From d7009fbfa86497de5bde8fe03ccb4785172f7ffa Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Fri, 13 Oct 2017 13:32:10 +0100
Subject: [PATCH] Correctly check if certificate is valid when only dnsNames are specified

---
 pkg/controller/certificates/sync.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index 45a4e1045..49a099667 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -119,9 +119,15 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e
 		return c.issue(ctx, i, crt)
 	}
 
+	expectedCN := crt.Spec.CommonName
+	if len(expectedCN) == 0 {
+		if len(crt.Spec.DNSNames) > 0 {
+			expectedCN = crt.Spec.DNSNames[0]
+		}
+	}
 	// if the certificate is valid for a list of domains other than those
 	// listed in the certificate spec, we should re-issue the certificate
-	if !util.EqualUnsorted(crt.Spec.AltNames, cert.DNSNames) {
+	if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(crt.Spec.DNSNames, cert.DNSNames) {
 		return c.issue(ctx, i, crt)
 	}
 
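Review bot: The two comment lines above the rewritten `if` still describe only a DNS-name mismatch, while the new condition also re-issues whenever the subject common name differs from `expectedCN`; suggest `// if the certificate's common name or DNS names differ from those derived from the spec, we should re-issue the certificate`. The nested `if` that derives `expectedCN` collapses to one guard: `if expectedCN == "" && len(crt.Spec.DNSNames) > 0 { expectedCN = crt.Spec.DNSNames[0] }`. One thing to confirm against the issuer code, which is not in this hunk: if issuance copies the common name into the issued certificate's SAN list when `crt.Spec.DNSNames` is empty, `util.EqualUnsorted(crt.Spec.DNSNames, cert.DNSNames)` would never hold for a CN-only spec and the controller would re-issue on every sync, so the comparison should use the same derived name set the issuer requests. The enclosing `Sync` method begins and ends outside this hunk.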