
crl_auto_renew not working RedHat versions due to alias #442

Closed
sazzle2611 opened this issue Nov 13, 2022 · 9 comments
Labels
invalid This doesn't seem right

Comments

@sazzle2611

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.20.0
  • Distribution: CentOS Stream 8
  • Module version: v10.2.1

How to reproduce (e.g Puppet code you use)

crl_auto_renew: true

from hiera for openvpn::servers:

What are you seeing

The certificates don't auto renew although they used to, maybe before we switched to CentOS Stream, can't remember the details of exactly when it went wrong. I thought that the fix in the changelog for v10.2.1 would sort it but it didn't for us #437

What behaviour did you expect instead

Certificates are renewed automatically

Any additional information you'd like to impart

I have been digging into it deeper and I believe the issue is because RedHat sets up an automatic alias for the cp command which turns it into interactive mode.

$ alias
alias cp='cp -i'

I had noticed that when we run it manually to fix then it always asks for confirmation.

@kenyon
Member

kenyon commented Nov 13, 2022

Shell aliases don't exist in the shell environment of puppet.

@sazzle2611
Author

Damn thought I was on to something, guess I need to keep looking.

@kenyon do you have any pointers where I can look?

@sazzle2611
Author

even if the provider is 'shell'?

@kenyon
Member

kenyon commented Nov 13, 2022

Yes, even if the provider is shell.

Also "crl" is certificate revocation list, which has nothing to do with certificate renewals. I don't see any certificate renewal functionality in this module.

@sazzle2611
Author

In manifests/server.pp

## Renewal of crl.pem
if ($crl_auto_renew) {
  schedule { "renew crl.pem schedule on ${name}":
    range  => '1 - 4',
    period => $crl_renew_schedule_period,
    repeat => $crl_renew_schedule_repeat,
  }
  case $openvpn::easyrsa_version {
    '2.0': {
      exec { "renew crl.pem on ${name}":
        command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
        cwd      => "${server_directory}/${name}/easy-rsa",
        provider => 'shell',
        schedule => "renew crl.pem schedule on ${name}",
      }
    }
    '3.0': {
      exec { "renew crl.pem on ${name}":
        command  => "./easyrsa gen-crl && cp ./keys/crl.pem ${server_directory}/${name}/crl.pem",
        cwd      => "${server_directory}/${name}/easy-rsa",
        provider => 'shell',
        schedule => "renew crl.pem schedule on ${name}",
      }
      ~> exec { "copy renewed crl.pem to ${name} keys directory":
        command     => "cp ${server_directory}/${name}/easy-rsa/keys/crl.pem ${server_directory}/${name}/crl.pem",
        refreshonly => true,
        provider    => 'shell',
      }
    }
    default: {
      fail("unexpected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
    }
  }
}

@sazzle2611
Author

we use easyrsa version 3, just for extra info

@sazzle2611
Author

I added these values to our config

crl_renew_schedule_period: 'daily'
crl_renew_schedule_repeat: 8

and it did actually renew the certificate, so I have no idea why it was failing and requiring me to do it manually after the certificate expired every month.

We have 3 VPN servers configured by puppet, so I have changed them to different settings and will keep an eye on whether it regenerates them and will see if we get the same issue next month.

@kenyon
Member

kenyon commented Nov 13, 2022

There is no certificate being renewed, it is the CRL that's being renewed.

kenyon closed this as not planned on Nov 13, 2022
kenyon added the invalid label on Nov 13, 2022
@sazzle2611
Author

Okay, sorry, my wording is wrong. Whatever it is, it's not been working (although it used to with this module); the error is a TLS error, which made me think of certificates.

Whatever it is it still brings down the VPN
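The TLS error the last comment mentions is what a stale crl.pem produces: OpenVPN's crl-verify rejects every client once the CRL's nextUpdate has passed, even though no certificate has expired. The script below is an added example, not code from the puppet-openvpn module or from this issue. It builds a throwaway CA with a plain openssl.cnf of its own (not easy-rsa's), issues one client certificate, generates a 30-day CRL, and uses `openssl verify -attime` to show that CRL-checked verification passes today, fails 31 days out with "CRL has expired", and passes again after the CRL is regenerated, which is all the module's scheduled "renew crl.pem" exec does. The CA name, client name, lifetimes and temp paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the puppet-openvpn module or from this issue.
# Demonstrates why an un-renewed CRL breaks certificate verification and why
# regenerating it (what the module's scheduled exec does) fixes it.
set -eu

# make_demo_pki DIR DAYS: CA + one client cert + CRL valid for DAYS days under DIR
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Minimal config for `openssl ca`; this is our own, not easy-rsa's openssl.cnf.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = $2
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Self-signed CA (assumed name demo-ca), then a client CSR signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/openssl.cnf" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$dir/client1.key" -out "$dir/client1.csr" -config "$dir/openssl.cnf" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/client1.csr" -out "$dir/client1.crt" >/dev/null 2>&1
    renew_crl "$dir" "$2"
}

# renew_crl DIR DAYS: regenerate crl.pem with a fresh nextUpdate DAYS days out.
# This is the equivalent of the module's `easyrsa gen-crl` / `openssl ca -gencrl`.
renew_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays "$2" -out "$1/crl.pem" 2>/dev/null
}

# crl_next_update DIR: print the CRL's nextUpdate field (the value to monitor).
crl_next_update() {
    openssl crl -in "$1/crl.pem" -noout -nextupdate
}

# crl_check_at DIR EPOCH: exit 0 if client1.crt verifies against the CA with CRL
# checking as of EPOCH seconds; non-zero (e.g. "CRL has expired") otherwise.
crl_check_at() {
    openssl verify -attime "$2" -crl_check -CAfile "$1/ca.crt" \
        -CRLfile "$1/crl.pem" "$1/client1.crt" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
NOW=$(date +%s)
LATER=$((NOW + 31 * 86400))        # 31 days from now, past a 30-day CRL
make_demo_pki "$DEMO" 30
echo "CRL $(crl_next_update "$DEMO")"
if crl_check_at "$DEMO" "$NOW"; then echo "today: verify OK"; fi
if ! crl_check_at "$DEMO" "$LATER"; then echo "in 31 days: verify FAILS (CRL expired)"; fi
renew_crl "$DEMO" 60               # the scheduled renewal
if crl_check_at "$DEMO" "$LATER"; then echo "in 31 days, after renewal: verify OK"; fi
rm -rf "$DEMO"
```

Because `openssl verify -attime` evaluates the chain at an arbitrary time, the same `crl_check_at` call is a cheap cron or monitoring check: run it with a timestamp a few days ahead of the next scheduled Puppet run and alert if it fails, so a CRL that is about to lapse is caught before clients start seeing TLS errors.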
