puppet-openvpn

Incorrect resource ordering when crl_auto_renew is true

Open efoft opened this issue 5 years ago • 0 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.18.0
  • Ruby: ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]
  • Distribution: CentOS 7.5
  • Module version: 8.2.0 & 8.3.0

How to reproduce (e.g Puppet code you use)

I am trying to apply the module on a fresh OS install. No openvpn or easy-rsa package existed on the host before.

class { 'openvpn':
  ...
  crl_auto_renew => true,
}

What are you seeing

As you can see from the log output below, for some reason Exec[renew crl.pem on server] runs before File[/etc/openvpn/server/easy-rsa/vars] is created. So this exec ends up with an error:

/bin/sh: ./vars: No such file or directory

What behaviour did you expect instead

Correct order: File[/etc/openvpn/server/easy-rsa/vars] -> Exec[renew crl.pem on server]

Output log

Info: Caching catalog for control.spar-nn.internal
Info: Applying configuration version 'fm2-production-ddaa74e12aa'
Notice: /Stage[main]/Openvpn::Install/Package[openvpn]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn::Install/Package[easy-rsa]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server]/group: group changed 'openvpn' to 'nobody' (corrective)
Info: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server]: Scheduling refresh of Service[openvpn@server]
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server/scripts]/ensure: created
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server/auth]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server/client-configs]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server/download-configs]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server.conf]/ensure: defined content as '{md5}ced7ef0db150093a13d9580df777f141' (corrective)
Info: /Stage[main]/Openvpn/Openvpn::Server[server]/File[/etc/openvpn/server.conf]: Scheduling refresh of Service[openvpn@server]
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/easyrsa]/ensure: defined content as '{md5}bfa4bdd544002f712d2e60815ff53277' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/openssl-easyrsa.cnf]/ensure: defined content as '{md5}6b8725cc3d8de8101ec82ebcef8201fb' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/COMMON]/ensure: defined content as '{md5}67d826b0d01b46c4bb442b749039b9dc' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/ca]/ensure: defined content as '{md5}bdf6c4b1e71f502a768eda6e65e1ffbd' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/client]/ensure: defined content as '{md5}84e917d7be5ee502148039694d5e579e' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/code-signing]/ensure: defined content as '{md5}621ccf76427f001f4528af513222ad79' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/email]/ensure: defined content as '{md5}c544c74ab3c1e5eaa69d8a8ec1e30ef7' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/kdc]/ensure: defined content as '{md5}a419f7bf9f3f173251cc389749654af7' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/server]/ensure: defined content as '{md5}d0d7a06379af67505bf5dae59d3e7afb' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/x509-types/serverClient]/ensure: defined content as '{md5}3b92ac8660e21b3d4bb0b765899c2a3d' (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Exec[renew crl.pem on server]/returns: /bin/sh: ./vars: No such file or directory
Error: '. ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out /etc/openvpn/server/crl.pem -config /etc/openvpn/server/easy-rsa/openssl.cnf' returned 1 instead of one of [0]
Error: /Stage[main]/Openvpn/Openvpn::Server[server]/Exec[renew crl.pem on server]/returns: change from 'notrun' to ['0'] failed: '. ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out /etc/openvpn/server/crl.pem -config /etc/openvpn/server/easy-rsa/openssl.cnf' returned 1 instead of one of [0] (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/revoked]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/vars]/ensure: defined content as '{md5}645752a4f1d2ae7adcb49f6c0407022a' (corrective)

Any additional information you'd like to impart

efoft, Nov 12 '20 09:11
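An added example, not part of the original issue or the module's code: a Python check that reads Puppet agent output in the format of the log above and reports when a resource was applied before one it depends on, which is the symptom described in the report. The sample log is constructed from lines of the report (one message shortened), and the function names and the constraint list are assumptions made for the example.

```python
import re

# A resource reference such as File[/etc/x] or Exec[renew crl.pem on server].
REF = re.compile(r"([A-Z][\w:]*)\[([^\]]*)\]")

# Constructed sample: a subset of the lines in the report, in the reported order.
SAMPLE_LOG = """\
Notice: /Stage[main]/Openvpn::Install/Package[easy-rsa]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa]/ensure: created (corrective)
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Exec[renew crl.pem on server]/returns: /bin/sh: ./vars: No such file or directory
Error: /Stage[main]/Openvpn/Openvpn::Server[server]/Exec[renew crl.pem on server]/returns: change from 'notrun' to ['0'] failed
Notice: /Stage[main]/Openvpn/Openvpn::Server[server]/Openvpn::Ca[server]/File[/etc/openvpn/server/easy-rsa/vars]/ensure: defined content as '{md5}645752a4f1d2ae7adcb49f6c0407022a' (corrective)
"""

# (must be applied first, must be applied after): the order the report expects.
CONSTRAINTS = [
    ("File[/etc/openvpn/server/easy-rsa/vars]", "Exec[renew crl.pem on server]"),
]

def events(log_text):
    """Yield (level, resource) for every line that carries a resource path."""
    for line in log_text.splitlines():
        # "Level: /Stage[main]/.../Type[title]/property: message"
        parts = line.strip().split(": ", 2)
        if len(parts) < 3 or not parts[1].startswith("/Stage["):
            continue  # catalog info lines and bare command errors have no path
        type_, title = REF.findall(parts[1])[-1]  # innermost resource in the path
        yield parts[0], f"{type_}[{title}]"

def order_violations(log_text, constraints):
    """Return the constraints whose 'after' resource was logged first."""
    first_seen = {}
    for index, (_, resource) in enumerate(events(log_text)):
        first_seen.setdefault(resource, index)
    # A resource that is already in sync logs nothing, so only judge pairs
    # where both sides appear in this run.
    return [(before, after) for before, after in constraints
            if before in first_seen and after in first_seen
            and first_seen[after] < first_seen[before]]

def failed_resources(log_text):
    """Return resources that logged an Error, in order of first failure."""
    failed = []
    for level, resource in events(log_text):
        if level == "Error" and resource not in failed:
            failed.append(resource)
    return failed

if __name__ == "__main__":
    print(order_violations(SAMPLE_LOG, CONSTRAINTS))
    print(failed_resources(SAMPLE_LOG))
```
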