From b43f1e7706f6c2807aaa8fbe71e52a91d3b16788 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Thu, 9 Nov 2023 10:40:48 +0100
Subject: [PATCH] RequestCertificateHandler(): renew agent cert on master if satellite wants it ignoring that cert seems up-to-date. This is to process renewals needed to keep the CA up-to-date despite the leaf is already up-to-date.
---
 lib/remote/jsonrpcconnection-pki.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 92c18b709..c079fca90 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -105,6 +105,10 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 uptodate = IsCertUptodate(root);
 }
 }
+ } else {
+ // A satellite wants us to renew an agent certificate + CA despite it seems up-to-date.
+ // So just do it. There may be good reasons for it we don't know, e.g. see the if-then branch above.
+ uptodate = false;
 }
 }
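Review bot: The new `else` branch sets `uptodate = false` unconditionally, so every request that reaches it makes the master sign a fresh certificate for the presented CN, however much validity the current leaf has left. The condition of the matching `if` and the rest of RequestCertificateHandler() are outside the hunk, so which peers can reach this branch cannot be confirmed from here. If it is any authenticated endpoint forwarding a request for a CN other than its own, a faulty or compromised satellite could drive repeated CA signing and certificate churn for other nodes' identities, with nothing in the hunk that records or bounds it. I would keep the override but make it auditable: log the requesting endpoint and the CN whenever it fires, and state the trust assumption in the comment, e.g. `// Forced renewal: the forwarding endpoint is trusted to request on behalf of this CN; the leaf may be fresh while its CA is not.` A test covering a forwarded request for an up-to-date certificate would pin the new behaviour.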