From 3c3ed940466eabf9cb56a47614133b5bc90d4ad7 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 31 Jan 2013 04:31:54 -0800
Subject: added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used.
---
puppet/modules/site_openvpn/manifests/keys.pp | 33 +++++++++++++++++-----
.../site_openvpn/manifests/server_config.pp | 6 +---
2 files changed, 27 insertions(+), 12 deletions(-)
(limited to 'puppet/modules/site_openvpn')
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 78902676..f3c5b423 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -13,13 +13,7 @@ class site_openvpn::keys {
 }
 x509::ca {
- 'leap_client_ca':
- content => $site_openvpn::x509_config['client_ca_cert'],
- notify => Service[openvpn];
- }
-
- x509::ca {
- 'leap_openvpn':
+ 'leap_ca':
 content => $site_openvpn::x509_config['ca_cert'],
 notify => Service[openvpn];
 }
@@ -29,4 +23,29 @@ class site_openvpn::keys {
 mode => '0644',
 }
+ #
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+ #
+ concat { '/etc/openvpn/ca_bundle.pem': owner => root, group => root, mode => 644, warn => true, notify => Service['openvpn']; }
+ concat::fragment { 'client_ca_cert': content => $site_openvpn::x509_config['client_ca_cert'], target => '/etc/openvpn/ca_bundle.pem'; 'ca_cert': content => $site_openvpn::x509_config['ca_cert'], target => '/etc/openvpn/ca_bundle.pem'; }
+ }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 68387a90..de273b46 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
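Review bot: Dropping the `leap_client_ca` x509::ca resource (and renaming `leap_openvpn` to `leap_ca`) does not remove what those resources previously installed on hosts that already applied the old catalog — Puppet only manages resources still present — so the old copies (the removed server_config lines point at `/usr/local/share/ca-certificates/leap_client_ca.crt` and `leap_openvpn.crt`) stay on disk and, if x509::ca feeds update-ca-certificates as that directory suggests, remain in the system trust store. A transitional `file { '/usr/local/share/ca-certificates/leap_client_ca.crt': ensure => absent }` (and one for `leap_openvpn.crt`) with a notify to whatever refreshes the trust store would close that gap; an `ensure => absent` on the define is an alternative if it supports one. The enclosing class site_openvpn::keys starts outside the hunk.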
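Review bot: With both fragments in `/etc/openvpn/ca_bundle.pem`, OpenVPN accepts any client certificate chaining to either `client_ca_cert` or `ca_cert`, and nothing in the hunk says when the second CA is meant to go away; the header comment could end with `# NOTE: while both fragments exist, a client cert issued by EITHER CA is accepted; drop the 'ca_cert' fragment once all clients have been reissued from the client CA.` Two smaller points on the concat block: `mode => 644` is an unquoted number while this same file writes `mode => '0644'` a few lines above (quote it the same way), and concat joins fragments verbatim, so if a value in `x509_config` lacks a trailing newline the END/BEGIN CERTIFICATE markers of the two certs would likely run together on one line and the second CA would not be parsed — `content => "${site_openvpn::x509_config['client_ca_cert']}\n"` (and the same for `ca_cert`) guards against that. The enclosing class site_openvpn::keys starts outside the hunk.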
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,11 +69,7 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
 openvpn::option {
 "ca $openvpn_configname":
 key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_client_ca.crt',
- server => $openvpn_configname;
- "ca $openvpn_configname":
- key => 'ca',
- value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
+ value => '/etc/openvpn/ca_bundle.pem',
 server => $openvpn_configname;
 "cert $openvpn_configname":
 key => 'cert',
-- cgit v1.2.3
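Review bot: The `ca` option now points at `/etc/openvpn/ca_bundle.pem`, a file assembled by a concat resource in a different class, but nothing in this hunk orders the option or the openvpn service after that file; on a fresh host the service can be started before the bundle exists and fail until the concat's notify restarts it. Adding `require => Concat['/etc/openvpn/ca_bundle.pem'],` to the `"ca $openvpn_configname"` option makes the dependency explicit (this assumes site_openvpn::keys is always in the same catalog as this define — verify). The enclosing define site_openvpn::server_config starts and ends outside the hunk.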