authorelijah <elijah@riseup.net>2013-01-31 04:31:54 -0800
committerelijah <elijah@riseup.net>2013-01-31 04:31:54 -0800
commit3c3ed940466eabf9cb56a47614133b5bc90d4ad7 (patch)
tree0541b1fe1caee02533de024de99562ba322ccddf
parent09649211f3c4b9ffd08af15deabe5916cf78df72 (diff)
added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used.
-rw-r--r--provider_base/test/openvpn/client.ovpn.erb6
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp33
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
3 files changed, 29 insertions, 16 deletions
diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb
index 96cb7177..a0bdd307 100644
--- a/provider_base/test/openvpn/client.ovpn.erb
+++ b/provider_base/test/openvpn/client.ovpn.erb
@@ -9,10 +9,8 @@ auth SHA1
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
-<% manager.services['openvpn'].node_list.each_node do |node| -%>
-<% unless node.local -%>
-<%= "remote #{node.openvpn.gateway_address} 1194 udp"%>
-<% end -%>
+<% vpn_nodes.each_node do |node| -%>
+<%= "remote #{node.openvpn.gateway_address} 1194 udp"%>
<% end -%>
<ca>
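Review bot: The `unless node.local` guard carried by the removed loop is gone from the new `vpn_nodes.each_node` loop, so any local node would now get a `remote` line unless `vpn_nodes` is already filtered where it is defined; that definition is not in this diff, so please confirm it excludes local nodes, or restore the guard as `<% next if node.local -%>` directly after the `each_node` line. The commit introduces a second CA on the server side, but the `<ca>` section that opens on the last line of this hunk continues outside it, so it is not visible here whether the client template also carries both CA certificates; if the server certificate ever moves to the other CA, clients will need it to verify the server.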
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
}
x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
content => $site_openvpn::x509_config['ca_cert'],
notify => Service[openvpn];
}
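Review bot: Dropping the `leap_client_ca` resource and renaming `leap_openvpn` to `leap_ca` does not remove the files those resources installed earlier; judging by the paths the old server_config.pp referenced (`/usr/local/share/ca-certificates/leap_client_ca.crt` and `/usr/local/share/ca-certificates/leap_openvpn.crt`), the retired certificates would remain in the system trust store with nothing managing them. If `x509::ca` installs into that directory, add `file { ['/usr/local/share/ca-certificates/leap_client_ca.crt', '/usr/local/share/ca-certificates/leap_openvpn.crt']: ensure => absent }` (or the equivalent the define offers) and confirm that the trust store is regenerated after the removal, so a CA that is no longer wanted stops being trusted system-wide. The body of `site_openvpn::keys` continues outside this hunk.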
@@ -29,4 +23,29 @@ class site_openvpn::keys {
mode => '0644',
}
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+
+ concat {
+ '/etc/openvpn/ca_bundle.pem':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'client_ca_cert':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ 'ca_cert':
+ content => $site_openvpn::x509_config['ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ }
+
}
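Review bot: `mode => 644` on the new `concat` resource is an unquoted number while the same file writes `mode => '0644'` a few lines above; use `mode => '0644'` so the value is the string the file type expects and the manifest stays consistent with itself. The comment block explains why two CAs are bundled but not the consequence: for as long as both fragments are present, a certificate issued by either CA is accepted for client authentication, so the transition needs a visible end, e.g. add `# Remove the 'ca_cert' fragment once all clients have moved to the client CA.` under the existing comment. The `owner`/`group` barewords (`root`) would also read better quoted, matching the rest of the resource.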
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 68387a90..de273b46 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
- server => $openvpn_configname;
- "ca $openvpn_configname":
- key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
+ value => '/etc/openvpn/ca_bundle.pem',
server => $openvpn_configname;
"cert $openvpn_configname":
key => 'cert',
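Review bot: The literal `/etc/openvpn/ca_bundle.pem` now appears here and three more times in keys.pp, with nothing tying the `ca` option to the concat target; a single variable on the `site_openvpn` class (for example `$ca_bundle_path`, name to be confirmed against the class) referenced from both manifests would keep the two from drifting apart when the path is next changed. `define site_openvpn::server_config` begins at the hunk header and its body continues outside the hunk, so any ordering between this option and the concat resource is not visible here.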