After a discussion with a colleague I think we should leave it as is in the supported/stable releases (I already fixed it in Groovy, it should land in the archive soon). The rationale is: even if the reload command fails the service keeps active and running, the proposed solutions would not fix the problem but would hide it from users. Adding the CAP_KILL capability or the '+' prefix would allow the service to send the SIGHUP signal and make 'systemctl reload openvpn@<server>' return 0, however, it would still face some permission denied errors, making the reload fails silently. In short, with or without the proposed fixes the reload process will not succeed.
After a discussion with a colleague I think we should leave it as is in the supported/stable releases (I already fixed it in Groovy, it should land in the archive soon). The rationale is: even if the reload command fails the service keeps active and running, the proposed solutions would not fix the problem but would hide it from users. Adding the CAP_KILL capability or the '+' prefix would allow the service to send the SIGHUP signal and make 'systemctl reload openvpn@<server>' return 0, however, it would still face some permission denied errors, making the reload fails silently. In short, with or without the proposed fixes the reload process will not succeed.