authorvarac <varacanero@zeromail.org>2013-09-19 11:51:43 +0200
committervarac <varacanero@zeromail.org>2013-09-19 11:51:43 +0200
commite2ea69580ff9417efb7a85e8190d331051323ff3 (patch)
tree3e67e75e932d683084863c5bae5981ed17c98964
parentca3f34da520ff835d383aa82f528adf927d3364f (diff)
parent1f9003eb6ed90400279011d477e6143e2eb6e2db (diff)
Merge branch 'feature/3832_Unify_x509_certs,_keys_and_ca' into develop
-rw-r--r--provider_base/services/mx.json4
-rw-r--r--provider_base/services/webapp.json4
-rw-r--r--puppet/modules/site_config/manifests/params.pp6
-rw-r--r--puppet/modules/site_config/manifests/x509.pp9
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp3
-rw-r--r--puppet/modules/site_postfix/manifests/mx/tls.pp20
7 files changed, 25 insertions, 27 deletions
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 25ccf4f0..f999dd23 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -12,8 +12,8 @@
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
"commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
"commercial_key": "= file [:commercial_key, domain.full_suffix]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
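Review bot: Nothing in this commit's mx manifests consumes `client_ca_key`, yet the switch from `file_path` to `file` on the mx node's `client_ca_key` line ships the client CA's private signing key to the MX host: `site_postfix::mx::tls` only needs the client CA certificate to verify client certificates, and `site_config::x509` reads `key`, `cert`, `ca_cert` and `client_ca_cert` but not the key. Distributing a CA signing key to a host that only verifies certificates widens the blast radius of an MX compromise for no visible benefit. Unless a manifest outside this diff needs the key on mx, drop the line or keep it as a path reference, `"client_ca_key": "= file_path :client_ca_key",`, and leave the `file` form to the webapp, which issues the client certificates. The `x509` object continues past the hunk.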
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index ee61e5ab..e47f047b 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -45,8 +45,8 @@
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
"commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
"commercial_key": "= file [:commercial_key, domain.full_suffix]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index a4657457..008a4e1f 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -23,6 +23,8 @@ class site_config::params {
fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
}
- $ca_name = 'leap_ca'
- $cert_name = 'leap'
+ $ca_name = 'leap_ca'
+ $client_ca_name = 'leap_client_ca'
+ $ca_bundle_name = 'leap_ca_bundle'
+ $cert_name = 'leap'
}
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
index 879285dd..8eca97e7 100644
--- a/puppet/modules/site_config/manifests/x509.pp
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -4,6 +4,7 @@ class site_config::x509 {
$key = $x509['key']
$cert = $x509['cert']
$ca = $x509['ca_cert']
+ $client_ca = $x509['client_ca_cert']
x509::key { $site_config::params::cert_name:
content => $key
@@ -16,4 +17,12 @@ class site_config::x509 {
x509::ca { $site_config::params::ca_name:
content => $ca
}
+
+ x509::ca { $site_config::params::client_ca_name:
+ content => $client_ca
+ }
+
+ x509::ca { $site_config::params::ca_bundle_name:
+ content => "${ca}${client_ca}"
+ }
}
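Review bot: The bundle in `x509::ca { $site_config::params::ca_bundle_name: ... }` is built as `"${ca}${client_ca}"` with no separator between the two PEM blocks; if the stored `ca_cert` does not end in a newline, the provider CA's `-----END CERTIFICATE-----` and the client CA's `-----BEGIN CERTIFICATE-----` land on one line and PEM parsers will silently read only the first certificate, so the client CA never enters the bundle that OpenVPN now trusts. Joining with an explicit newline is harmless when a trailing newline is already present: `content => "${ca}\n${client_ca}"`. Separately, `$client_ca` is read unconditionally from `$x509['client_ca_cert']`; on any node type whose `x509` hash carries no `client_ca_cert` it is undef and both new resources get empty or truncated content, so a guard is worth adding if such nodes include this class (not determinable from the diff).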
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 5ba9812f..befeaef7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -80,15 +80,15 @@ define site_openvpn::server_config(
openvpn::option {
"ca ${openvpn_configname}":
key => 'ca',
- value => '/etc/openvpn/ca_bundle.pem',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
server => $openvpn_configname;
"cert ${openvpn_configname}":
key => 'cert',
- value => '/etc/x509/certs/leap_openvpn.crt',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
"key ${openvpn_configname}":
key => 'key',
- value => '/etc/x509/keys/leap_openvpn.key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
server => $openvpn_configname;
"dh ${openvpn_configname}":
key => 'dh',
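Review bot: The `ca` option now points at `leap_ca_bundle.crt`, which per the `site_config::x509` change in this commit concatenates the provider CA and the client CA, so OpenVPN will accept a peer certificate issued by either CA as a VPN client — including certificates the provider CA issued to other nodes. That is only safe if the rest of this server config (`site_openvpn::server_config` continues past the hunk) enforces a client-only purpose check such as `remote-cert-tls client` or a `tls-verify` script; if it does not, either add that option or point `ca` at the client CA alone, `value => "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt",`. The replaced `/etc/openvpn/ca_bundle.pem` presumably had the same trust shape, so this is not a regression, but a short comment stating why the bundle rather than the client CA is used here would keep the choice deliberate.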
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2d8f3db5..4a7d66ed 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -44,7 +44,6 @@ submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_recipient_restrictions=\$submission_recipient_restrictions
-o smtpd_helo_restrictions=\$submission_helo_restrictions",
- require => [
- X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
+ require => Class['Site_config::X509']
}
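Review bot: Replacing the resource list with `require => Class['Site_config::X509']` drops the explicit ordering after `User['vmail']`; unless that dependency is declared elsewhere (not visible here — the enclosing resource starts before the hunk), the vmail user may now be created after this resource is applied. Keeping both is a one-line change: `require => [ Class['Site_config::X509'], User['vmail'] ]`. The class reference also assumes `site_config::x509` is declared in the catalog for mx nodes; an `include site_config::x509` in `site_postfix::mx` would make that explicit rather than relying on another class to pull it in.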
}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 8c9da9db..34df72bb 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -1,26 +1,14 @@
class site_postfix::mx::tls {
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $client_ca = $x509['client_ca_cert']
-
include x509::variables
- $cert_name = hiera('name')
- $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
-
- x509::key { $cert_name:
- content => $key,
- }
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
- x509::cert { $cert_name:
- content => $cert,
- }
postfix::config {
'smtpd_use_tls': value => 'yes';
- 'smtpd_tls_CAfile': value => $client_ca;
+ 'smtpd_tls_CAfile': value => $ca_path;
'smtpd_tls_cert_file': value => $cert_path;
'smtpd_tls_key_file': value => $key_path;
'smtpd_tls_ask_ccert': value => 'yes';
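Review bot: `smtpd_tls_CAfile`, `smtpd_tls_cert_file` and `smtpd_tls_key_file` now reference files written by the `x509::ca`/`x509::cert`/`x509::key` resources in `site_config::x509`, but nothing in this class orders the `postfix::config` resources after that class, so on a fresh node main.cf can point at files that do not exist yet and Postfix will log TLS errors until a later run. `site_postfix::mx` in this same commit already uses `require => Class['Site_config::X509']` for its master.cf resource; adding the same `require` to the `postfix::config { ... }` block here closes the gap, assuming the postfix module does not already order it. Pointing `smtpd_tls_CAfile` at the client CA alone rather than the new bundle is the right choice — with `smtpd_tls_ask_ccert = yes` only client-CA-issued certificates are then accepted as client identities — and a one-line comment on `$ca_path`, `# client CA only, never the bundle: provider-CA-signed node certs must not authenticate as mail clients`, would keep a future edit from switching it.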