2 files changed, 20 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 9be7dccba8..8273e92826 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,10 @@ Changes in version 0.2.1.7-alpha - 2008-11-07
       introduction points.
     - Fix uninitialized size field for memory area allocation: may improve
       memory performance during directory parsing.
+    - Treat duplicate certificate fetches as failures, so that we do
+      not try to re-fetch an expired certificate over and over and over.
+    - Do not say we're fetching a certificate when we'll in fact skip it
+      because of a pending download.
 
 
 Changes in version 0.2.1.6-alpha - 2008-09-30
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 4ea307d91a..8e1af408ad 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -181,6 +181,17 @@ trusted_dirs_load_certs_from_string(const char *contents, int from_store,
                "already have.",
                from_store ? "cached" : "downloaded",
                ds ? ds->nickname : "??");
+
+      /* a duplicate on a download should be treated as a failure, since it
+       * probably means we wanted a different secret key or we are trying to
+       * replace an expired cert that has not in fact been updated. */
+      if (!from_store) {
+        log_warn(LD_DIR, "Got a certificate for %s that we already have. "
+                 "Maybe they haven't updated it.  Waiting for a while.",
+                 ds ? ds->nickname : "??");
+        authority_cert_dl_failed(cert->cache_info.identity_digest, 404);
+      }
+
       authority_cert_free(cert);
       continue;
     }
@@ -423,7 +434,8 @@ authority_certs_fetch_missing(networkstatus_t *status, time_t now)
           continue;
         }
         if (download_status_is_ready(&cl->dl_status, now,
-                                     MAX_CERT_DL_FAILURES)) {
+                                     MAX_CERT_DL_FAILURES) &&
+            !digestmap_get(pending, voter->identity_digest)) {
           log_notice(LD_DIR, "We're missing a certificate from authority "
                      "with signing key %s: launching request.",
                      hex_str(voter->signing_key_digest, DIGEST_LEN));
@@ -449,8 +461,9 @@ authority_certs_fetch_missing(networkstatus_t *status, time_t now)
             break;
           }
         });
-      if (!found && download_status_is_ready(&cl->dl_status, now,
-                                             MAX_CERT_DL_FAILURES)) {
+      if (!found &&
+          download_status_is_ready(&cl->dl_status, now,MAX_CERT_DL_FAILURES) &&
+          !digestmap_get(pending, ds->v3_identity_digest)) {
         log_notice(LD_DIR, "No current certificate known for authority %s; "
                    "launching request.", ds->nickname);
         smartlist_add(missing_digests, ds->v3_identity_digest);