Don't try to regenerate existing ssl certificates

Rerunning stack.sh after some failure unrelated to ssl setup will fail
due to certificates already existing in the CA index. Don't regenerate
them instead. This is a workaround making devstack development easier
rather than something typical user would run into.

Change-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f

lib/tls

@@ -231,31 +231,34 @@ function make_cert {
     local common_name=$3
     local alt_names=$4
 
-    # Generate a signing request
+    # Only generate the certificate if it doesn't exist yet on the disk
-    $OPENSSL req \
+    if [ ! -r "$ca_dir/$cert_name.crt" ]; then
-        -sha1 \
+        # Generate a signing request
-        -newkey rsa \
+        $OPENSSL req \
-        -nodes \
+            -sha1 \
-        -keyout $ca_dir/private/$cert_name.key \
+            -newkey rsa \
-        -out $ca_dir/$cert_name.csr \
+            -nodes \
-        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
+            -keyout $ca_dir/private/$cert_name.key \
+            -out $ca_dir/$cert_name.csr \
+            -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
 
-    if [[ -z "$alt_names" ]]; then
+        if [[ -z "$alt_names" ]]; then
-        alt_names="DNS:${common_name}"
+            alt_names="DNS:${common_name}"
-    else
+        else
-        alt_names="DNS:${common_name},${alt_names}"
+            alt_names="DNS:${common_name},${alt_names}"
+        fi
+
+        # Sign the request valid for 1 year
+        SUBJECT_ALT_NAME="$alt_names" \
+        $OPENSSL ca -config $ca_dir/signing.conf \
+            -extensions req_extensions \
+            -days 365 \
+            -notext \
+            -in $ca_dir/$cert_name.csr \
+            -out $ca_dir/$cert_name.crt \
+            -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
+            -batch
     fi
-
-    # Sign the request valid for 1 year
-    SUBJECT_ALT_NAME="$alt_names" \
-    $OPENSSL ca -config $ca_dir/signing.conf \
-        -extensions req_extensions \
-        -days 365 \
-        -notext \
-        -in $ca_dir/$cert_name.csr \
-        -out $ca_dir/$cert_name.crt \
-        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
-        -batch
 }
 
 
@@ -270,23 +273,25 @@ function make_int_CA {
     create_CA_config $ca_dir 'Intermediate CA'
     create_signing_config $ca_dir
 
-    # Create a signing certificate request
+    if [ ! -r "$ca_dir/cacert.pem" ]; then
-    $OPENSSL req -config $ca_dir/ca.conf \
+        # Create a signing certificate request
-        -sha1 \
+        $OPENSSL req -config $ca_dir/ca.conf \
-        -newkey rsa \
+            -sha1 \
-        -nodes \
+            -newkey rsa \
-        -keyout $ca_dir/private/cacert.key \
+            -nodes \
-        -out $ca_dir/cacert.csr \
+            -keyout $ca_dir/private/cacert.key \
-        -outform PEM
+            -out $ca_dir/cacert.csr \
+            -outform PEM
 
-    # Sign the intermediate request valid for 1 year
+        # Sign the intermediate request valid for 1 year
-    $OPENSSL ca -config $signing_ca_dir/ca.conf \
+        $OPENSSL ca -config $signing_ca_dir/ca.conf \
-        -extensions ca_extensions \
+            -extensions ca_extensions \
-        -days 365 \
+            -days 365 \
-        -notext \
+            -notext \
-        -in $ca_dir/cacert.csr \
+            -in $ca_dir/cacert.csr \
-        -out $ca_dir/cacert.pem \
+            -out $ca_dir/cacert.pem \
-        -batch
+            -batch
+    fi
 }
 
 # Make a root CA to sign other CAs