puppet 5.5.22 → 6.0.0

data/spec/unit/ssl/digest_spec.rb

@@ -1,3 +1,4 @@
+#! /usr/bin/env ruby
 require 'spec_helper'
 
 require 'puppet/ssl/digest'

data/spec/unit/ssl/host_spec.rb

@@ -1,7 +1,11 @@
+#!/usr/bin/env ruby
 require 'spec_helper'
+require 'puppet/test_ca'
 
 require 'puppet/ssl/host'
 require 'matchers/json'
+require 'puppet_spec/ssl'
+require 'puppet/rest/routes'
 
 def base_json_comparison(result, json_hash)
   expect(result["fingerprint"]).to eq(json_hash["fingerprint"])
@@ -9,13 +13,11 @@ def base_json_comparison(result, json_hash)
   expect(result["state"]).to       eq(json_hash["desired_state"])
 end
 
-describe Puppet::SSL::Host do
+describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
   include JSONMatchers
   include PuppetSpec::Files
 
   before do
-    Puppet::SSL::Host.indirection.terminus_class = :file
-
     # Get a safe temporary file
     dir = tmpdir("ssl_host_testing")
     Puppet.settings[:confdir] = dir
@@ -28,7 +30,6 @@ describe Puppet::SSL::Host do
   after do
     # Cleaned out any cached localhost instance.
     Puppet::SSL::Host.reset
-    Puppet::SSL::Host.ca_location = :none
   end
 
   it "should use any provided name as its name" do
@@ -36,80 +37,66 @@ describe Puppet::SSL::Host do
   end
 
   it "should retrieve its public key from its private key" do
-    realkey = double('realkey')
-    key = double('key', :content => realkey)
-    allow(Puppet::SSL::Key.indirection).to receive(:find).and_return(key)
-    pubkey = double('public_key')
-    expect(realkey).to receive(:public_key).and_return(pubkey)
+    realkey = mock 'realkey'
+    key = stub 'key', :content => realkey
+    Puppet::SSL::Key.indirection.stubs(:find).returns(key)
+    pubkey = mock 'public_key'
+    realkey.expects(:public_key).returns pubkey
 
     expect(@host.public_key).to equal(pubkey)
   end
 
-  it "should default to being a non-ca host" do
-    expect(@host.ca?).to be_falsey
-  end
-
-  it "should be a ca host if its name matches the CA_NAME" do
-    allow(Puppet::SSL::Host).to receive(:ca_name).and_return("yayca")
-    expect(Puppet::SSL::Host.new("yayca")).to be_ca
-  end
-
-  it "should have a method for determining the CA location" do
-    expect(Puppet::SSL::Host).to respond_to(:ca_location)
-  end
-
-  it "should have a method for specifying the CA location" do
-    expect(Puppet::SSL::Host).to respond_to(:ca_location=)
-  end
-
-  it "should have a method for retrieving the default ssl host" do
-    expect(Puppet::SSL::Host).to respond_to(:ca_location=)
-  end
+  describe 'localhost' do
+    before(:each) do
+      Puppet::SSL::Host.any_instance.stubs(:certificate).returns nil
+      Puppet::SSL::Host.any_instance.stubs(:generate)
+    end
 
-  it "should have a method for producing an instance to manage the local host's keys" do
-    expect(Puppet::SSL::Host).to respond_to(:localhost)
-  end
+    it "should have a method for producing an instance to manage the local host's keys" do
+      expect(Puppet::SSL::Host).to respond_to(:localhost)
+    end
 
-  it "should allow to reset localhost" do
-    previous_host = Puppet::SSL::Host.localhost
-    Puppet::SSL::Host.reset
-    expect(Puppet::SSL::Host.localhost).not_to eq(previous_host)
-  end
+    it "should allow to reset localhost" do
+      previous_host = Puppet::SSL::Host.localhost
+      Puppet::SSL::Host.reset
+      expect(Puppet::SSL::Host.localhost).not_to eq(previous_host)
+    end
 
-  it "should generate the certificate for the localhost instance if no certificate is available" do
-    host = double('host', :key => nil)
-    expect(Puppet::SSL::Host).to receive(:new).and_return(host)
+    it "should generate the certificate for the localhost instance if no certificate is available" do
+      host = stub 'host', :key => nil
+      Puppet::SSL::Host.expects(:new).returns host
 
-    expect(host).to receive(:certificate).and_return(nil)
-    expect(host).to receive(:generate)
+      host.expects(:certificate).returns nil
+      host.expects(:generate)
 
-    expect(Puppet::SSL::Host.localhost).to equal(host)
-  end
+      expect(Puppet::SSL::Host.localhost).to equal(host)
+    end
 
