Fix client cert revoke error with easyrsa 3.0

In easyrsa 3.0 (used in CentOS) the command has changed. Now there is only a single binary to run the scripts. Further the generation of CRL also has changed; now a new crl.pem file is created in keys/crl.pem which overrides the symlink there. So the revocation check did not work anymore, because the crl.pem in the base directory was not checked when a client connected. Resolves: VSHNOPS-1537
voxpupuli · May 10, 2019 · ada7f05 · ada7f05
1 parent 32eea68
commit ada7f05
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 10 deletions.
diff --git a/manifests/revoke.pp b/manifests/revoke.pp
@@ -25,10 +25,30 @@
 
   $etc_directory = $openvpn::etc_directory
 
-  exec { "revoke certificate for ${name} in context of ${server}":
-    command  => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
-    cwd      => "${etc_directory}/openvpn/${server}/easy-rsa",
-    creates  => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
-    provider => 'shell',
+  case $openvpn::easyrsa_version {
+    '3.0': {
+      exec { "revoke certificate for ${name} in context of ${server}":
+        command  => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2|))' && touch revoked/${name}",
+        cwd      => "${etc_directory}/openvpn/${server}/easy-rsa",
+        creates  => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
+        provider => 'shell',
+      }
+      # `easyrsa gen-crl` does not work, since it will create the crl.pem
+      # to keys/crl.pem which is a symlinked to crl.pem in the servers etc
+      # directory
+      exec { "renew crl.pem for ${name}":
+        command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf",
+        cwd      => "${openvpn::etc_directory}/openvpn/${server}/easy-rsa",
+        provider => 'shell',
+      }
+    }
+    default: {
+      exec { "revoke certificate for ${name} in context of ${server}":
+        command  => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
+        cwd      => "${etc_directory}/openvpn/${server}/easy-rsa",
+        creates  => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
+        provider => 'shell',
+      }
+    }
   }
 }
diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb
@@ -24,12 +24,33 @@
       let(:params) { { 'server' => 'test_server' } }
 
       it { is_expected.to compile.with_all_deps }
+      context 'easyrsa version 2.0' do
+        let(:facts) do
+          super().merge('easyrsa' => '2.0')
+        end
 
-      it {
-        is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
-          'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
-        )
-      }
+        it {
+          is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
+            'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
+          )
+        }
+      end
+      context 'easyrsa version 3.0' do
+        let(:facts) do
+          super().merge('easyrsa' => '3.0')
+        end
+
+        it {
+          is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
+            'command' => ". ./vars && ./easyrsa --batch revoke test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2|))' && touch revoked/test_client"
+          )
+        }
+        it {
+          is_expected.to contain_exec('renew crl.pem for test_client').with(
+            'command' => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf"
+          )
+        }
+      end
     end
   end
 end