Add CRL file age monitoring for OpenVPN server #241

@akuzminsky

Description

Summary

Add automated monitoring to verify CRL regeneration is working correctly. Currently, CRL is regenerated monthly via cron, but there's no alerting if regeneration fails silently or stops running.

Problem

  • CRL expires every 180 days (per EASYRSA_CRL_DAYS in vars)
  • Monthly cron job regenerates it, but failures could go unnoticed
  • If CRL expires, OpenVPN will reject all client connections

Proposed Solution

Add a monitoring check to alert if CRL file age exceeds a safe threshold (e.g., 150 days - giving 30 days warning before expiration).

Implementation Options

  1. CloudWatch agent custom metric - check file age, push metric, alert on threshold
  2. Nagios/monitoring check - integrate with existing monitoring
  3. Simple daily cron job - check file age and send alert

Example Check

# Warn if CRL is older than 150 days (30 days before 180-day expiration)
find /etc/openvpn/pki/crl.pem -mtime +150 -exec echo "WARNING: CRL is older than 150 days" \;

Context

This came out of the OpenVPN CRL regeneration fix in PR for encrypted CA support. The CRL regeneration now logs to syslog (openvpn-crl tag) and sends email on failure via MAILTO, but proactive monitoring would provide additional safety.

Notes

  • This is a monitoring concern and could be implemented outside Puppet
  • Could also be added to the profile::openvpn_server profile as an optional feature
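As an added example, not code from the issue or the repository, here is a POSIX shell version of option 3 that uses Nagios-style exit codes so it also fits option 2. The CRL path and the 150/180-day thresholds come from the issue; the function names and the environment variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the age of the OpenVPN CRL file and alert before it
# expires. Path and thresholds default to the values given in the issue.
CRL_PATH="${CRL_PATH:-/etc/openvpn/pki/crl.pem}"   # assumed override var
WARN_DAYS="${WARN_DAYS:-150}"                       # 30 days before expiry
CRL_DAYS="${CRL_DAYS:-180}"                         # EASYRSA_CRL_DAYS

# Modification time as a Unix timestamp, GNU stat first, BSD stat fallback.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print the file's age in whole days; return 2 if it cannot be read.
crl_age_days() {
    now=$(date +%s)
    mtime=$(file_mtime "$1") || return 2
    echo $(( (now - mtime) / 86400 ))
}

# Nagios convention: 0 OK, 1 WARNING (regenerate soon), 2 CRITICAL.
# Arguments: crl-path warn-days crit-days
check_crl_age() {
    crl="$1"; warn="$2"; crit="$3"
    if [ ! -r "$crl" ]; then
        echo "CRITICAL: CRL $crl is missing or unreadable"
        return 2
    fi
    age=$(crl_age_days "$crl") || return 2
    if [ "$age" -ge "$crit" ]; then
        echo "CRITICAL: CRL is $age days old; OpenVPN rejects all clients once it expires"
        return 2
    elif [ "$age" -ge "$warn" ]; then
        echo "WARNING: CRL is $age days old (threshold $warn, expires at $crit)"
        return 1
    fi
    echo "OK: CRL is $age days old"
    return 0
}

# From a daily cron entry, run with RUN_CHECK=1; a non-zero exit status
# together with MAILTO is enough to get the alert out.
if [ -n "$RUN_CHECK" ]; then
    check_crl_age "$CRL_PATH" "$WARN_DAYS" "$CRL_DAYS"
fi
```

File age is only a proxy for validity: if the regeneration job runs but produces a CRL with a short lifetime, mtime stays fresh, so pairing this with `openssl crl -in "$CRL_PATH" -noout -nextupdate` in the same job closes that gap.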

    Labels

    enhancement (New feature or request)