-  it "should create a localhost cert if no cert is available and it is a CA with autosign and it is using DNS alt names", :unless => Puppet.features.microsoft_windows? do
-    Puppet[:autosign] = true
-    Puppet[:confdir] = tmpdir('conf')
-    Puppet[:dns_alt_names] = "foo,bar,baz"
-    ca = Puppet::SSL::CertificateAuthority.new
-    allow(Puppet::SSL::CertificateAuthority).to receive(:instance).and_return(ca)
+    it "should always read the key for the localhost instance in from disk" do
+      host = stub 'host', :certificate => "eh"
+      host.expects(:key)
+      Puppet::SSL::Host.expects(:new).returns host
 
-    localhost = Puppet::SSL::Host.localhost
-    cert = localhost.certificate
+      Puppet::SSL::Host.localhost
+    end
 
-    expect(cert).to be_a(Puppet::SSL::Certificate)
-    expect(cert.subject_alt_names).to match_array(%W[DNS:#{Puppet[:certname]} DNS:foo DNS:bar DNS:baz])
+    it "should cache the localhost instance" do
+      host = stub 'host', :certificate => "eh", :key => 'foo'
+      Puppet::SSL::Host.expects(:new).once.returns host
+      expect(Puppet::SSL::Host.localhost).to eq(Puppet::SSL::Host.localhost)
+    end
   end
 
   context "with dns_alt_names" do
     before :each do
-      @key = double('key content')
-      key = double('key', :generate => true, :content => @key)
-      allow(Puppet::SSL::Key).to receive(:new).and_return(key)
-      allow(Puppet::SSL::Key.indirection).to receive(:save).with(key)
+      @key = stub('key content')
+      key = stub('key', :generate => true, :content => @key)
+      Puppet::SSL::Key.stubs(:new).returns key
+      Puppet::SSL::Key.indirection.stubs(:save).with(key)
 
-      @cr = double('certificate request')
-      allow(Puppet::SSL::CertificateRequest).to receive(:new).and_return(@cr)
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:save).with(@cr)
+      @cr = stub('certificate request', :render => "csr pem")
+      Puppet::SSL::CertificateRequest.stubs(:new).returns @cr
+      Puppet::SSL::Host.any_instance.stubs(:submit_certificate_request)
     end
 
     describe "explicitly specified" do
@@ -118,80 +105,17 @@ describe Puppet::SSL::Host do
       end
 
       it "should not include subjectAltName if not the local node" do
-        expect(@cr).to receive(:generate).with(@key, {})
+        @cr.expects(:generate).with(@key, {})
 
-        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
+        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate_certificate_request
       end
 
-      it "should include subjectAltName if I am a CA" do
-        expect(@cr).to receive(:generate).
-          with(@key, { :dns_alt_names => Puppet[:dns_alt_names] })
+      it "should include subjectAltName if the local node" do
+        @cr.expects(:generate).with(@key, { :dns_alt_names => 'one, two' })
 
-        Puppet::SSL::Host.localhost
+        Puppet::SSL::Host.new(Puppet[:certname]).generate_certificate_request
       end
     end
-
-    describe "implicitly defaulted" do
-      let(:ca) { double('ca', :sign => nil) }
-
-      before :each do
-        Puppet[:dns_alt_names] = ''
-
-        allow(Puppet::SSL::CertificateAuthority).to receive(:instance).and_return(ca)
-      end
-
-      it "should not include defaults if we're not the CA" do
-        allow(Puppet::SSL::CertificateAuthority).to receive(:ca?).and_return(false)
-
-        expect(@cr).to receive(:generate).with(@key, {})
-
-        Puppet::SSL::Host.localhost
-      end
-
-      it "should not include defaults if not the local node" do
-        allow(Puppet::SSL::CertificateAuthority).to receive(:ca?).and_return(true)
-
-        expect(@cr).to receive(:generate).with(@key, {})
-
-        Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate
-      end
-
-      it "should not include defaults if we can't resolve our fqdn" do
-        allow(Puppet::SSL::CertificateAuthority).to receive(:ca?).and_return(true)
-        allow(Facter).to receive(:value).and_call_original
-        allow(Facter).to receive(:value).with(:fqdn).and_return(nil)
-
-        expect(@cr).to receive(:generate).with(@key, {})
-
-        Puppet::SSL::Host.localhost
-      end
-
-      it "should provide defaults if we're bootstrapping the local master" do
-        allow(Puppet::SSL::CertificateAuthority).to receive(:ca?).and_return(true)
-        allow(Facter).to receive(:value).and_call_original
-        allow(Facter).to receive(:value).with(:fqdn).and_return('web.foo.com')
-        allow(Facter).to receive(:value).with(:domain).and_return('foo.com')
-
-        expect(@cr).to receive(:generate).with(@key, {:dns_alt_names => "puppet, web.foo.com, puppet.foo.com"})
-
-        Puppet::SSL::Host.localhost
-      end
-    end
-  end
-
-  it "should always read the key for the localhost instance in from disk" do
-    host = double('host', :certificate => "eh")
-    expect(Puppet::SSL::Host).to receive(:new).and_return(host)
-
-    expect(host).to receive(:key)
-
-    Puppet::SSL::Host.localhost
-  end
-
-  it "should cache the localhost instance" do
-    host = double('host', :certificate => "eh", :key => 'foo')
-    expect(Puppet::SSL::Host).to receive(:new).once.and_return(host)
-    expect(Puppet::SSL::Host.localhost).to eq(Puppet::SSL::Host.localhost)
   end
 
