disable cert when feature flag is off, even if already provisioned

1 files changed, 6 insertions, 5 deletions

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 6695077d4a9..b88712da131 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -545,16 +545,17 @@ public class ApplicationController {
     }
 
     private Optional<ApplicationCertificate> getApplicationCertificate(Application application) {
+        boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID,
+                application.id().serializedForm()).value();
+        if (!provisionCertificate) {
+            return Optional.empty();
+        }
+
         // Re-use certificate if already provisioned
         Optional<ApplicationCertificate> applicationCertificate = curator.readApplicationCertificate(application.id());
         if(applicationCertificate.isPresent())
             return applicationCertificate;
 
-        boolean provisionCertificate = provisionApplicationCertificate.with(FetchVector.Dimension.APPLICATION_ID,
-                                                                            application.id().serializedForm()).value();
-        if (!provisionCertificate) {
-            return Optional.empty();
-        }
         ApplicationCertificate newCertificate = applicationCertificateProvider.requestCaSignedCertificate(application.id());
         curator.writeApplicationCertificate(application.id(), newCertificate);