
Each client can be connected from multiple servers where each server ca... #104

Merged
merged 1 commit into from
Oct 28, 2014

Conversation

mginx (Contributor) commented Oct 13, 2014

Each client can be connected from multiple servers where each server can have its own CA

mginx (Contributor, Author) commented Oct 13, 2014

In cases where each client can be connected from multiple servers and each server has its own CA, keys and CA certs need to be separated.

@mginx mginx closed this Oct 13, 2014
@mginx mginx reopened this Oct 13, 2014
luxflux (Contributor) commented Oct 17, 2014

Thanks for your work! Sorry, but I don't understand the benefit of your changes. What does this change allow you to do?

mginx (Contributor, Author) commented Oct 17, 2014

Hi,
This change allows each server CA generated for the same client to be stored in a separate subdirectory. Without this change the CA from one server would overwrite the CA from another server (assuming each CA is distinct).
The issue here is that download_configs tar file from more than one server installed on the same client will overwrite previously installed ca.crt from another server.
There is no problem if all servers are using the same CA. But if e.g., one cluster of servers is using one CA and another cluster is using another CA then ca.crt will be overwritten.
I.e., if you were to put ca.crt from server1 on client X under X/keys/ca.crt, then server2, which needs to connect to the same client X with a different CA, would put ca.crt under the same X/keys/ca.crt and thus overwrite server1's ca.crt.
Alternatively, one could resolve this issue by assigning distinct ca.crt names, e.g., ca_server1.crt, ca_server2.crt etc.
Thus this was one of the available alternatives. If you see a better way to resolve this issue, by all means go ahead and add your own.

Mark

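The collision Mark describes above, reproduced as an added shell example (this is not puppet-openvpn code and not part of the pull request). It builds two constructed download_configs-style tarballs for client X, one per server, each carrying a placeholder ca.crt string rather than a real certificate, and extracts both into one client directory. With the flat keys/ca.crt layout the second extraction silently replaces server1's CA, so the client would afterwards try to validate server1 against server2's trust anchor; with a per-server subdirectory (keys/server1/ca.crt, keys/server2/ca.crt, the layout this PR adds) both CAs survive. The server names, the client directory name and the tar layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not puppet-openvpn code. Reproduces the client-side
# ca.crt collision discussed in PR #104 and shows the per-server
# subdirectory layout that avoids it. The "certificates" are constructed
# placeholder strings, not real PEM material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_tarball NAME CA_CONTENT LAYOUT -> prints the path of the tarball
#   LAYOUT=flat   stores the CA at keys/ca.crt         (pre-PR layout)
#   LAYOUT=nested stores the CA at keys/NAME/ca.crt    (post-PR layout)
make_tarball() {
  name=$1; ca=$2; layout=$3
  src="$WORK/src-$name-$layout"
  if [ "$layout" = flat ]; then dir="$src/keys"; else dir="$src/keys/$name"; fi
  mkdir -p "$dir"
  printf '%s\n' "$ca" > "$dir/ca.crt"
  ( cd "$src" && tar cf "$WORK/$name-$layout.tar" keys )
  printf '%s\n' "$WORK/$name-$layout.tar"
}

# install_all LAYOUT -> prints the client directory after extracting
# server1's tarball and then server2's tarball into it, as a client that
# is served by both servers would do.
install_all() {
  layout=$1
  client="$WORK/clientX-$layout"
  mkdir -p "$client"
  for t in "$(make_tarball server1 'CONSTRUCTED-CA-OF-SERVER1' "$layout")" \
           "$(make_tarball server2 'CONSTRUCTED-CA-OF-SERVER2' "$layout")"; do
    tar xf "$t" -C "$client"
  done
  printf '%s\n' "$client"
}

# Flat layout: only one keys/ca.crt can exist, and it holds whichever
# server was installed last. server1's CA is gone.
flat_ca_content() {
  client=$(install_all flat)
  cat "$client/keys/ca.crt"
}

# Nested layout: one ca.crt per server directory.
nested_ca_count() {
  client=$(install_all nested)
  find "$client/keys" -name ca.crt | wc -l | tr -d ' '
}

# Nested layout: server1's CA is still intact after server2 was installed.
nested_server1_ca() {
  client=$(install_all nested)
  cat "$client/keys/server1/ca.crt"
}

main() {
  echo "flat layout,   keys/ca.crt now contains:   $(flat_ca_content)"
  echo "nested layout, ca.crt files present:       $(nested_ca_count)"
  echo "nested layout, keys/server1/ca.crt holds:  $(nested_server1_ca)"
}

main
```

Running the script prints the overwritten CA for the flat layout and two intact CAs for the nested layout. The same check (compare the CA the client actually has on disk with the CA the server expects it to trust) is a cheap sanity test to run on any client that receives configuration from more than one OpenVPN server.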

luxflux (Contributor) commented Oct 28, 2014

Okay, got it. You were talking about the client side, I somehow missed this when reading your explanation 😄

luxflux added a commit that referenced this pull request Oct 28, 2014
Each client can be connected from multiple servers where each server ca...
@luxflux luxflux merged commit 4d395dd into voxpupuli:master Oct 28, 2014
luxflux added a commit that referenced this pull request Oct 28, 2014
peterbeck (Contributor) commented

Will this result in recreating all existing certificates on running servers? That means we have to manually create the folder structure on running servers to prevent getting new certificates for all users?

mginx (Contributor, Author) commented Oct 28, 2014

Thanks for the merge.
-Mark


luxflux (Contributor) commented Oct 28, 2014

@peterbeck I don't think this will be a problem. The keys and certificates are just linked out of the easy-rsa directory: https://github.com/luxflux/puppet-openvpn/blob/master/manifests/client.pp#L183-L193

The tarball will be recreated, though.
