From 2d07334c9b4e8bf06af5c4fc046984f26b4167ac Mon Sep 17 00:00:00 2001
From: luke
Date: Mon, 18 Jun 2007 19:51:17 +0000
Subject: Modifying the CA server so that it will not send back a cert whose public key does not match the csr. We have been getting a lot of instances of this, so this should cut down that problem.

git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2612 980ebf18-57e1-0310-9a29-db15c13687c0
---
 lib/puppet/network/handler/ca.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'lib/puppet/network/handler')

diff --git a/lib/puppet/network/handler/ca.rb b/lib/puppet/network/handler/ca.rb
index 875cfc926..422b21ae1 100644
--- a/lib/puppet/network/handler/ca.rb
+++ b/lib/puppet/network/handler/ca.rb
@@ -104,7 +104,9 @@ class Puppet::Network::Handler
 cert, cacert = ca.getclientcert(hostname)
 if cert and cacert
 Puppet.info "Retrieving existing certificate for %s" % hostname
-#Puppet.info "Cert: %s; Cacert: %s" % [cert.class, cacert.class]
+unless csr.public_key.to_s == cert.public_key.to_s
+raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean %s'." % hostname
+end
 return [cert.to_pem, cacert.to_pem]
 elsif @ca
 if self.autosign?(hostname) or client.nil?
--
cgit
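Review bot: The mismatch is raised only after `Puppet.info "Retrieving existing certificate for %s" % hostname` has already been logged, so the server log records a successful retrieval for a request that was then rejected; either move the `unless` above the info call or log the mismatch itself before raising, e.g. `Puppet.warning "Certificate request for %s does not match existing certificate" % hostname`, so that repeated mismatches (a reinstalled host, or a request arriving with a different key) are visible to the operator rather than only to the client. Comparing `public_key.to_s` relies on OpenSSL's PEM rendering being stable; `csr.public_key.to_der == cert.public_key.to_der` is the canonical byte form and is the safer comparison if `to_s` output ever differs between the two objects. This assumes `csr` is an OpenSSL::X509::Request whose signature is verified elsewhere, which the hunk does not show. The enclosing method starts and ends outside the hunk.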