Fix for #2890 (the cached certificates that would not die)

This patch implements the two-part suggestion from the ticket;

1) a client that receives a certificate that doesn't match its current
private key does not accept, store or use the certificate--instead it
removes any locally cached copies and acts as if the certificate had
never been found.

2) a puppetmaster that receives a csr from a client for whom it already
has a signed certificate now honors the request and considers it to
supercede any previously signed certificates.

In order to make the cache expiration work as expected, I changed a few
assumptions in the caching system:

* The expiration of a cached certificate is the earlier of the envelope
  expiration and the certificate's expiration, as opposed to just overriding
  the cache value
* Telling the cache to expire an item now removes it from the cache if
  possible, rather than just setting an expiration date in the past and
  hoping that somebody notices.

Signed-off-by: Markus Roberts <Markus@reality.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb
index f9297f380..b6cba99a7 100644
--- a/lib/puppet/ssl/certificate.rb
+++ b/lib/puppet/ssl/certificate.rb
@@ -28,7 +28,8 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     end
 
     def expiration
-        return nil unless content
-        return content.not_after
+        # Our expiration is either that of the cache or the content, whichever comes first
+        cache_expiration = @expiration
+        [(content and content.not_after), cache_expiration].compact.sort.first
     end
 end