The use of locks around certState is pretty confusing. The certState method returns the state value either locked or not, which means the call site has no idea about what it got. Then, there's a locked boolean field which is used to decide whether to lock it again or release the existing lock. That's both error-prone and wrong from a concurrent memory access perspective.
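One way to remove the ambiguity described above, as an added sketch that is not part of the original issue and not autocert's code: the accessor reports lock ownership in its return value, so no shared `locked` flag is ever read. The `manager`, `stateFor`, `cert` and `owners` names and the `cert-for-` value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// certState and manager are hypothetical names for this sketch, not autocert's code.
type certState struct {
	sync.RWMutex
	cert string // guarded by the embedded RWMutex
}
type manager struct {
	mu     sync.Mutex // guards states and owners
	states map[string]*certState
	owners int // callers that were handed a write-locked state
}

// stateFor reports lock ownership in its result instead of a shared flag:
// created == true means the caller holds the write lock and must Unlock it.
func (m *manager) stateFor(domain string) (*certState, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if st, ok := m.states[domain]; ok {
		return st, false // existing entry, returned unlocked
	}
	st := &certState{}
	st.Lock() // taken before the entry is published, so readers wait for the fill
	m.states[domain] = st
	m.owners++
	return st, true
}

func (m *manager) cert(domain string) string {
	st, created := m.stateFor(domain)
	if !created {
		st.RLock() // blocks until the creator has filled the entry
		defer st.RUnlock()
		return st.cert
	}
	defer st.Unlock()
	st.cert = "cert-for-" + domain // constructed stand-in for the slow issuance
	return st.cert
}

func main() {
	m := &manager{states: map[string]*certState{}}
	fmt.Println(m.cert("example.org"), m.cert("example.org"), m.owners)
}
```

Because the write lock is taken while the map mutex is still held, a concurrent caller can never observe the new entry unlocked and empty.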
Comment From: gopherbot
CL https://golang.org/cl/41731 mentions this issue.