Easyrsa version range

manifests/ca.pp

@@ -86,8 +86,8 @@
     require => File["${server_directory}/${name}/easy-rsa"],
   }
 
-  case $openvpn::easyrsa_version {
-    '2.0': {
+  if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+    if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
       if $ssl_key_algo != 'rsa' {
         fail('easy-rsa 2.0 supports only rsa keys.')
       }
@@ -139,13 +139,23 @@
         provider => 'shell',
         require  => Exec["generate server cert ${name}"],
       }
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
     }
-    '3.0': {
+  } else {
+    if versioncmp($openvpn::easyrsa_version, '4') == -1 {
+      if versioncmp($openvpn::easyrsa_version, '3.0.3') == 1 {
+        $default_easyrsa_openssl_conf = 'openssl-easyrsa.cnf'
+      } else {
+        $default_easyrsa_openssl_conf = 'openssl-1.0.cnf'
+      }
+
       file { "${server_directory}/${name}/easy-rsa/vars":
         ensure  => file,
         mode    => '0550',
         content => epp('openvpn/vars-30.epp',
           {
+            'easyrsa_config'   => $default_easyrsa_openssl_conf,
             'server_directory' => $server_directory,
             'openvpn_server'   => $name,
             'ssl_key_algo'     => $ssl_key_algo,
@@ -171,7 +181,7 @@
       if $openvpn::link_openssl_cnf {
         File["${server_directory}/${name}/easy-rsa/openssl.cnf"] {
           ensure => link,
-          target => "${server_directory}/${name}/easy-rsa/openssl-1.0.cnf",
+          target => "${server_directory}/${name}/easy-rsa/${default_easyrsa_openssl_conf}",
           before => Exec["initca ${name}"],
         }
       }
@@ -202,7 +212,7 @@
       }
 
       exec { "generate server cert ${name}":
-        command  => "./easyrsa build-server-full '${common_name}' nopass",
+        command  => "./easyrsa --batch build-server-full '${common_name}' nopass",
         cwd      => "${server_directory}/${name}/easy-rsa",
         creates  => "${server_directory}/${name}/easy-rsa/keys/private/${common_name}.key",
         provider => 'shell',
@@ -226,9 +236,8 @@
         creates  => "${server_directory}/${name}/crl.pem",
         provider => 'shell',
       }
-    }
-    default: {
-      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
     }
   }
 

manifests/client.pp

@@ -98,15 +98,17 @@
 
   if $expire {
     if is_integer($expire) {
-      case $openvpn::easyrsa_version {
-        '2.0': {
+      if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+        if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
           $env_expire = "KEY_EXPIRE=${expire}"
+        } else {
+          fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
         }
-        '3.0': {
+      } else {
+        if versioncmp($openvpn::easyrsa_version, '4') == -1 {
           $env_expire = "EASYRSA_CERT_EXPIRE=${expire} EASYRSA_NO_VARS=1"
-        }
-        default: {
-          fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+        } else {
+          fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
         }
       }
     } else {
@@ -116,8 +118,8 @@
     $env_expire = ''
   }
 
-  case $openvpn::easyrsa_version {
-    '2.0': {
+  if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+    if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
       exec { "generate certificate for ${name} in context of ${ca_name}":
         command  => ". ./vars && ${env_expire} ./pkitool ${name}",
         cwd      => "${server_directory}/${ca_name}/easy-rsa",
@@ -136,8 +138,11 @@
         target  => "${server_directory}/${ca_name}/easy-rsa/keys/${name}.key",
         require => Exec["generate certificate for ${name} in context of ${ca_name}"],
       }
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
     }
-    '3.0': {
+  } else {
+    if versioncmp($openvpn::easyrsa_version, '4') == -1 {
       exec { "generate certificate for ${name} in context of ${ca_name}":
         command  => ". ./vars && ${env_expire} ./easyrsa --batch build-client-full ${name} nopass",
         cwd      => "${server_directory}/${ca_name}/easy-rsa",
@@ -156,9 +161,8 @@
         target  => "${server_directory}/${ca_name}/easy-rsa/keys/private/${name}.key",
         require => Exec["generate certificate for ${name} in context of ${ca_name}"],
       }
-    }
-    default: {
-      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x.")
     }
   }
 
@@ -301,10 +305,22 @@
     order   => '08',
   }
 
+  exec { "Create PEM file without text with OpenSSL for client ${name}":
+    cwd         => "${server_directory}/${server}/download-configs/",
+    command     => "openssl x509 -in ${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.crt > ${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.pem",
+    creates     => "${server_directory}/${name}/easy-rsa/keys/ca.pem",
+    provider    => 'shell',
+    refreshonly => true,
+    subscribe   => File["${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.crt"],
+  }
+
   concat::fragment { "${server_directory}/${server}/download-configs/${name}.ovpn/cert":
-    target => "${server_directory}/${server}/download-configs/${name}.ovpn",
-    source => "${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.crt",
-    order  => '09',
+    target  => "${server_directory}/${server}/download-configs/${name}.ovpn",
+    source  => "${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.pem",
+    order   => '09',
+    require => [
+      Exec["Create PEM file without text with OpenSSL for client ${name}"],
+    ],
   }
 
   concat::fragment { "${server_directory}/${server}/download-configs/${name}.ovpn/cert_close_tag":

