Merge pull request #321 from Dan33l/fix_issue318

consider the easyrsa version to trigger the renew crl command
voxpupuli · Dec 17, 2018 · 7d3a84e · 7d3a84e
2 parents cc6ffc2 + aa7644a
commit 7d3a84e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -330,11 +330,26 @@
           period => $crl_renew_schedule_period,
           repeat => $crl_renew_schedule_repeat,
         }
-        exec { "renew crl.pem on ${name}":
-          command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::etc_directory}/openvpn/${name}/crl.pem -config ${openvpn::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
-          cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
-          provider => 'shell',
-          schedule => "renew crl.pem schedule on ${name}",
+        case $openvpn::easyrsa_version {
+          '2.0': {
+            exec { "renew crl.pem on ${name}":
+              command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::etc_directory}/openvpn/${name}/crl.pem -config ${openvpn::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+              cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
+              provider => 'shell',
+              schedule => "renew crl.pem schedule on ${name}",
+            }
+          }
+          '3.0': {
+            exec { "renew crl.pem on ${name}":
+              command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+              cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
+              provider => 'shell',
+              schedule => "renew crl.pem schedule on ${name}",
+            }
+          }
+          default: {
+            fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+          }
         }
       }
     } elsif !$extca_enabled {

diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb
@@ -6,11 +6,13 @@
   key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/private'
   crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued'
   index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+  renew_crl_cmd = "cd /etc/openvpn/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out /etc/openvpn/test_openvpn_server/crl.pem -config /etc/openvpn/test_openvpn_server/easy-rsa/openssl.cnf"
 when 'Debian'
   server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/server.crt'
   key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
   crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
   index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+  renew_crl_cmd = "cd /etc/openvpn/test_openvpn_server/easy-rsa && . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/test_openvpn_server/crl.pem -config /etc/openvpn/test_openvpn_server/easy-rsa/openssl.cnf"
 end
 
 # All-terrain tls ciphers are used to be able to work with all supported OSes.
@@ -123,5 +125,9 @@
       its(:stdout) { is_expected.to match %r{.*vpnclienta.*} }
       its(:exit_status) { is_expected.to eq 0 }
     end
+
+    describe command(renew_crl_cmd.to_s) do
+      its(:exit_status) { is_expected.to eq 0 }
+    end
   end
 end