From 27d0f011be439ff981aa225fbcc2105ca745ea75 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 15 Dec 2020 13:45:56 +0000
Subject: [PATCH] Delete Order if its certificate data is bad or unexpected

Signed-off-by: Richard Wall
---
 .../certificaterequests/acme/BUILD.bazel        |  1 -
 pkg/controller/certificaterequests/acme/acme.go | 16 ++++++----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/pkg/controller/certificaterequests/acme/BUILD.bazel b/pkg/controller/certificaterequests/acme/BUILD.bazel
index 7102735e3..2ee499c1c 100644
--- a/pkg/controller/certificaterequests/acme/BUILD.bazel
+++ b/pkg/controller/certificaterequests/acme/BUILD.bazel
@@ -18,7 +18,6 @@ go_library(
         "//pkg/issuer:go_default_library",
         "//pkg/logs:go_default_library",
         "//pkg/util:go_default_library",
-        "//pkg/util/errors:go_default_library",
         "//pkg/util/pki:go_default_library",
         "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
         "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
diff --git a/pkg/controller/certificaterequests/acme/acme.go b/pkg/controller/certificaterequests/acme/acme.go
index 8b9ec3c0f..4fa4dfb6e 100644
--- a/pkg/controller/certificaterequests/acme/acme.go
+++ b/pkg/controller/certificaterequests/acme/acme.go
@@ -37,7 +37,6 @@ import (
 	issuerpkg "github.com/jetstack/cert-manager/pkg/issuer"
 	logf "github.com/jetstack/cert-manager/pkg/logs"
 	"github.com/jetstack/cert-manager/pkg/util"
-	"github.com/jetstack/cert-manager/pkg/util/errors"
 	"github.com/jetstack/cert-manager/pkg/util/pki"
 )
@@ -185,23 +184,20 @@ func (a *ACME) Sign(ctx context.Context, cr *v1.CertificateRequest, issuer v1.Ge
 		return nil, nil
 	}
-	// Order valid, return cert. The calling controller will update with ready if its happy with the cert.
 	x509Cert, err := pki.DecodeX509CertificateBytes(order.Status.Certificate)
-	if errors.IsInvalidData(err) {
-		log.Error(err, "failed to decode x509 certificate data on Order resource")
+	if err != nil {
+		log.Error(err, "failed to decode x509 certificate data on Order resource.")
 		return nil, a.acmeClientV.Orders(order.Namespace).Delete(context.TODO(), order.Name, metav1.DeleteOptions{})
 	}
-	ok, err := pki.PublicKeyMatchesCertificate(csr.PublicKey, x509Cert)
-	if err != nil {
-		return nil, err
-	}
-	if !ok {
-		log.Error(err, "failed to decode x509 certificate data on Order resource, recreating...")
+
+	if ok, err := pki.PublicKeyMatchesCertificate(csr.PublicKey, x509Cert); err != nil || !ok {
+		log.Error(err, "The public key in Order.Status.Certificate does not match the public key in CertificateRequest.Spec.Request. Deleting the order.")
 		return nil, a.acmeClientV.Orders(order.Namespace).Delete(context.TODO(), order.Name, metav1.DeleteOptions{})
 	}
 	log.V(logf.InfoLevel).Info("certificate issued")
+	// Order valid, return cert. The calling controller will update with ready if its happy with the cert.
 	return &issuerpkg.IssueResponse{
 		Certificate: order.Status.Certificate,
 	}, nil
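Review bot: The merged condition `err != nil || !ok` on the new PublicKeyMatchesCertificate check logs the same "public key does not match" message for two different situations: a genuine mismatch (where err is nil, so the log line carries no error) and a failure inside the comparison itself (where the message then misattributes an internal error to a key mismatch). Because this is the check that stops an Order whose Status.Certificate was issued for a different key from being handed back to the CertificateRequest, an operator reading the log should be able to tell the two apart; splitting it into `if ok, err := pki.PublicKeyMatchesCertificate(csr.PublicKey, x509Cert); err != nil {` with its own "failed to check whether ..." message, followed by `} else if !ok {` with the mismatch message, keeps the delete-the-Order behaviour for both while making the log truthful. The new decode message also gains a trailing period ("... Order resource.") that the neighbouring "certificate issued" message does not use, so it is worth dropping for consistency. Both Delete calls still use `context.TODO()` even though the hunk header shows Sign receives `ctx context.Context`; since the commit already touches these branches, passing `ctx` would let cancellation of the reconcile reach the API call. Sign's body begins and ends outside this hunk.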