-if [[ $client_host ]]; then
-  cert_to_test=$(mktemp)
-  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
-fi
-if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
-  echo "$0: cert already exists. exiting early"
-  exit 0
-fi
-
-
-# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
-if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
-    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
-  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
-  ssh root@$host cat /tmp/vpn-mk-client-cert.log
-  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
-  exit 1
-fi
-
-port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
-
-
-if ! $shell "test -s $f"; then
-  # if common name is not unique, you get empty file. and if we didn't silence
-  # build-key, you'd see an error "TXT_DB error number 2"
-  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
-  exit 1
-fi
-
 $shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
 # From example config, from debian stretch to buster
 client
@@ -189,3 +158,35 @@ EOF
 fi
 
 $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+  cert_to_test=$(mktemp)
+  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+  echo "$0: cert already exists. exiting early"
+  exit 0
+fi
+
+
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
+    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+  ssh root@$host cat /tmp/vpn-mk-client-cert.log
+  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+  exit 1
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+
+
+if ! $shell "test -s $f"; then
+  # if common name is not unique, you get empty file. and if we didn't silence
+  # build-key, you'd see an error "TXT_DB error number 2"
+  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+  exit 1
+fi