Confusing log messages when a DA starts using a new key

From IRC:

[04:06:59] karsten: seeing this repeatedly in maatuska logs: [04:07:02] Apr 26 13:06:09.964 [notice] We're missing a certificate from authority with signing key B3F2CB9D75F87AE4D4A8ECEB3CAAECDC4B131010: launching request. [04:07:02] Apr 26 13:06:10.318 [warn] Got a certificate for maatuska, but we already have it. Maybe they haven't updated it. Waiting for a while. [04:08:27] do i need to do anything else than dropping new authority_certificate and authority_signing_key files in the keys directory and restart tor? [04:09:50] That ‘We're missing a certificate’ log message means it fetched the previous consensus as a client, and saw a signature with maatuska's old key, and set out to ask maatuska for its certificate for that old key. [04:10:35] a, roles. makes sense. thanks. [04:10:55] The second one you pasted means that when it got maatuska's (new) certificate, the certificate didn't match the directory-signing key used for that consensus.

[04:29:37] rransom: what makes you think that? to me it seems like it got a certificate it already had (maatuska's). i suppose that might happen if i fetch it from a DA that hasn't updated maatuskas cert yet. [04:30:43] ln5: It did. It was hoping to get maatuska's old certificate, which would contain the key with which maatuska had signed the then-current consensus.

I suspect that a client bootstrapped between the time that a DA upgraded its signing key and the time that it used that key to sign a new consensus would emit these confusing messages as well.