Describe the bug
A VPN-type template that is already attached to a device can have its VPN server field changed without any validation or warning. When the template is pointed at a different VPN server, the existing device continues to hold a certificate that was signed by the original VPN server's CA. The new VPN server uses a different CA and will reject the device's certificate during the TLS handshake, silently dropping the device off the VPN with no error shown in the admin UI.
Steps To Reproduce
- Create a CA and a VPN server (Server A) using that CA.
- Create a VPN-client template pointing to Server A.
- Create a device and attach the template to it, a VpnClient record and certificate signed by Server A's CA are created.
- Create a second VPN server (Server B) using a different CA.
- Open the template and change the VPN field from Server A to Server B.
- Save the template.
- Observe that the device's rendered configuration now references Server B, but the enrolled certificate is still signed by Server A's CA, which Server B does not trust.
Expected behavior
Changing the vpn field on a template that is already assigned to one or more devices should either be blocked with a user-readable validation error, or the admin should display a prominent warning that all enrolled devices will have a CA/certificate mismatch and must be re-provisioned.
Screenshots
N/A
System Informatioon:
- OS: Fedora 42
- Python Version: Python 3.13
- Django Version: Django 5.2.14
- Browser and Browser Version (if applicable): Firefox
Describe the bug
A VPN-type template that is already attached to a device can have its VPN server field changed without any validation or warning. When the template is pointed at a different VPN server, the existing device continues to hold a certificate that was signed by the original VPN server's CA. The new VPN server uses a different CA and will reject the device's certificate during the TLS handshake, silently dropping the device off the VPN with no error shown in the admin UI.
Steps To Reproduce
Expected behavior
Changing the
vpnfield on a template that is already assigned to one or more devices should either be blocked with a user-readable validation error, or the admin should display a prominent warning that all enrolled devices will have a CA/certificate mismatch and must be re-provisioned.Screenshots
N/A
System Informatioon: