authorluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2007-06-18 19:51:17 +0000
committerluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2007-06-18 19:51:17 +0000
commit2d07334c9b4e8bf06af5c4fc046984f26b4167ac (patch)
tree144466dd3563255d7b2272aff89a20459b3692f4 /lib
parent6e16d9feb1468aae964115833a223cd07c37036e (diff)
downloadpuppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.tar.gz
puppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.tar.xz
puppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.zip
Modifying the CA server so that it will not send back a cert whose public key does not match the csr. We have been getting a lot of instances of this, so this should cut down that problem.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2612 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/network/handler/ca.rb4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/puppet/network/handler/ca.rb b/lib/puppet/network/handler/ca.rb
index 875cfc926..422b21ae1 100644
--- a/lib/puppet/network/handler/ca.rb
+++ b/lib/puppet/network/handler/ca.rb
@@ -104,7 +104,9 @@ class Puppet::Network::Handler
cert, cacert = ca.getclientcert(hostname)
if cert and cacert
Puppet.info "Retrieving existing certificate for %s" % hostname
- #Puppet.info "Cert: %s; Cacert: %s" % [cert.class, cacert.class]
+ unless csr.public_key.to_s == cert.public_key.to_s
+ raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean %s'." % hostname
+ end
return [cert.to_pem, cacert.to_pem]
elsif @ca
if self.autosign?(hostname) or client.nil?
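Review bot: The new guard on the `unless csr.public_key.to_s == cert.public_key.to_s` line only raises toward the client; nothing is written to the CA's own log, yet a CSR carrying a different key for a hostname that already holds a certificate is exactly the event (legitimate re-key or an attempt to obtain a cert under another host's name) an operator would want to see server-side. Adding `Puppet.warning "Certificate request for %s does not match existing certificate public key" % hostname` before the `raise` would keep that signal on the CA regardless of what the client does with the error. The comparison itself is on PEM text, which is fine as long as both sides yield the same key type; comparing `to_der` would be the canonical form if that ever matters. The error text tells the requester to run `puppetca --clean`, which is a CA-side command, so presumably the intended audience is the administrator reading the client's error rather than the client itself. The enclosing method starts before this hunk, so I cannot see where `csr` is parsed or whether its self-signature is verified before this point.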