From 7076041de6d8e738a46a6f2929eb8ccd2bf58ad7 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Mon, 16 Dec 2019 13:53:38 +0000
Subject: [PATCH] Don't overwrite existing certificates when issuing a temporary certificate

Signed-off-by: James Munnelly
---
 pkg/controller/certificates/sync.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index 14135777c..8ac360e60 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -336,15 +336,14 @@ func (c *certificateRequestManager) processCertificate(ctx context.Context, crt
 		log.Info("no existing certificate data found in secret, issuing temporary certificate")
 		return c.issueTemporaryCertificate(ctx, existingSecret, crt, existingKey)
 	}
-	// We don't issue a temporary certificate if the existing stored
-	// certificate already 'matches', even if it isn't a temporary certificate.
-	matches, _ := certificateMatchesSpec(crt, privateKey, existingX509Cert, existingSecret)
-	if !matches {
-		log.Info("existing certificate fields do not match certificate spec, issuing temporary certificate")
+
+	matches, err := pki.PublicKeyMatchesCertificate(privateKey.Public(), existingX509Cert)
+	if err != nil || !matches {
+		log.Info("private key for certificate does not match, issuing temporary certificate")
 		return c.issueTemporaryCertificate(ctx, existingSecret, crt, existingKey)
 	}
-	log.Info("not issuing temporary certificate as existing certificate matches requirements")
+	log.Info("not issuing temporary certificate as existing certificate is sufficient")
 
 	// Ensure the secret metadata is up to date
 	updated, err := c.ensureSecretMetadataUpToDate(ctx, existingSecret, crt)
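Review bot: The new `if err != nil || !matches` branch discards the error from `pki.PublicKeyMatchesCertificate` and logs "private key for certificate does not match" even when the check itself failed (for example an unsupported key type), so an operator debugging a loop of temporary issuances cannot tell a genuine key mismatch from a failed comparison. Splitting the error path out and logging the cause keeps the fallback behaviour while making the reason visible; the fence below assumes `log` is a logr-style logger with an `Error(err, msg)` method, as the surrounding `log.Info` calls suggest. The removed comment explained why a temporary certificate was or was not issued, and the new code has no replacement; a line such as `// Only the private key is checked here: a stored certificate that no longer matches the spec is kept rather than overwritten with a temporary one.` would record the intent stated in the commit title. processCertificate continues outside this hunk.
```go
	matches, err := pki.PublicKeyMatchesCertificate(privateKey.Public(), existingX509Cert)
	if err != nil {
		log.Error(err, "unable to check whether private key matches existing certificate, issuing temporary certificate")
		return c.issueTemporaryCertificate(ctx, existingSecret, crt, existingKey)
	}
	if !matches {
		// … unchanged: mismatch log and temporary issuance …
	}
```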