   it "should be able to verify its certificate matches its key" do
@@ -200,177 +124,35 @@ describe Puppet::SSL::Host do
 
   it "should consider the certificate invalid if it cannot find a key" do
     host = Puppet::SSL::Host.new("foo")
-    certificate = double('cert', :fingerprint => 'DEADBEEF')
-    expect(host).to receive(:certificate).twice.and_return(certificate)
-    expect(host).to receive(:key).and_return(nil)
-    expect { host.validate_certificate_with_key }.to raise_error(Puppet::Error, "No private key with which to validate certificate with fingerprint: DEADBEEF")
+    certificate = mock('cert', :fingerprint => 'DEADBEEF')
+    host.expects(:key).returns nil
+    expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, "No private key with which to validate certificate with fingerprint: DEADBEEF")
   end
 
   it "should consider the certificate invalid if it cannot find a certificate" do
     host = Puppet::SSL::Host.new("foo")
-    expect(host).not_to receive(:key)
-    expect(host).to receive(:certificate).and_return(nil)
-    expect { host.validate_certificate_with_key }.to raise_error(Puppet::Error, "No certificate to validate.")
+    host.expects(:key).never
+    expect { host.validate_certificate_with_key(nil) }.to raise_error(Puppet::Error, "No certificate to validate.")
   end
 
   it "should consider the certificate invalid if the SSL certificate's key verification fails" do
     host = Puppet::SSL::Host.new("foo")
-    key = double('key', :content => "private_key")
-    sslcert = double('sslcert')
-    certificate = double('cert', {:content => sslcert, :fingerprint => 'DEADBEEF'})
-    allow(host).to receive(:key).and_return(key)
-    allow(host).to receive(:certificate).and_return(certificate)
-    expect(sslcert).to receive(:check_private_key).with("private_key").and_return(false)
-    expect { host.validate_certificate_with_key }.to raise_error(Puppet::Error, /DEADBEEF/)
+    key = mock 'key', :content => "private_key"
+    sslcert = mock 'sslcert'
+    certificate = mock 'cert', {:content => sslcert, :fingerprint => 'DEADBEEF'}
+    host.stubs(:key).returns key
+    sslcert.expects(:check_private_key).with("private_key").returns false
+    expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, /DEADBEEF/)
   end
 
