From aa7644a6f418517df294c23c91d2d4a7196714ce Mon Sep 17 00:00:00 2001
From: Fabien COMBERNOUS <Dan33l@users.noreply.github.com>
Date: Sun, 16 Dec 2018 23:48:42 +0100
Subject: [PATCH] consider the easyrsa version to trigger the renew crl command

---
 manifests/server.pp             | 25 ++++++++++++++++++++-----
 spec/acceptance/openvpn_spec.rb |  6 ++++++
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index b43c47dd..b0e46eaf 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -330,11 +330,26 @@
           period => $crl_renew_schedule_period,
           repeat => $crl_renew_schedule_repeat,
         }
-        exec { "renew crl.pem on ${name}":
-          command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::etc_directory}/openvpn/${name}/crl.pem -config ${openvpn::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
-          cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
-          provider => 'shell',
-          schedule => "renew crl.pem schedule on ${name}",
+        case $openvpn::easyrsa_version {
+          '2.0': {
+            exec { "renew crl.pem on ${name}":
+              command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::etc_directory}/openvpn/${name}/crl.pem -config ${openvpn::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+              cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
+              provider => 'shell',
+              schedule => "renew crl.pem schedule on ${name}",
+            }
+          }
+          '3.0': {
+            exec { "renew crl.pem on ${name}":
+              command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${etc_directory}/openvpn/${name}/crl.pem -config ${etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+              cwd      => "${openvpn::etc_directory}/openvpn/${name}/easy-rsa",
+              provider => 'shell',
+              schedule => "renew crl.pem schedule on ${name}",
+            }
+          }
+          default: {
+            fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+          }
         }
       }
     } elsif !$extca_enabled {
diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb
index 0f62430a..45ff281a 100644
--- a/spec/acceptance/openvpn_spec.rb
+++ b/spec/acceptance/openvpn_spec.rb
@@ -6,11 +6,13 @@
   key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/private'
   crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/issued'
   index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+  renew_crl_cmd = "cd /etc/openvpn/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out /etc/openvpn/test_openvpn_server/crl.pem -config /etc/openvpn/test_openvpn_server/easy-rsa/openssl.cnf"
 when 'Debian'
   server_crt = '/etc/openvpn/test_openvpn_server/easy-rsa/keys/server.crt'
   key_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
   crt_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
   index_path = '/etc/openvpn/test_openvpn_server/easy-rsa/keys'
+  renew_crl_cmd = "cd /etc/openvpn/test_openvpn_server/easy-rsa && . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/test_openvpn_server/crl.pem -config /etc/openvpn/test_openvpn_server/easy-rsa/openssl.cnf"
 end
 
 # All-terrain tls ciphers are used to be able to work with all supported OSes.
@@ -123,5 +125,9 @@
       its(:stdout) { is_expected.to match %r{.*vpnclienta.*} }
       its(:exit_status) { is_expected.to eq 0 }
     end
+
+    describe command(renew_crl_cmd.to_s) do
+      its(:exit_status) { is_expected.to eq 0 }
+    end
   end
 end