Only generate private key and certificate request if ssl enabled.

Generating them unconditionally caused a problem with the init script:
the script required there to be a certificate for the private key if
the private key existed, but we do want to allow TCP-only configurations
and always having a private key prevented that.

Also, give the user advice on how to deal with this problem when it
arises in the init script.

diff --git a/debian/ofp-switch-setup b/debian/ofp-switch-setup
index 74f3f87d511fc800e2163b7a7f6ab366e1118d4c..275ddfca86554401261a2ca34e02941d9e0b0562 100755 (executable)
--- a/debian/ofp-switch-setup
+++ b/debian/ofp-switch-setup
@@ -61,21 +61,7 @@ if (-e $default) {
 }
 
 my $cacert_preverified = -e $cacert_file;
-
-if (! -e $privkey_file) {
-    my $old_umask = umask(077);
-    run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");
-    chmod(0644, $req_file) or die "$req_file: chmod: $!\n";
-    umask($old_umask);
-}
-
 my ($req, $req_fingerprint);
-if (! -e $cert_file) {
-    open(REQ, '<', $req_file) or die "$req_file: open: $!\n";
-    $req = join('', <REQ>);
-    close(REQ);
-    $req_fingerprint = sha1_hex($req);
-}
 
 my %options;
 
@@ -202,6 +188,24 @@ my (@states) =
            db_go();
        }
    },
+   sub {
+       return 'skip' if !ssl_enabled();
+
+       if (! -e $privkey_file) {
+           my $old_umask = umask(077);
+           run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");
+           chmod(0644, $req_file) or die "$req_file: chmod: $!\n";
+           umask($old_umask);
+       }
+
+       if (! -e $cert_file) {
+           open(REQ, '<', $req_file) or die "$req_file: open: $!\n";
+           $req = join('', <REQ>);
+           close(REQ);
+           $req_fingerprint = sha1_hex($req);
+       }
+       return 'skip';
+   },
    sub {
        return 'skip' if !ssl_enabled();
        return 'skip' if -e $cacert_file && -e $cert_file;

diff --git a/debian/openflow-switch.init b/debian/openflow-switch.init
index 74412d9095a4becfbc71efc77eaa4188675410a5..74ec2699be6f0f531c9522492873018ac03d2011 100755 (executable)
--- a/debian/openflow-switch.init
+++ b/debian/openflow-switch.init
@@ -120,6 +120,9 @@ configure_ssl() {
             echo "$CACERT: CA certificate missing" >&2
         fi
         echo "Run ofp-switch-setup or edit /etc/default/openflow-switch to configure" >&2
+        if test "$MODE" = discovery; then
+            echo "You may also delete or rename $PRIVKEY to disable SSL requirement" >&2
+        fi
         exit 1
     fi
     SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT --ca-cert=$CACERT"