   it "should consider the certificate valid if the SSL certificate's key verification succeeds" do
     host = Puppet::SSL::Host.new("foo")
-    key = double('key', :content => "private_key")
-    sslcert = double('sslcert')
-    certificate = double('cert', :content => sslcert)
-    allow(host).to receive(:key).and_return(key)
-    allow(host).to receive(:certificate).and_return(certificate)
-    expect(sslcert).to receive(:check_private_key).with("private_key").and_return(true)
-    expect{ host.validate_certificate_with_key }.not_to raise_error
-  end
-
-  describe "when specifying the CA location" do
-    it "should support the location ':local'" do
-      expect { Puppet::SSL::Host.ca_location = :local }.not_to raise_error
-    end
-
-    it "should support the location ':remote'" do
-      expect { Puppet::SSL::Host.ca_location = :remote }.not_to raise_error
-    end
-
-    it "should support the location ':none'" do
-      expect { Puppet::SSL::Host.ca_location = :none }.not_to raise_error
-    end
-
-    it "should support the location ':only'" do
-      expect { Puppet::SSL::Host.ca_location = :only }.not_to raise_error
-    end
-
-    it "should not support other modes" do
-      expect { Puppet::SSL::Host.ca_location = :whatever }.to raise_error(ArgumentError)
-    end
-
-    describe "as 'local'" do
-      before do
-        Puppet::SSL::Host.ca_location = :local
-      end
-
-      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        expect(Puppet::SSL::Certificate.indirection.cache_class).to eq(:file)
-        expect(Puppet::SSL::CertificateRequest.indirection.cache_class).to eq(:file)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.cache_class).to eq(:file)
-      end
-
-      it "should set the terminus class for Key and Host as :file" do
-        expect(Puppet::SSL::Key.indirection.terminus_class).to eq(:file)
-        expect(Puppet::SSL::Host.indirection.terminus_class).to eq(:file)
-      end
-
-      it "should set the terminus class for Certificate, CertificateRevocationList, and CertificateRequest as :ca" do
-        expect(Puppet::SSL::Certificate.indirection.terminus_class).to eq(:ca)
-        expect(Puppet::SSL::CertificateRequest.indirection.terminus_class).to eq(:ca)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.terminus_class).to eq(:ca)
-      end
-    end
-
-    describe "as 'remote'" do
-      before do
-        Puppet::SSL::Host.ca_location = :remote
-      end
-
-      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        expect(Puppet::SSL::Certificate.indirection.cache_class).to eq(:file)
-        expect(Puppet::SSL::CertificateRequest.indirection.cache_class).to eq(:file)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.cache_class).to eq(:file)
-      end
-
-      it "should set the terminus class for Key as :file" do
-        expect(Puppet::SSL::Key.indirection.terminus_class).to eq(:file)
-      end
-
-      it "should set the terminus class for Host, Certificate, CertificateRevocationList, and CertificateRequest as :rest" do
-        expect(Puppet::SSL::Host.indirection.terminus_class).to eq(:rest)
-        expect(Puppet::SSL::Certificate.indirection.terminus_class).to eq(:rest)
-        expect(Puppet::SSL::CertificateRequest.indirection.terminus_class).to eq(:rest)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.terminus_class).to eq(:rest)
-      end
-    end
-
-    describe "as 'only'" do
-      before do
-        Puppet::SSL::Host.ca_location = :only
-      end
-
-      it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :ca" do
-        expect(Puppet::SSL::Key.indirection.terminus_class).to eq(:ca)
-        expect(Puppet::SSL::Certificate.indirection.terminus_class).to eq(:ca)
-        expect(Puppet::SSL::CertificateRequest.indirection.terminus_class).to eq(:ca)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.terminus_class).to eq(:ca)
-      end
-
-      it "should set the cache class for Certificate, CertificateRevocationList, and CertificateRequest to nil" do
-        expect(Puppet::SSL::Certificate.indirection.cache_class).to be_nil
-        expect(Puppet::SSL::CertificateRequest.indirection.cache_class).to be_nil
-        expect(Puppet::SSL::CertificateRevocationList.indirection.cache_class).to be_nil
-      end
-
-      it "should set the terminus class for Host to :file" do
-        expect(Puppet::SSL::Host.indirection.terminus_class).to eq(:file)
-      end
-    end
-
-    describe "as 'none'" do
-      before do
-        Puppet::SSL::Host.ca_location = :none
-      end
-
-      it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        expect(Puppet::SSL::Key.indirection.terminus_class).to eq(:disabled_ca)
-        expect(Puppet::SSL::Certificate.indirection.terminus_class).to eq(:disabled_ca)
-        expect(Puppet::SSL::CertificateRequest.indirection.terminus_class).to eq(:disabled_ca)
-        expect(Puppet::SSL::CertificateRevocationList.indirection.terminus_class).to eq(:disabled_ca)
-      end
-
-      it "should set the terminus class for Host to 'none'" do
-        expect { Puppet::SSL::Host.indirection.terminus_class }.to raise_error(Puppet::DevError)
-      end
-    end
-  end
-
-  it "should have a class method for destroying all files related to a given host" do
-    expect(Puppet::SSL::Host).to respond_to(:destroy)
-  end
-
-  describe "when destroying a host's SSL files" do
-    before do
-      allow(Puppet::SSL::Key.indirection).to receive(:destroy).and_return(false)
-      allow(Puppet::SSL::Certificate.indirection).to receive(:destroy).and_return(false)
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:destroy).and_return(false)
-    end
-
-    it "should destroy its certificate, certificate request, and key" do
-      expect(Puppet::SSL::Key.indirection).to receive(:destroy).with("myhost")
-      expect(Puppet::SSL::Certificate.indirection).to receive(:destroy).with("myhost")
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:destroy).with("myhost")
-
-      Puppet::SSL::Host.destroy("myhost")
-    end
-
-    it "should return true if any of the classes returned true" do
-      expect(Puppet::SSL::Certificate.indirection).to receive(:destroy).with("myhost").and_return(true)
-
-      expect(Puppet::SSL::Host.destroy("myhost")).to be_truthy
-    end
-
-    it "should report that nothing was deleted if none of the classes returned true" do
-      expect(Puppet::SSL::Host.destroy("myhost")).to eq("Nothing was deleted")
-    end
+    key = mock 'key', :content => "private_key"
+    sslcert = mock 'sslcert'
+    certificate = mock 'cert', :content => sslcert
+    host.stubs(:key).returns key
+    sslcert.expects(:check_private_key).with("private_key").returns true
+    expect{ host.validate_certificate_with_key(certificate) }.not_to raise_error
   end
 
   describe "when initializing" do
@@ -383,11 +165,6 @@ describe Puppet::SSL::Host do
     it "should downcase a passed in name" do
       expect(Puppet::SSL::Host.new("Host.Domain.Com").name).to eq("host.domain.com")
     end
-
-    it "should indicate that it is a CA host if its name matches the ca_name constant" do
-      allow(Puppet::SSL::Host).to receive(:ca_name).and_return("myca")
-      expect(Puppet::SSL::Host.new("myca")).to be_ca
-    end
   end
 
   describe "when managing its private key" do
@@ -398,107 +175,100 @@ describe Puppet::SSL::Host do
     end
 
     it "should return nil if the key is not set and cannot be found" do
-      expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(nil)
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(nil)
       expect(@host.key).to be_nil
     end
 
     it "should find the key in the Key class and return the Puppet instance" do
-      expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(@key)
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(@key)
       expect(@host.key).to equal(@key)
     end
 
     it "should be able to generate and save a new key" do
-      expect(Puppet::SSL::Key).to receive(:new).with("myname").and_return(@key)
+      Puppet::SSL::Key.expects(:new).with("myname").returns(@key)
 
