Drop easyrsa2 support

Author: Valantin

lib/facter/easyrsa.rb

@@ -3,42 +3,31 @@
 Facter.add(:easyrsa) do
   confine kernel: 'Linux'
   setcode do
-    binaryv2 = ''
     binaryv3 = ''
     operatingsystem = Facter.value(:operatingsystem)
     operatingsystemrelease = Facter.value(:operatingsystemrelease)
 
     case operatingsystem
-    when %r{RedHat|CentOS|Amazon}
-      binaryv2 = '/usr/share/easy-rsa/2.0/pkitool'
+    when %r{RedHat|CentOS|Amazon|Rocky|AlmaLinux|OracleLinux}
       binaryv3 = '/usr/share/easy-rsa/3/easyrsa'
     when %r{Ubuntu|Debian}
       case operatingsystemrelease
       when %r{|11|12|18.04|20.04|22.04|24.04}
-        binaryv2 = '/usr/share/easy-rsa/pkitool'
         binaryv3 = '/usr/share/easy-rsa/easyrsa'
       else
-        binaryv2 = '/usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool'
         binaryv3 = '/usr/share/doc/openvpn/examples/easy-rsa/3.0/easyrsa'
       end
     when %r{FreeBSD}
-      binaryv2 = '/usr/local/share/easy-rsa/pkitool'
       binaryv3 = '/usr/local/share/easy-rsa/easyrsa'
     when %r{Solaris}
       binaryv3 = '/opt/local/bin/easyrsa'
     end
 
     if File.exist? binaryv3
-      data = Facter::Core::Execution.execute("#{binaryv3} --help")
+      data = Facter::Core::Execution.execute("#{binaryv3} help")
       version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
-    elsif File.exist? binaryv2
-      data = Facter::Core::Execution.execute("#{binaryv2} --help")
-      version = '2.0' if data.gsub!(%r{pkitool 2.0}, '')
-    elsif Facter::Util::Resolution.which('pkitool')
-      data = Facter::Core::Execution.execute('pkitool --help')
-      version = '2.0' if data.gsub!(%r{pkitool 2.0}, '')
     elsif Facter::Util::Resolution.which('easyrsa')
-      data = Facter::Core::Execution.execute('easyrsa --help')
+      data = Facter::Core::Execution.execute('easyrsa help')
       version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
     end
     version = nil if version.nil?

manifests/ca.pp

@@ -87,59 +87,6 @@
   }
 
   case $openvpn::easyrsa_version {
-    '2.0': {
-      if $ssl_key_algo != 'rsa' {
-        fail('easy-rsa 2.0 supports only rsa keys.')
-      }
-
-      file { "${server_directory}/${name}/easy-rsa/vars":
-        ensure  => file,
-        mode    => '0550',
-        content => template('openvpn/vars.erb'),
-        require => File["${server_directory}/${name}/easy-rsa"],
-      }
-
-      if $openvpn::link_openssl_cnf {
-        File["${server_directory}/${name}/easy-rsa/openssl.cnf"] {
-          ensure => link,
-          target => "${server_directory}/${name}/easy-rsa/openssl-1.0.0.cnf",
-          before => Exec["initca ${name}"],
-        }
-      }
-
-      exec { "generate dh param ${name}":
-        command  => '. ./vars && ./clean-all && ./build-dh',
-        timeout  => 20000,
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/easy-rsa/keys/dh${ssl_key_size}.pem",
-        provider => 'shell',
-        require  => File["${server_directory}/${name}/easy-rsa/vars"],
-      }
-
-      exec { "initca ${name}":
-        command  => '. ./vars && ./pkitool --initca',
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/easy-rsa/keys/ca.key",
-        provider => 'shell',
-        require  => Exec["generate dh param ${name}"],
-      }
-
-      exec { "generate server cert ${name}":
-        command  => ". ./vars && ./pkitool --server ${common_name}",
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/easy-rsa/keys/${common_name}.key",
-        provider => 'shell',
-        require  => Exec["initca ${name}"],
-      }
-
-      exec { "create crl.pem on ${name}":
-        command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/crl.pem",
-        provider => 'shell',
-        require  => Exec["generate server cert ${name}"],
-      }
-    }
     '3.0': {
       file { "${server_directory}/${name}/easy-rsa/vars":
         ensure  => file,
@@ -171,7 +118,7 @@
       if $openvpn::link_openssl_cnf {
         File["${server_directory}/${name}/easy-rsa/openssl.cnf"] {
           ensure => link,
-          target => "${server_directory}/${name}/easy-rsa/openssl-1.0.cnf",
+          target => "${server_directory}/${name}/easy-rsa/openssl-easyrsa.cnf",
           before => Exec["initca ${name}"],
         }
       }
@@ -228,7 +175,7 @@
       }
     }
     default: {
-      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0.")
     }
   }
 

