renew: hande more error cases

cmd/dkl-local-server/secrets.go

@@ -3,7 +3,6 @@ package main
 import (
 	"crypto"
 	"crypto/rand"
-	"crypto/x509"
 	"encoding/base32"
 	"encoding/json"
 	"errors"
@@ -221,19 +220,25 @@ func (sd *SecretData) RenewCACert(cluster, name string) (err error) {
 
 	ca := cs.CAs[name]
 
-	var cert *x509.Certificate
-	cert, err = helpers.ParseCertificatePEM(ca.Cert)
-	if err != nil {
-		return
-	}
-
 	var signer crypto.Signer
 	signer, err = helpers.ParsePrivateKeyPEM(ca.Key)
 	if err != nil {
 		return
 	}
 
-	newCert, err := initca.RenewFromSigner(cert, signer)
+	var newCert []byte
+
+	cert, err := helpers.ParseCertificatePEM(ca.Cert)
+	if err == nil {
+		newCert, err = initca.RenewFromSigner(cert, signer)
+	}
+
+	if err != nil {
+		// failed to load or renew, create a new cert from the existing key
+		req := newCACertReq()
+		newCert, _, err = initca.NewFromSigner(req, signer)
+	}
+
 	if err != nil {
 		return
 	}
@@ -247,6 +252,22 @@ func (sd *SecretData) RenewCACert(cluster, name string) (err error) {
 	return
 }
 
+func newCACertReq() *csr.CertificateRequest {
+	return &csr.CertificateRequest{
+		CN: "Direktil Local Server",
+		KeyRequest: &csr.KeyRequest{
+			A: "ecdsa",
+			S: 521, // 256, 384, 521
+		},
+		Names: []csr.Name{
+			{
+				C: "NC",
+				O: "novit.nc",
+			},
+		},
+	}
+}
+
 func (sd *SecretData) CA(cluster, name string) (ca *CA, err error) {
 
 	defer func() {
@@ -277,19 +298,7 @@ func (sd *SecretData) CA(cluster, name string) (ca *CA, err error) {
 
 	log.Info("secret-data: new CA in cluster ", cluster, ": ", name)
 
-	req := &csr.CertificateRequest{
+	req := newCACertReq()
-		CN: "Direktil Local Server",
-		KeyRequest: &csr.KeyRequest{
-			A: "ecdsa",
-			S: 521, // 256, 384, 521
-		},
-		Names: []csr.Name{
-			{
-				C: "NC",
-				O: "novit.nc",
-			},
-		},
-	}
 
 	cert, _, key, err := initca.New(req)
 	if err != nil {