Promote OpenVPN CRL fix to global modules #244
Description
Summary
Promote the OpenVPN CRL regeneration fix from environment-specific modules to global modules/profile/ after sandbox validation.
Background
The encrypted CA support and CRL auto-regeneration fix has been:
- ✅ Implemented in
environments/development/ - ✅ Tested in development
- ✅ Promoted to
environments/sandbox/ - ⏳ Awaiting sandbox validation (1 week)
Changes to Promote
From environments/sandbox/modules/profile/ to modules/profile/:
manifests/openvpn_server/config.pp- CRL fix with encrypted CA, cron job, MAILTOtemplates/openvpn_server/regenerate-crl.sh.erb- CRL regeneration scripttemplates/openvpn_server/README.erb- Operational documentationtemplates/openvpn_server/vars.erb- Remove EASYRSA_NO_PASS
Validation Checklist
Before promoting, verify in sandbox:
- CRL regeneration script works:
/etc/openvpn/regenerate-crl.sh - Syslog logging works:
journalctl -t openvpn-crl - VPN connections still work after CRL regeneration
- README deployed to
/etc/openvpn/README
Target Date
Promote after ~1 week of sandbox validation (around 2026-01-27).
Related
- PR GTID: Extra transaction on slave before replication setup #240: Fix OpenVPN CRL regeneration with encrypted CA
- Issue Add CRL file age monitoring for OpenVPN server #241: Add CRL file age monitoring (future enhancement)