-      expect(@key).to receive(:generate)
-      expect(Puppet::SSL::Key.indirection).to receive(:save)
+      @key.expects(:generate)
+      Puppet::SSL::Key.indirection.expects(:save)
 
       expect(@host.generate_key).to be_truthy
       expect(@host.key).to equal(@key)
     end
 
     it "should not retain keys that could not be saved" do
-      expect(Puppet::SSL::Key).to receive(:new).with("myname").and_return(@key)
+      Puppet::SSL::Key.expects(:new).with("myname").returns(@key)
 
-      expect(@key).to receive(:generate)
-      expect(Puppet::SSL::Key.indirection).to receive(:save).and_raise("eh")
+      @key.stubs(:generate)
+      Puppet::SSL::Key.indirection.expects(:save).raises "eh"
 
       expect { @host.generate_key }.to raise_error(RuntimeError)
       expect(@host.key).to be_nil
     end
 
     it "should return any previously found key without requerying" do
-      expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(@key).once
+      Puppet::SSL::Key.indirection.expects(:find).with("myname").returns(@key).once
       expect(@host.key).to equal(@key)
       expect(@host.key).to equal(@key)
     end
   end
 
   describe "when managing its certificate request" do
-    before do
-      @realrequest = "real request"
-      @request = Puppet::SSL::CertificateRequest.new("myname")
-      @request.content = @realrequest
+    before(:all) do
+      @pki = PuppetSpec::SSL.create_chained_pki
     end
 
-    it "should return nil if the key is not set and cannot be found" do
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myname").and_return(nil)
-      expect(@host.certificate_request).to be_nil
+    before(:each) do
+      Puppet[:requestdir] = tmpdir('requests')
     end
 
-    it "should find the request in the Key class and return it and return the Puppet SSL request" do
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myname").and_return(@request)
-
-      expect(@host.certificate_request).to equal(@request)
-    end
+    let(:key) { Puppet::SSL::Key.from_s(@pki[:leaf_key].to_s, @host.name) }
 
     it "should generate a new key when generating the cert request if no key exists" do
-      expect(Puppet::SSL::CertificateRequest).to receive(:new).with("myname").and_return(@request)
-
-      key = double('key', :public_key => double("public_key"), :content => "mycontent")
+      @host.expects(:key).times(2).returns(nil).then.returns(key)
+      @host.expects(:generate_key).returns(key)
 
-      expect(@host).to receive(:key).twice.and_return(nil, key)
-      expect(@host).to receive(:generate_key).and_return(key)
-
-      allow(@request).to receive(:generate)
-      allow(Puppet::SSL::CertificateRequest.indirection).to receive(:save)
+      @host.stubs(:submit_certificate_request)
 
       @host.generate_certificate_request
+      expect(Puppet::FileSystem.exist?(File.join(Puppet[:requestdir], "#{@host.name}.pem"))).to be true
     end
 
     it "should be able to generate and save a new request using the private key" do
-      expect(Puppet::SSL::CertificateRequest).to receive(:new).with("myname").and_return(@request)
-
-      key = double('key', :public_key => double("public_key"), :content => "mycontent")
-      allow(@host).to receive(:key).and_return(key)
-      expect(@request).to receive(:generate).with("mycontent", {})
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:save).with(@request)
+      @host.stubs(:key).returns(key)
+      @host.stubs(:submit_certificate_request)
 
       expect(@host.generate_certificate_request).to be_truthy
-      expect(@host.certificate_request).to equal(@request)
+      expect(Puppet::FileSystem.exist?(File.join(Puppet[:requestdir], "#{@host.name}.pem"))).to be true
+    end
+
+    it "should send a new request to the CA for signing" do
+      @http = mock("http")
+      @host.stubs(:http_client).returns(@http)
+      @host.stubs(:ssl_store).returns(mock("ssl store"))
+      @host.stubs(:key).returns(key)
+      request = mock("request")
+      request.stubs(:generate)
+      request.expects(:render).returns("my request").twice
+      Puppet::SSL::CertificateRequest.expects(:new).returns(request)
+
+      Puppet::Rest::Routes.expects(:put_certificate_request)
+        .with("my request", @host.name, anything)
+        .returns(nil)
+
+      expect(@host.generate_certificate_request).to be true
     end
 
     it "should return any previously found request without requerying" do
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:find).with("myname").and_return(@request).once
+      request = mock("request")
+      @host.expects(:load_certificate_request_from_file).returns(request).once
 
