Check if CN already exists only after having asked for user password

Otherwise, with "-p", "--replace-existing" and "--non-interactive", with
CA_PASSWORD set but PASSWORD unset, the existing certificate was revoked but
the new one couldn't be created. Now, PASSWORD must be set or the existing
certificate won't be revoked.
Jérémy Dubois 2022-04-14 15:18:57 +02:00
parent ba2f553ef4
commit 55e02c6a13
1 changed files with 6 additions and 6 deletions


@ -630,7 +630,7 @@ create() {
# get CN from CSR
cn=$("${OPENSSL_BIN}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
# check if CN already exist
# check if CN already exists
if [ -f "${crt_file}" ]; then
replace_existing_or_abort "${cn}"
fi
@ -665,11 +665,6 @@ create() {
ovpn_file="${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
pkcs12_file="${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
# check if CN already exist
if [ -f "${crt_file}" ]; then
replace_existing_or_abort "${cn}"
fi
# ask for CA passphrase
ask_ca_password 0
@ -677,6 +672,11 @@ create() {
ask_user_password
fi
# check if CN already exists
if [ -f "${crt_file}" ]; then
replace_existing_or_abort "${cn}"
fi
# generate private key
pass_args=""
if [ -n "${password_file:-}" ]; then
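Review bot: The relocated `replace_existing_or_abort "${cn}"` check in the third hunk, now placed after `ask_user_password`, depends on its position for correctness, but nothing in the code says so, and a later reordering could silently bring back the revoke-without-replacement case. I would put a comment above it such as `# keep after ask_ca_password/ask_user_password: the existing certificate is revoked here, so every prompt that can abort must already have succeeded`. Going by the commit message, the helper revokes the current certificate. If so, a failure in the key generation or signing steps that follow (not visible here) would still leave the CN revoked with no new certificate, so it may be worth moving the check to just before the signing step. `create()` starts and ends outside the hunks shown, and the body of `replace_existing_or_abort` is not visible.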