Comment 1 for bug 1871663

Ade Lee (alee-3) wrote :

Yes - this does, in fact, happen. puppet-certmonger will do a getcert resubmit if the request already exists. This will generate a new cert with the same key.

We could work around this -- maybe by adding code to puppet-certmonger to not do the resubmit unless explicitly requested -- but maybe what this points to is a bug in the code that restarts/reloads haproxy. After all, haproxy should be restarted if the cert is updated -- for example, if the cert was renewed by certmonger.

The advantage of replacing the cert each time is that the cert doesn't get too old.