-      expect(@host.certificate_request).to equal(@request)
-      expect(@host.certificate_request).to equal(@request)
+      expect(@host.certificate_request).to equal(request)
+      expect(@host.certificate_request).to equal(request)
     end
 
     it "should not keep its certificate request in memory if the request cannot be saved" do
-      expect(Puppet::SSL::CertificateRequest).to receive(:new).with("myname").and_return(@request)
-
-      key = double('key', :public_key => double("public_key"), :content => "mycontent")
-      allow(@host).to receive(:key).and_return(key)
-      allow(@request).to receive(:generate)
-      allow(@request).to receive(:name).and_return("myname")
-      terminus = double('terminus')
-      allow(terminus).to receive(:validate)
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:prepare).and_return(terminus)
-      expect(terminus).to receive(:save) do |req|
-        expect(req.instance).to eq(@request)
-        expect(req.key).to eq("myname")
-      end.and_raise("eh")
+      @host.stubs(:key).returns(key)
+      @host.stubs(:submit_certificate_request)
+      Puppet::Util.expects(:replace_file).raises(RuntimeError)
 
       expect { @host.generate_certificate_request }.to raise_error(RuntimeError)
 
@@ -507,114 +277,113 @@ describe Puppet::SSL::Host do
   end
 
   describe "when managing its certificate" do
-    before do
-      @realcert = double('certificate')
-      @cert = double('cert', :content => @realcert)
-      allow(@host).to receive(:key).and_return(double("key"))
-      allow(@host).to receive(:validate_certificate_with_key)
+    before(:all) do
+      @pki = PuppetSpec::SSL.create_chained_pki
     end
 
-    it "should find the CA certificate if it does not have a certificate" do
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with(Puppet::SSL::CA_NAME, :fail_on_404 => true).and_return(double("cacert"))
-      allow(Puppet::SSL::Certificate.indirection).to receive(:find).with("myname").and_return(@cert)
-      @host.certificate
+    before(:each) do
+      Puppet[:certdir] = tmpdir('certs')
+      @host.stubs(:key).returns mock("key")
+      @host.stubs(:validate_certificate_with_key)
+      @host.stubs(:http_client).returns(@http)
+      @host.stubs(:ssl_store).returns(mock("ssl store"))
     end
 
-    it "should not find the CA certificate if it is the CA host" do
-      expect(@host).to receive(:ca?).and_return(true)
-      allow(Puppet::SSL::Certificate.indirection).to receive(:find)
-      expect(Puppet::SSL::Certificate.indirection).not_to receive(:find).with(Puppet::SSL::CA_NAME, :fail_on_404 => true)
+    let(:ca_cert_response) { @pki[:ca_bundle] }
+    let(:host_cert_response) { @pki[:unrevoked_leaf_node_cert] }
 
+    it "should find the CA certificate and save it to disk" do
+      Puppet::Rest::Routes.expects(:get_certificate)
+                          .with(Puppet::SSL::CA_NAME, anything)
+                          .returns(ca_cert_response)
+      Puppet::Rest::Routes.expects(:get_certificate)
+                          .with(@host.name, anything)
+                          .raises(Puppet::Rest::ResponseError.new('no client cert',
+                                                                  mock('response', code: '404')))
       @host.certificate
+      actual_ca_bundle = Puppet::FileSystem.read(Puppet[:localcacert])
+      expect(actual_ca_bundle).to match(/BEGIN CERTIFICATE.*END CERTIFICATE.*BEGIN CERTIFICATE/m)
     end
 
     it "should return nil if it cannot find a CA certificate" do
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with(Puppet::SSL::CA_NAME, :fail_on_404 => true).and_return(nil)
-      expect(Puppet::SSL::Certificate.indirection).not_to receive(:find).with("myname")
+      @host.expects(:ensure_ca_certificate).returns(false)
+      @host.expects(:get_host_certificate).never
 
       expect(@host.certificate).to be_nil
     end
 
     it "should find the key if it does not have one" do
-      allow(Puppet::SSL::Certificate.indirection).to receive(:find)
-      expect(@host).to receive(:key).and_return(double("key"))
+      @host.expects(:ensure_ca_certificate).returns(true)
+      @host.expects(:get_host_certificate).returns(nil)
+      @host.expects(:key).returns mock("key")
       @host.certificate
     end
 
     it "should generate the key if one cannot be found" do
-      allow(Puppet::SSL::Certificate.indirection).to receive(:find)
-      expect(@host).to receive(:key).and_return(nil)
-      expect(@host).to receive(:generate_key)
+      @host.expects(:ensure_ca_certificate).returns(true)
+      @host.expects(:get_host_certificate).returns(nil)
+      @host.expects(:key).returns nil
+      @host.expects(:generate_key)
       @host.certificate
     end
 
