move test earlier to avoid unneeded ssh
authorIan Kelling <iank@fsf.org>
Tue, 12 Oct 2021 10:04:41 +0000 (06:04 -0400)
committerIan Kelling <iank@fsf.org>
Tue, 12 Oct 2021 10:04:41 +0000 (06:04 -0400)
vpn-mk-client-cert

index 014008dbe21a5b87be52bc3a36ca703a918fe55e..46d9dbadba45ab80227986cec3b11422c9338324 100755 (executable)
@@ -127,8 +127,25 @@ else
   keydir=/etc/openvpn/client
 fi
 
-port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
+if ! $force; then
+  cert_to_test=$f
+  if [[ $client_host ]]; then
+    cert_to_test=$(mktemp)
+    ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+  fi
+  if openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+    if [[ $client_host ]]; then
+      prefix="$shell"
+    fi
+    if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+      echo "$0: cert already exists. exiting early"
+    fi
+    exit 0
+  fi
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
 $shell "dd of=$keydir/$name.conf" <<EOF
 # From example config, from debian stretch to buster
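Review bot: The temporary file created by `cert_to_test=$(mktemp)` in the new early-exit block is never removed, so every run against a `client_host` leaves a copy of the fetched certificate in the temp directory, including on the `exit 0` path the block ends with; the same leak existed before the move, but the commit is the natural place to close it. Adding `trap 'rm -f -- "$cert_to_test"' EXIT` right after the `mktemp` line (inside the `[[ $client_host ]]` branch only, since otherwise `$cert_to_test` is the real `$f`) would clean it up on every exit; if the script installs another EXIT trap elsewhere, that would need to be merged rather than overwritten. A second point on the same block: `exit 0` sits outside the inner `if $prefix test -s ...` check, so a still-valid certificate with a missing `ta-$name.key` or `ca-$name.crt` exits silently without regenerating anything; if the intent is to only skip work when all three files are present, the `exit 0` belongs inside that inner `if`. The surrounding script continues outside the hunk, so whether `set -u` is active (which would make an unset `$prefix` fatal in the no-`client_host` case) cannot be judged from here.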
@@ -185,21 +202,6 @@ if ! $rel; then
   $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
 fi
 
-cert_to_test=$f
-if [[ $client_host ]]; then
-  cert_to_test=$(mktemp)
-  ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
-fi
-if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
-  if [[ $client_host ]]; then
-    prefix="$shell"
-  fi
-  if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
-    echo "$0: cert already exists. exiting early"
-  fi
-  exit 0
-fi
-
 if ! $rel; then
   dirarg="-C $keydir"
 fi