Diffstat (limited to 'puppet/modules/site_openvpn')
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp33
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
2 files changed, 27 insertions, 12 deletions
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
}
x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
content => $site_openvpn::x509_config['ca_cert'],
notify => Service[openvpn];
}
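Review bot: Renaming the x509::ca resource from 'leap_openvpn' to 'leap_ca' and dropping 'leap_client_ca' does not remove the files those resources previously managed; if x509::ca installs into /usr/local/share/ca-certificates (as the paths removed in server_config.pp suggest), leap_openvpn.crt and leap_client_ca.crt stay on disk, and in the system trust store if update-ca-certificates picks that directory up, with no Puppet resource owning them any more. Consider an explicit cleanup, e.g. `file { ['/usr/local/share/ca-certificates/leap_openvpn.crt', '/usr/local/share/ca-certificates/leap_client_ca.crt']: ensure => absent }`, plus whatever trust-store refresh x509::ca normally triggers, if any. The enclosing class site_openvpn::keys starts before this hunk.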
@@ -29,4 +23,29 @@ class site_openvpn::keys {
mode => '0644',
}
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+
+ concat {
+ '/etc/openvpn/ca_bundle.pem':
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ notify => Service['openvpn'];
+ }
+
+ concat::fragment {
+ 'client_ca_cert':
+ content => $site_openvpn::x509_config['client_ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ 'ca_cert':
+ content => $site_openvpn::x509_config['ca_cert'],
+ target => '/etc/openvpn/ca_bundle.pem';
+ }
+
}
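Review bot: Placing `ca_cert` alongside `client_ca_cert` in the bundle means OpenVPN accepts as a client any certificate chaining to either CA, so for the whole transition every certificate issued by the main CA can authenticate as a VPN client unless the server config enforces client EKU with `remote-cert-tls client` (not visible in this hunk). That matches the stated intent, but the comment should name the exit condition so the widened trust does not outlive the migration, e.g. `# TODO: drop the 'ca_cert' fragment once all clients hold certs issued by client_ca_cert`. Two smaller items: `mode => 644` is an unquoted integer while the `mode => '0644'` context line just above uses the string form Puppet expects, and puppetlabs-concat does not add a separator between fragments by default, so if either cert value lacks a trailing newline the two PEM blocks fuse and the second CA is silently not loaded — `ensure_newline => true` on the fragments (if the concat module in use supports it) or a check on the input guards against that. The enclosing class site_openvpn::keys starts before this hunk.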
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 68387a90..de273b46 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
- server => $openvpn_configname;
- "ca $openvpn_configname":
- key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
+ value => '/etc/openvpn/ca_bundle.pem',
server => $openvpn_configname;
"cert $openvpn_configname":
key => 'cert',
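Review bot: The `ca` option now points at /etc/openvpn/ca_bundle.pem, which is assembled by a Concat resource in site_openvpn::keys, but nothing in this define orders the option after that file exists; on a first run the service may be started or notified before the bundle is written and fail to start, and although the Concat's own notify should restart it afterwards, the dependency is implicit. Adding `require => Concat['/etc/openvpn/ca_bundle.pem']` to this option, or a class-level ordering between site_openvpn::keys and the server_config instances, makes it explicit. The enclosing define site_openvpn::server_config starts and ends outside this hunk.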