From 323b726783d6d4ef24a0c9f0d7c77b9e8b152c61 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 23 Sep 2016 13:33:40 -0700 Subject: [PATCH] Don't make root CA if it exists To support multinode testing where we just copy the CA to all the instances don't remake the CA if it already exists. The end result is that you can trusty a single chain and all your clients will be happy regardless of which host they are talking to. Change-Id: I90892e6828a59fa37af717361a2f1eed15a87ae4
---
 lib/tls | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/lib/tls b/lib/tls
index 2c4e18d388..2443d7d31d 100644
--- a/lib/tls
+++ b/lib/tls
@@ -322,15 +322,17 @@ function make_root_CA {
 create_CA_base $ca_dir
 create_CA_config $ca_dir 'Root CA'
- # Create a self-signed certificate valid for 5 years
- $OPENSSL req -config $ca_dir/ca.conf \
- -x509 \
- -nodes \
- -newkey rsa \
- -days 21360 \
- -keyout $ca_dir/private/cacert.key \
- -out $ca_dir/cacert.pem \
- -outform PEM
+ if [ ! -r "$ca_dir/cacert.pem" ]; then
+ # Create a self-signed certificate valid for 5 years
+ $OPENSSL req -config $ca_dir/ca.conf \
+ -x509 \
+ -nodes \
+ -newkey rsa \
+ -days 21360 \
+ -keyout $ca_dir/private/cacert.key \
+ -out $ca_dir/cacert.pem \
+ -outform PEM
+ fi
 }
 # If a non-system python-requests is installed then it will use the
@@ -507,7 +509,7 @@ function cleanup_CA {
 sudo update-ca-certificates
 fi
- rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
+ rm -rf "$INT_CA_DIR" "$ROOT_CA_DIR" "$DEVSTACK_CERT"
 }
 # Tell emacs to use shell-script-mode
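Review bot: The new guard in make_root_CA tests only that `$ca_dir/cacert.pem` is readable, so a directory holding the certificate but not `$ca_dir/private/cacert.key` is treated as a complete CA, and any later signing with the root key would presumably fail far from the cause. Checking both files, e.g. `if [ ! -r "$ca_dir/cacert.pem" ] || [ ! -r "$ca_dir/private/cacert.key" ]; then`, or failing loudly when only one of them is present, keeps a half-copied CA from being reused silently. `create_CA_base` and `create_CA_config` still run before the guard; their bodies are outside the hunk, so it is worth confirming they do not rewrite state that belongs to a copied-in CA. The re-indented comment says 5 years while `-days 21360` is roughly 58 years; `# Create a self-signed certificate valid for 21360 days` would match the command. make_root_CA starts above the hunk.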
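Review bot: cleanup_CA no longer removes `$DATA_DIR/CA` itself, only `$INT_CA_DIR` and `$ROOT_CA_DIR`, whose definitions are not visible in this hunk. If those default to subdirectories of `$DATA_DIR/CA`, the parent directory and anything else written under it (possibly key material) now survives cleanup; if they can be overridden, `rm -rf` follows the override wherever it points. A short comment such as `# Remove only the CA dirs; they may live outside $DATA_DIR/CA` would record the intent, and writing `rm -rf -- "$INT_CA_DIR" "$ROOT_CA_DIR" "$DEVSTACK_CERT"` guards against a value that begins with a dash. cleanup_CA starts above the hunk.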