manifests/client.pp

@@ -99,14 +99,11 @@
   if $expire {
     if is_integer($expire) {
       case $openvpn::easyrsa_version {
-        '2.0': {
-          $env_expire = "KEY_EXPIRE=${expire}"
-        }
         '3.0': {
           $env_expire = "EASYRSA_CERT_EXPIRE=${expire} EASYRSA_NO_VARS=1"
         }
         default: {
-          fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+          fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0.")
         }
       }
     } else {
@@ -117,26 +114,6 @@
   }
 
   case $openvpn::easyrsa_version {
-    '2.0': {
-      exec { "generate certificate for ${name} in context of ${ca_name}":
-        command  => ". ./vars && ${env_expire} ./pkitool ${name}",
-        cwd      => "${server_directory}/${ca_name}/easy-rsa",
-        creates  => "${server_directory}/${ca_name}/easy-rsa/keys/${name}.crt",
-        provider => 'shell';
-      }
-
-      file { "${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.crt":
-        ensure  => link,
-        target  => "${server_directory}/${ca_name}/easy-rsa/keys/${name}.crt",
-        require => Exec["generate certificate for ${name} in context of ${ca_name}"],
-      }
-
-      file { "${server_directory}/${server}/download-configs/${name}/keys/${name}/${name}.key":
-        ensure  => link,
-        target  => "${server_directory}/${ca_name}/easy-rsa/keys/${name}.key",
-        require => Exec["generate certificate for ${name} in context of ${ca_name}"],
-      }
-    }
     '3.0': {
       exec { "generate certificate for ${name} in context of ${ca_name}":
         command  => ". ./vars && ${env_expire} ./easyrsa --batch build-client-full ${name} nopass",
@@ -158,7 +135,7 @@
       }
     }
     default: {
-      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+      fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0.")
     }
   }
 

manifests/revoke.pp

@@ -25,14 +25,13 @@
   $server_directory = $openvpn::server_directory
 
   $revocation_command = $openvpn::easyrsa_version ? {
-    '2.0' => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
     '3.0' => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
+    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
   }
 
   $renew_command = $openvpn::easyrsa_version ? {
-    '2.0'   => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
     '3.0'   => './easyrsa gen-crl',
-    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0."),
+    default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 3.0."),
   }
 
   file { "${server_directory}/${server}/easy-rsa/revoked/${name}":

templates/server.erb

@@ -30,19 +30,12 @@ dh <%= @extca_dh_file %>
 crl-verify <%= @extca_ca_crl_file %>
 <%   end -%>
 <% else -%>
-<%- if @_easyrsa_version == '2.0' -%>
-ca <%= @server_directory %>/<%= @ca_name %>/keys/ca.crt
-cert <%= @server_directory %>/<%= @ca_name %>/keys/<%= @ca_common_name %>.crt
-key <%= @server_directory %>/<%= @ca_name %>/keys/<%= @ca_common_name %>.key
-<%- else -%>
+
 ca <%= @server_directory %>/<%= @ca_name %>/keys/ca.crt
 cert <%= @server_directory %>/<%= @ca_name %>/keys/issued/<%= @ca_common_name %>.crt
 key <%= @server_directory %>/<%= @ca_name %>/keys/private/<%= @ca_common_name %>.key
-<%- end -%>
 <%   unless @remote -%>
-<%- if @_easyrsa_version == '2.0' -%>
-dh <%= @server_directory %>/<%= @ca_name %>/keys/dh<%= @ssl_key_size %>.pem
-<%- elsif @ssl_key_algo == 'rsa' -%>
+<%- if @ssl_key_algo == 'rsa' -%>
 dh <%= @server_directory %>/<%= @ca_name %>/keys/dh.pem
 <%- else -%>
 dh none