| author | Luke Kanies <luke@madstop.com> | 2009-02-27 17:52:01 -0600 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2009-02-28 11:09:11 +1100 |
| commit | 09bee9137d7a6415609a8abfdf727ee0361139e0 (patch) | |
| tree | b3adb6eec8c8cca1c1a3085193855dacc361bd00 /lib | |
| parent | cf1cb1474f13ae2fc4ec27142fd34d494826c929 (diff) | |
| download | puppet-09bee9137d7a6415609a8abfdf727ee0361139e0.tar.gz, puppet-09bee9137d7a6415609a8abfdf727ee0361139e0.tar.xz, puppet-09bee9137d7a6415609a8abfdf727ee0361139e0.zip | |
Fixing #2028 - Better failures when a cert is found with no key

The problem was that the server had a certificate for the client. Initially the client just didn't have a key, because it assumed that if it had a certificate then it had a key. Upon fixing it to create the key, the key then did not match the found certificate.

This commit fixes both of those: the key is always found before the certificate, and when the certificate is found it's verified against the private key and an exception is thrown if they don't match.

It's always a failure, so this just makes the failure more informative.

Signed-off-by: Luke Kanies <luke@madstop.com>
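The consistency check the commit message describes, as an added stand-alone Ruby example (not Puppet's own code): a certificate is only accepted when its public key pairs with the private key already loaded, which is what `OpenSSL::X509::Certificate#check_private_key` tests. The helper names `self_signed_cert`, `certificate_matches_key?`, `load_host_credentials` and `demo`, and the two throwaway RSA keys, are constructed for this example; `load_host_credentials` imitates the key-first, then-certificate order the commit introduces, and the hostname is a placeholder.

```ruby
require 'openssl'

# Build a self-signed certificate for the given RSA key (constructed test data).
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same predicate the commit adds: does the certificate's public key
# correspond to this private key? Missing either side counts as "no match".
def certificate_matches_key?(cert, key)
  return false unless key
  return false unless cert
  cert.check_private_key(key)
end

# Emulates the client-side load order after the fix: the private key must
# exist first; a certificate is returned only if it pairs with that key.
def load_host_credentials(cert, key)
  raise 'no private key available' unless key
  return nil unless cert
  unless certificate_matches_key?(cert, key)
    raise 'Retrieved certificate does not match private key; ' \
          'remove the certificate from the server and regenerate it with the current key'
  end
  cert
end

# Reproduces the #2028 scenario: the CA still holds a certificate issued for an
# older key ("stale"), while the client now has a freshly generated key ("current").
def demo
  current_key = OpenSSL::PKey::RSA.new(2048)
  stale_key = OpenSSL::PKey::RSA.new(2048)
  cert_for_current = self_signed_cert(current_key, 'agent.example.invalid')
  cert_for_stale = self_signed_cert(stale_key, 'agent.example.invalid')
  {
    match: certificate_matches_key?(cert_for_current, current_key),
    mismatch: certificate_matches_key?(cert_for_stale, current_key)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The mismatch case is the one that used to fail silently: without the check, the client would cache and present a certificate whose public key it could not prove ownership of, and the error would only surface later during the TLS handshake.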
Diffstat (limited to 'lib')

| -rw-r--r-- | lib/puppet/ssl/host.rb | 15 |
|---|---|---|

1 files changed, 14 insertions, 1 deletions
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index a65490c40..acd27edb6 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -167,14 +167,27 @@ class Puppet::SSL::Host def certificate unless @certificate + generate_key unless key + # get the CA cert first, since it's required for the normal cert # to be of any use. return nil unless Certificate.find("ca") unless ca? - @certificate = Certificate.find(name) + return nil unless @certificate = Certificate.find(name) + + unless certificate_matches_key? + raise Puppet::Error, "Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key" + end end @certificate end + def certificate_matches_key? + return false unless key + return false unless certificate + + return certificate.content.check_private_key(key.content) + end + # Generate all necessary parts of our ssl host. def generate generate_key unless key |
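Review bot: the mismatching certificate stays cached after the new raise, so the failure only fires once. In `certificate`, `@certificate` is assigned by `return nil unless @certificate = Certificate.find(name)` before `certificate_matches_key?` runs, and the `raise Puppet::Error` path never clears it; a later call to `certificate` returns the bad certificate from the cache with no error, and `certificate_matches_key?` itself reads `certificate` rather than the freshly found object, so it is also satisfied by that cache. Suggest resetting before raising, e.g. `@certificate = nil` immediately ahead of `raise Puppet::Error, ...`, and having `certificate_matches_key?` take the certificate as an argument (or read `@certificate`) so it cannot re-enter the lookup. Minor: the assignment inside `return nil unless @certificate = ...` reads like a comparison; splitting it into `@certificate = Certificate.find(name)` followed by `return nil unless @certificate` makes the intent obvious.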