author | Nick Lewis <nick@puppetlabs.com> | 2011-04-08 16:20:43 -0700 |
---|---|---|
committer | Nick Lewis <nick@puppetlabs.com> | 2011-04-12 10:45:41 -0700 |
commit | cb01221a0f7221dba60bc23c5a0be2a70466bcdc (patch) | |
tree | b21fcf9ce30afb20843c0e410297ee23a91dd8aa /lib/puppet | |
parent | 87f4e0a1ce60ddb443a5eda459793c5acb7fce1e (diff) | |
(#3360) Add an allow_duplicate_certs option
If this option is true, a certificate request with the same CN as an existing
certificate will override the existing certificate when signed. With the option
false, the new certificate request will be rejected. This option will default
to false.
Paired-With: Max Martin
Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/defaults.rb | 2 | ||||
-rw-r--r-- | lib/puppet/indirector/certificate_request/ca.rb | 8 |
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 989ef3f35..76c40824c 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -353,6 +353,8 @@ module Puppet
 autosigns any key request, and is a very bad idea), false (which never autosigns any key request), and the path to a file, which uses that configuration file to determine which keys to sign."},
+ :allow_duplicate_certs => [false, "Whether to allow a new certificate
+ request to overwrite an existing certificate."],
 :ca_days => ["", "How long a certificate should be valid. This parameter is deprecated, use ca_ttl instead"],
 :ca_ttl => ["5y", "The default TTL for new certificates; valid values
diff --git a/lib/puppet/indirector/certificate_request/ca.rb b/lib/puppet/indirector/certificate_request/ca.rb
index f4c924fe1..5d76ee52a 100644
--- a/lib/puppet/indirector/certificate_request/ca.rb
+++ b/lib/puppet/indirector/certificate_request/ca.rb
@@ -7,6 +7,14 @@ class Puppet::SSL::CertificateRequest::Ca < Puppet::Indirector::SslFile
 store_in :csrdir
 def save(request)
+ if host = Puppet::SSL::Host.indirection.find(request.key)
+ if Puppet[:allow_duplicate_certs]
+ Puppet.notice "#{request.key} already has a #{host.state} certificate; new certificate will overwrite it"
+ else
+ raise "#{request.key} already has a #{host.state} certificate; ignoring certificate request"
+ end
+ end
+
 result = super
 Puppet.notice "#{request.key} has a waiting certificate request"
 result |
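Review bot: The new `allow_duplicate_certs` entry in defaults.rb describes only the mechanics ("overwrite an existing certificate") and carries none of the warning its neighbouring `autosign` entry gives ("is a very bad idea"), even though the ca.rb hunk shows that with the option true a request bearing an existing node's CN is accepted and merely logged, so whoever can submit a CSR under that CN can, once it is signed, replace that node's certificate — presumably an impersonation path, and presumably why the default is false. I would extend the description to `"Whether to allow a new certificate request to overwrite an existing certificate. Enabling this lets any client able to submit a CSR replace another node's certificate once that CSR is signed; leave it false unless you understand the consequences."`. In the ca.rb hunk the rejection is a bare `raise` with a string, so the client sees a generic `RuntimeError` indistinguishable from an internal CA failure; `raise Puppet::Error, "#{request.key} already has a #{host.state} certificate; ignoring certificate request"` (assuming that class is loaded here, as elsewhere in Puppet) would make the refusal explicit to the caller. Note also that the `find` check and the `super` write are not atomic, so two near-simultaneous requests for the same CN could both pass the guard; a one-line comment on the `if host =` line saying the check is best-effort would save the next reader from assuming otherwise. `save`'s closing `end` lies outside the hunk.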