-    it "should find the certificate in the Certificate class and return the Puppet certificate instance" do
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with(Puppet::SSL::CA_NAME, :fail_on_404 => true).and_return(double("cacert"))
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myname").and_return(@cert)
-      expect(@host.certificate).to equal(@cert)
+    it "should find the host certificate, write it to file, and return the Puppet certificate instance" do
+      Puppet::Rest::Routes.expects(:get_certificate)
+                          .with(Puppet::SSL::CA_NAME, anything)
+                          .returns(ca_cert_response)
+      Puppet::Rest::Routes.expects(:get_certificate)
+                          .with(@host.name, anything)
+                          .returns(host_cert_response)
+      expected_cert = Puppet::SSL::Certificate.from_s(@pki[:unrevoked_leaf_node_cert])
+      actual_cert = @host.certificate
+      expect(actual_cert).to be_a(Puppet::SSL::Certificate)
+      expect(actual_cert.to_s).to eq(expected_cert.to_s)
+      host_cert_from_file = Puppet::FileSystem.read(File.join(Puppet[:certdir], "#{@host.name}.pem"))
+      expect(host_cert_from_file).to eq(expected_cert.to_s)
     end
 
     it "should return any previously found certificate" do
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with(Puppet::SSL::CA_NAME, :fail_on_404 => true).and_return(double("cacert"))
-      expect(Puppet::SSL::Certificate.indirection).to receive(:find).with("myname").and_return(@cert).once
+      cert = mock 'cert'
+      @host.expects(:ensure_ca_certificate).returns(true).once
+      @host.expects(:get_host_certificate).returns(cert).once
 
-      expect(@host.certificate).to equal(@cert)
-      expect(@host.certificate).to equal(@cert)
+      expect(@host.certificate).to equal(cert)
+      expect(@host.certificate).to equal(cert)
     end
-  end
-
-  it "should have a method for listing certificate hosts" do
-    expect(Puppet::SSL::Host).to respond_to(:search)
-  end
 
-  describe "when listing certificate hosts" do
-    it "should default to listing all clients with any file types" do
-      expect(Puppet::SSL::Key.indirection).to receive(:search).and_return([])
-      expect(Puppet::SSL::Certificate.indirection).to receive(:search).and_return([])
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:search).and_return([])
-      Puppet::SSL::Host.search
-    end
-
-    it "should be able to list only clients with a key" do
-      expect(Puppet::SSL::Key.indirection).to receive(:search).and_return([])
-      expect(Puppet::SSL::Certificate.indirection).not_to receive(:search)
-      expect(Puppet::SSL::CertificateRequest.indirection).not_to receive(:search)
-      Puppet::SSL::Host.search :for => Puppet::SSL::Key
-    end
-
-    it "should be able to list only clients with a certificate" do
-      expect(Puppet::SSL::Key.indirection).not_to receive(:search)
-      expect(Puppet::SSL::Certificate.indirection).to receive(:search).and_return([])
-      expect(Puppet::SSL::CertificateRequest.indirection).not_to receive(:search)
-      Puppet::SSL::Host.search :for => Puppet::SSL::Certificate
-    end
-
-    it "should be able to list only clients with a certificate request" do
-      expect(Puppet::SSL::Key.indirection).not_to receive(:search)
-      expect(Puppet::SSL::Certificate.indirection).not_to receive(:search)
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:search).and_return([])
-      Puppet::SSL::Host.search :for => Puppet::SSL::CertificateRequest
-    end
-
-    it "should return a Host instance created with the name of each found instance" do
-      key  = double('key',  :name => "key",  :to_ary => nil)
-      cert = double('cert', :name => "cert", :to_ary => nil)
-      csr  = double('csr',  :name => "csr",  :to_ary => nil)
+    context 'invalid certificates' do
+      it "should raise if the CA certificate downloaded from CA is invalid" do
+        Puppet::Rest::Routes.expects(:get_certificate)
+                            .with(Puppet::SSL::CA_NAME, anything)
+                            .returns('garbage')
+        expect { @host.certificate }.to raise_error(Puppet::Error, /did not contain a valid CA certificate/)
+      end
 
-      expect(Puppet::SSL::Key.indirection).to receive(:search).and_return([key])
-      expect(Puppet::SSL::Certificate.indirection).to receive(:search).and_return([cert])
-      expect(Puppet::SSL::CertificateRequest.indirection).to receive(:search).and_return([csr])
+      it "should warn if the host certificate downloaded from CA is invalid" do
+        Puppet::Rest::Routes.expects(:get_certificate)
+                            .with(Puppet::SSL::CA_NAME, anything)
+                            .returns(ca_cert_response)
+        Puppet::Rest::Routes.expects(:get_certificate)
+                            .with(@host.name, anything)
+                            .returns('garbage')
+        expect { @host.certificate }.to raise_error(Puppet::Error, /did not contain a valid certificate for #{@host.name}/)
+      end
 
-      returned = []
-      %w{key cert csr}.each do |name|
-        result = double(name)
-        returned << result
-        expect(Puppet::SSL::Host).to receive(:new).with(name).and_return(result)
+      it 'should warn if the CA certificate loaded from disk is invalid' do
+        Puppet::FileSystem.open(Puppet[:localcacert], nil, "w:ASCII") do |f|
+          f.puts 'garbage'
+        end
+        expect { @host.certificate }.to raise_error(Puppet::Error, /The CA certificate.*invalid/)
       end
 
