authorvarac <varacanero@zeromail.org>2013-01-31 15:01:48 +0100
committervarac <varacanero@zeromail.org>2013-01-31 15:01:48 +0100
commit2585f661c55c3615eb95f660c101af70e9fd04e9 (patch)
tree1ea40ca07c18e92263e13dbdc6f70bfe1c8b943e
parent24829044b9726f5eb9a8a0ac09f94152b943f9e4 (diff)
parentefed0453a754ca1c1725192546c10ccc4fb3ebe1 (diff)
Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop
-rw-r--r--provider_base/test/openvpn/client.ovpn.erb6
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp33
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
3 files changed, 29 insertions, 16 deletions
diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb
index 96cb7177..a0bdd307 100644
--- a/provider_base/test/openvpn/client.ovpn.erb
+++ b/provider_base/test/openvpn/client.ovpn.erb
@@ -9,10 +9,8 @@ auth SHA1
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
-<% manager.services['openvpn'].node_list.each_node do |node| -%>
-<% unless node.local -%>
-<%= "remote #{node.openvpn.gateway_address} 1194 udp"%>
-<% end -%>
+<% vpn_nodes.each_node do |node| -%>
+<%= "remote #{node.openvpn.gateway_address} 1194 udp"%>
<% end -%>
<ca>
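Review bot: The rewritten loop at the `vpn_nodes.each_node` line drops the `unless node.local` guard the old loop had, so a node that is local to the host rendering this template would now get its own `remote` line unless `vpn_nodes` already excludes it. `vpn_nodes` is not defined anywhere in this hunk, so whether it is pre-filtered cannot be confirmed here. If it is meant to be the filtered list, a short comment on the loop would save the next reader the lookup, e.g. `<%# vpn_nodes is expected to contain only non-local openvpn nodes -%>`.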
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
}
x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
content => $site_openvpn::x509_config['ca_cert'],
notify => Service[openvpn];
}
@@ -29,4 +23,29 @@ class site_openvpn::keys {
mode => '0644',
}
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+
+ concat {
+ '/etc/openvpn/ca_bundle.pem':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'client_ca_cert':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ 'ca_cert':
+ content => $site_openvpn::x509_config['ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ }
+
}
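Review bot: `mode => 644` in the new `concat` resource is an unquoted number, while the existing resource a few lines up in the same file uses `mode => '0644'`; numeric modes are handled differently across Puppet versions, so writing it as `mode => '0644',` is both safer and consistent with the rest of the file. The new comment block describes the bundle as a transition to the client CA but does not say when the old CA is meant to leave the bundle, which is the security-relevant part of the transition: as long as both fragments are present, certificates issued under either CA are trusted by whatever consumes the bundle. A `# TODO: remove the 'ca_cert' fragment once the transition to the client CA is complete` line next to the `'ca_cert'` fragment would record that intent where the next maintainer will see it.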
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 68387a90..de273b46 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
- server => $openvpn_configname;
- "ca $openvpn_configname":
- key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
+ value => '/etc/openvpn/ca_bundle.pem',
server => $openvpn_configname;
"cert $openvpn_configname":
key => 'cert',
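Review bot: With `value => '/etc/openvpn/ca_bundle.pem'` the server's `ca` option now points at a bundle holding both the client CA and the main CA, so a certificate issued by the main `ca_cert` (which presumably also issues server certificates) would pass CA verification for a connecting client unless the server configuration already constrains peer certificates with `remote-cert-tls client`. That option is not in this hunk and may well be set elsewhere in this define, which continues outside the hunk; if it is not, declaring it next to the `ca` option would keep the widened trust anchor from also widening which certificates can authenticate as clients during the transition. A one-line comment on the `ca` option stating that the bundle is transitional, e.g. `# ca_bundle.pem holds both the client CA and the main CA while clients migrate`, would make the intent visible from this file as well.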