-
-
Notifications
You must be signed in to change notification settings - Fork 197
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revoke command missing on easy-rsa 3.0 #331 #332
Revoke command missing on easy-rsa 3.0 #331 #332
Conversation
Thank you @jasonsattler for this PR. I added an inline comment. Are you able to update acceptance tests by revoking certificate of the client produced by tests ? |
New to ruby. Also still setting up my env. I am little stuck on how to add the notify to the tests. Any help or direction would be great. Commented it out of the puppet manifest for now. |
#331 This block of code works for me. ``` each($revoked) |$name| { exec { "revoke certificate for ${name} in context of ${server}": command => ". ./vars && echo yes | ./easyrsa revoke ${name} 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/${name}", cwd => "/etc/openvpn/${server}/easy-rsa", creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}", provider => 'shell', notify => Service["openvpn@${server}"] } } ``` fix lint issue fix validation fix comma Adding to revoke spec Update test and revoke.pp
Found that I had the wrong name in the notify. |
First step acceptance are here https://github.com/voxpupuli/puppet-openvpn/blob/master/spec/acceptance/openvpn_spec.rb. Second step what is the puppet code used to revoke a client certificate ? 3rd step is to run this code two times like here https://github.com/voxpupuli/puppet-openvpn/blob/master/spec/acceptance/openvpn_spec.rb#L60 4rd check the result If you want to try you can join slack or IRC for asking questions on #voxpupuli |
Thank you for the direction. I will try to find some time today to look at that. Last night was able to get the notify back in and get the following test to work.
Looks like this one is failing. Which I have not had time to look at yet.
output:
|
case $openvpn::easyrsa_version { | ||
'2.0': { | ||
exec { "revoke certificate for ${name} in context of ${server}": | ||
command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bit annoying that this is so ugly to automate :(
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree 100%!!!!!! I was not very happy to find that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is why acceptance tests are mandatory IMO. This will permit to check if it is not too much fragile.
} | ||
|
||
exec { "revoke certificate for ${name} in context of ${server}": | ||
command => ". ./vars && echo yes | ./easyrsa revoke ${name} 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/${name}", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
May I ask, why you are using 'echo yes' instead of the --batch switch on easyrsa?
I just hacked together a 'revoke-full' temp fix and found this to be simpler.
./easyrsa --batch revoke ${name}
Cheers,
Jan
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No reason, just missed that flag.
hum ... it looks that we have an other PR about same topic #338 |
Sorry I have not gotten back to this. Been busy rolling a new service out to production. If the other PR has test feel free to close this one. |
So i close this PR. |
#331
This block of code works for me.
Pull Request (PR) description
This Pull Request (PR) fixes the following issues