authorelijah <elijah@riseup.net>2013-01-31 04:31:54 -0800
committerelijah <elijah@riseup.net>2013-01-31 04:31:54 -0800
commit3c3ed940466eabf9cb56a47614133b5bc90d4ad7 (patch)
tree0541b1fe1caee02533de024de99562ba322ccddf /puppet/modules/site_openvpn/manifests/keys.pp
parent09649211f3c4b9ffd08af15deabe5916cf78df72 (diff)
added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used.
Diffstat (limited to 'puppet/modules/site_openvpn/manifests/keys.pp')
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp33
1 files changed, 26 insertions, 7 deletions
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
}
x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
content => $site_openvpn::x509_config['ca_cert'],
notify => Service[openvpn];
}
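Review bot: Renaming the x509::ca title from 'leap_openvpn' to 'leap_ca' and dropping the 'leap_client_ca' resource changes the names other manifests may reference as `X509::Ca['leap_openvpn']` or `X509::Ca['leap_client_ca']` (for example in an openvpn `ca` directive or a relationship); none of those call sites are in this diff, so they are worth a grep before merge. The rest of class site_openvpn::keys lies outside the hunk.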
@@ -29,4 +23,29 @@ class site_openvpn::keys {
mode => '0644',
}
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+
+ concat {
+ '/etc/openvpn/ca_bundle.pem':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'client_ca_cert':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ 'ca_cert':
+ content => $site_openvpn::x509_config['ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ }
+
}
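Review bot: The concat resource for /etc/openvpn/ca_bundle.pem uses an unquoted `mode => 644,` while the existing file resource a few lines above in the same hunk uses the string `mode => '0644',`; the value should be `mode => '0644',` for consistency and because newer Puppet releases reject or misread a bare integer mode (the 644 here would only work as intended if it is still interpreted as octal text). The two service references also differ in form (`Service['openvpn']` in the new concat versus `Service[openvpn]` in the surrounding resources), which is worth unifying. With `warn => true`, concat writes a header comment into the bundle; OpenVPN appears to tolerate text outside the PEM blocks, but that should be confirmed on the target version rather than assumed. Note that the bundle makes any certificate chained to either CA acceptable, which is the stated transition intent and is worth recording in the header comment so it is revisited once the old CA is phased out.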