Each client can be connected from mulitiple servers where each server…

… can have its own CA.

manifests/client.pp

@@ -174,27 +174,25 @@
       provider => 'shell';
   }
 
-  file { "/etc/openvpn/${server}/download-configs/${name}":
+  file { [ "/etc/openvpn/${server}/download-configs/${name}",
+          "/etc/openvpn/${server}/download-configs/${name}/keys",
+          "/etc/openvpn/${server}/download-configs/${name}/keys/${name}" ]:
     ensure  => directory,
   }
 
-  file { "/etc/openvpn/${server}/download-configs/${name}/keys":
-    ensure  => directory,
-  }
-
-  file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt":
+  file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt":
     ensure  => link,
     target  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt",
     require => Exec["generate certificate for ${name} in context of ${server}"],
   }
 
-  file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key":
+  file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key":
     ensure  => link,
     target  => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key",
     require => Exec["generate certificate for ${name} in context of ${server}"],
   }
 
-  file { "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt":
+  file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt":
     ensure  => link,
     target  => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
     require => Exec["generate certificate for ${name} in context of ${server}"],
@@ -214,22 +212,22 @@
     refreshonly => true,
     require     => [
       File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"]
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt"],
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key"],
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt"]
     ],
     notify      => Exec["generate ${name}.ovpn in ${server}"],
   }
 
   exec { "generate ${name}.ovpn in ${server}":
     cwd         => "/etc/openvpn/${server}/download-configs/",
-    command     => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/ca.crt|){ chomp(\$ca=`cat ${name}/keys/ca.crt`); print \"<ca>\n\$ca\n</ca>\"} elsif(m|^cert keys/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}.crt`); print \"<cert>\n\$crt\n</cert>\"} elsif(m|^key keys/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}.key`); print \"<key>\n\$key\n</key>\"} else { print} ' > ${name}.ovpn",
+    command     => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name}/ca.crt|){ chomp(\$ca=`cat ${name}/keys/${name}/ca.crt`); print \"<ca>\n\$ca\n</ca>\"} elsif(m|^cert keys/${name}/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}/${name}.crt`); print \"<cert>\n\$crt\n</cert>\"} elsif(m|^key keys/${name}/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}/${name}.key`); print \"<key>\n\$key\n</key>\"} else { print} ' > ${name}.ovpn",
     refreshonly => true,
     require     => [
       File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"],
-      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"],
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt"],
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key"],
+      File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt"],
     ],
   }
 

spec/defines/openvpn_client_spec.rb

@@ -22,12 +22,12 @@
 
   it { should contain_exec('generate certificate for test_client in context of test_server') }
 
-  [ 'test_client', 'test_client/keys'].each do |directory|
+  [ 'test_client', 'test_client/keys/test_client'].each do |directory|
     it { should contain_file("/etc/openvpn/test_server/download-configs/#{directory}") }
   end
 
   [ 'test_client.crt', 'test_client.key', 'ca.crt' ].each do |file|
-    it { should contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/#{file}").with(
+    it { should contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/test_client/#{file}").with(
       'ensure'  => 'link',
       'target'  => "/etc/openvpn/test_server/easy-rsa/keys/#{file}"
     )}
@@ -42,9 +42,9 @@
     let(:params) { { 'server' => 'test_server' } }
 
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^client$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/ca\.crt$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client.crt$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\.key$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/test_client\/ca\.crt$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client\/test_client.crt$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\/test_client\.key$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^dev\s+tun$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^proto\s+tcp$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^remote\s+somehost\s+1194$/)}
@@ -89,9 +89,9 @@
     } }
 
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^client$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/ca\.crt$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client.crt$/)}
-    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\.key$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/test_client\/ca\.crt$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cert\s+keys\/test_client\/test_client.crt$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^key\s+keys\/test_client\/test_client\.key$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^dev\s+tap$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^proto\s+udp$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^remote\s+somewhere\s+123$/)}

templates/client.erb

@@ -1,7 +1,7 @@
 client
-ca keys/ca.crt
-cert keys/<%= @name %>.crt
-key keys/<%= @name %>.key
+ca keys/<%= @name %>/ca.crt
+cert keys/<%= @name %>/<%= @name %>.crt
+key keys/<%= @name %>/<%= @name %>.key
 dev <%= @dev %>
 proto <%= @proto %>
 remote <%= @remote_host %> <%= @port %>