manifests/init.pp

@@ -36,7 +36,7 @@
   Boolean                              $link_openssl_cnf,
   Optional[Stdlib::Absolutepath]       $pam_module_path,
   Boolean                              $namespecific_rclink,
-  Pattern[/^[23]\.0$/]                 $default_easyrsa_ver,
+  Pattern[/^[23]\.\d(\.\d{1,2})?$/]    $default_easyrsa_ver,
   Stdlib::Unixpath                     $easyrsa_source,
   Variant[String[1], Array[String[1]]] $additional_packages,
   Optional[Stdlib::Absolutepath]       $ldap_auth_plugin_location,

manifests/revoke.pp

@@ -24,15 +24,32 @@
 
   $server_directory = $openvpn::server_directory
 
-  $revocation_command = $openvpn::easyrsa_version ? {
-    '2.0' => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
-    '3.0' => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
+  if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+    if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
+      $revocation_command = ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'"
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x")
+    }
+  } else {
+    if versioncmp($openvpn::easyrsa_version, '4') == -1 {
+      $revocation_command = ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'"
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x")
+    }
   }
 
-  $renew_command = $openvpn::easyrsa_version ? {
-    '2.0'   => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
-    '3.0'   => './easyrsa gen-crl',
-    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0."),
+  if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+    if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
+      $renew_command = ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf"
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x")
+    }
+  } else {
+    if versioncmp($openvpn::easyrsa_version, '4') == -1 {
+      $renew_command = './easyrsa gen-crl'
+    } else {
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x")
+    }
   }
 
   file { "${server_directory}/${server}/easy-rsa/revoked/${name}":
@@ -55,7 +72,9 @@
     refreshonly => true,
   }
 
-  if ($openvpn::easyrsa_version == '3.0') {
+  if versioncmp($openvpn::easyrsa_version, '4') == -1 and
+  (versioncmp($openvpn::easyrsa_version, '3') == 1 or
+  versioncmp($openvpn::easyrsa_version, '3') == 0) {
     exec { "copy renewed crl.pem to ${name} keys directory because of revocation of ${name}":
       command     => "cp ${server_directory}/${server}/easy-rsa/keys/crl.pem ${server_directory}/${server}/crl.pem",
       subscribe   => Exec["renew crl.pem on ${server} because of revocation of ${name}"],

manifests/server.pp

@@ -353,7 +353,11 @@
 
   if !$remote {
     if !$shared_ca and !$extca_enabled {
-      if $dn_mode == 'org' or $openvpn::easyrsa_version == '2.0' {
+      if $dn_mode == 'org' or
+      (versioncmp($openvpn::easyrsa_version, '3') == -1 and
+        (versioncmp($openvpn::easyrsa_version, '2') == 1 or
+        versioncmp($openvpn::easyrsa_version, '2') == 0)
+      ) {
         # VPN Server Mode
         if $country == undef {
           fail('country has to be specified in server mode')
@@ -398,16 +402,19 @@
           period => $crl_renew_schedule_period,
           repeat => $crl_renew_schedule_repeat,
         }
-        case $openvpn::easyrsa_version {
-          '2.0': {
+        if versioncmp($openvpn::easyrsa_version, '3') == -1 {
+          if versioncmp($openvpn::easyrsa_version, '2') == 1 or versioncmp($openvpn::easyrsa_version, '2') == 0 {
             exec { "renew crl.pem on ${name}":
               command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
               cwd      => "${server_directory}/${name}/easy-rsa",
               provider => 'shell',
               schedule => "renew crl.pem schedule on ${name}",
             }
+          } else {
+            fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x .")
           }
-          '3.0': {
+        } else {
+          if versioncmp($openvpn::easyrsa_version, '4') == -1 {
             exec { "renew crl.pem on ${name}":
               command  => "./easyrsa gen-crl && cp ./keys/crl.pem ${server_directory}/${name}/crl.pem",
               cwd      => "${server_directory}/${name}/easy-rsa",
@@ -419,9 +426,8 @@
               refreshonly => true,
               provider    => 'shell',
             }
-          }
-          default: {
-            fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+          } else {
+            fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect between 2.0.0 and 3.x.x .")
           }
         }
       }

spec/acceptance/openvpn_spec.rb

@@ -8,16 +8,17 @@
     server_directory = '/etc/openvpn/server'
     client_directory = '/etc/openvpn/client'
     client_service = 'openvpn-client'
+    easy_rsa_version = '3.0.8'
   else
     server_directory = '/etc/openvpn'
     client_directory = '/etc/openvpn'
     client_service = 'openvpn'
+    easy_rsa_version = '3.0'
   end
   server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued/server.crt"
   key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/private"
   crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued"
   index_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys"
-  easy_rsa_version = '3.0'
   renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf"
 when 'Debian'
   server_directory = '/etc/openvpn'
@@ -192,8 +193,8 @@
   end
 end
 
-if easy_rsa_version == '3.0'
-  describe 'server defined type w/ easy-rsa 3.0' do
+if ['3.0', '3.0.8'].include?(easy_rsa_version)
+  describe "server defined type w/ #{fact('easyrsa')}" do
     dev = 'tun1'
     server_name = 'test_openvpn_server_ec_dn_mode'
     port = 1195

templates/vars-30.epp

@@ -26,7 +26,7 @@ export GREP="grep"
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
-export EASYRSA_SSL_CONF="$EASY_RSA/openssl-1.0.cnf"
+export EASYRSA_SSL_CONF="$EASY_RSA/<%= $easyrsa_config %>"
 
 # Edit this variable to point to
 # your soon-to-be-created key