CONTRIB-8909 changed the way certs are issued to significantly reduced the chances of a race condition that results in a certificate getting issued twice for a user.

Unfortunately it did not eliminate it entirely, because helper::issue_certificate() doesn't use a lock around checking if the cert exists and issuing the new one.

We have a client with high enough traffic that they are hitting this particular lotto periodically, creating duplicate certificate records.