ensure that expired certs are updated *before* hiera compile.

2 files changed, 3 insertions, 3 deletions

diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index c388e5c3..44b97d4a 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -62,7 +62,8 @@ module LeapCli
     # but this should not be done if we are not examining all possible nodes.
     #
     def compile_hiera_files(nodes, clean_export)
-      update_compiled_ssh_configs # must come first
+      update_certificates(nodes)  # \ must come first so that output will
+      update_compiled_ssh_configs # / get included in compiled hiera files.
       sanity_check(nodes)
       manager.export_nodes(nodes)
       manager.export_secrets(clean_export)
diff --git a/lib/leap_cli/commands/deploy.rb b/lib/leap_cli/commands/deploy.rb
index c2a70afa..29c3faf5 100644
--- a/lib/leap_cli/commands/deploy.rb
+++ b/lib/leap_cli/commands/deploy.rb
@@ -49,11 +49,10 @@ module LeapCli
         environments.each do |env|
           check_platform_pinning(env, global)
         end
+
         # compile hiera files for all the nodes in every environment that is
         # being deployed and only those environments.
         compile_hiera_files(manager.filter(environments), false)
-        # update server certificates if needed
-        update_certificates(nodes)
 
         ssh_connect(nodes, connect_options(options)) do |ssh|
           ssh.leap.log :checking, 'node' do