-      result = Puppet::SSL::Host.search
-      returned.each do |r|
-        expect(result).to be_include(r)
+      it 'should warn if the host certificate loaded from disk in invalid' do
+        Puppet::Rest::Routes.expects(:get_certificate)
+                            .with(Puppet::SSL::CA_NAME, anything)
+                            .returns(ca_cert_response)
+        Puppet::FileSystem.open(File.join(Puppet[:certdir], "#{@host.name}.pem"), nil, "w:ASCII") do |f|
+          f.puts 'garbage'
+        end
+        expect { @host.certificate }.to raise_error(Puppet::Error, /The certificate.*invalid/)
       end
     end
   end
@@ -626,153 +395,154 @@ describe Puppet::SSL::Host do
   describe "when generating files" do
     before do
       @host = Puppet::SSL::Host.new("me")
-      allow(@host).to receive(:generate_key)
-      allow(@host).to receive(:generate_certificate_request)
+      @host.stubs(:generate_key)
+      @host.stubs(:generate_certificate_request)
+      @host.stubs(:certificate_request)
+      @host.stubs(:certificate)
     end
 
     it "should generate a key if one is not present" do
-      allow(@host).to receive(:key).and_return nil
-      expect(@host).to receive(:generate_key)
+      @host.stubs(:key).returns nil
+      @host.expects(:generate_key)
 
       @host.generate
     end
 
     it "should generate a certificate request if one is not present" do
-      expect(@host).to receive(:certificate_request).and_return nil
-      expect(@host).to receive(:generate_certificate_request)
+      @host.expects(:certificate_request).returns nil
+      @host.expects(:generate_certificate_request)
 
       @host.generate
     end
-
-    describe "and it can create a certificate authority" do
-      before do
-        @ca = double('ca')
-        allow(Puppet::SSL::CertificateAuthority).to receive(:instance).and_return(@ca)
-      end
-
-      it "should use the CA to sign its certificate request if it does not have a certificate" do
-        expect(@host).to receive(:certificate).and_return(nil)
-
-        expect(@ca).to receive(:sign).with(@host.name, {allow_dns_alt_names: true})
-
-        @host.generate
-      end
-    end
-
-    describe "and it cannot create a certificate authority" do
-      before do
-        allow(Puppet::SSL::CertificateAuthority).to receive(:instance).and_return(nil)
-      end
-
-      it "should seek its certificate" do
-        expect(@host).to receive(:certificate)
-
-        @host.generate
-      end
-    end
   end
 
   it "should have a method for creating an SSL store" do
     expect(Puppet::SSL::Host.new("me")).to respond_to(:ssl_store)
   end
 
-  it "should always return the same store" do
-    host = Puppet::SSL::Host.new("foo")
-    store = double(
-      'store',
-      :purpose= => nil,
-      :add_file => nil,
-    )
-    expect(OpenSSL::X509::Store).to receive(:new).and_return(store)
-    expect(host.ssl_store).to equal(host.ssl_store)
-  end
-
   describe "when creating an SSL store" do
     before do
-      @host = Puppet::SSL::Host.new("me")
-      @store = double(
-        'store',
-        :purpose= => nil,
-        :add_file => nil,
-        :add_crl  => nil,
-        :flags=   => nil,
-      )
-      allow(OpenSSL::X509::Store).to receive(:new).and_return(@store)
-
       Puppet[:localcacert] = "ssl_host_testing"
-
-      allow(Puppet::SSL::CertificateRevocationList.indirection).to receive(:find).and_return(nil)
     end
 
     it "should accept a purpose" do
-      expect(@store).to receive(:purpose=).with("my special purpose")
-      @host.ssl_store("my special purpose")
-    end
+      store = mock 'store'
+      store.stub_everything
+      OpenSSL::X509::Store.expects(:new).returns store
+      store.expects(:purpose=).with(OpenSSL::X509::PURPOSE_SSL_SERVER)
+      host = Puppet::SSL::Host.new("me")
+      host.crl_usage = false
 
-    it "should default to OpenSSL::X509::PURPOSE_ANY as the purpose" do
-      expect(@store).to receive(:purpose=).with(OpenSSL::X509::PURPOSE_ANY)
-      @host.ssl_store
+      host.ssl_store(OpenSSL::X509::PURPOSE_SSL_SERVER)
     end
 
-    it "should add the local CA cert file" do
-      Puppet[:localcacert] = "/ca/cert/file"
-      expect(@store).to receive(:add_file).with(Puppet[:localcacert])
-      @host.ssl_store
+    context "and the CRL is not on disk" do
+      before do
+        @pki = PuppetSpec::SSL.create_chained_pki
+        @revoked_cert = @pki[:revoked_root_node_cert]
+        localcacert = Puppet.settings[:localcacert]
+        Puppet::Util.replace_file(localcacert, 0644) {|f| f.write @pki[:ca_bundle] }
+        @http = mock 'http'
+        @host.stubs(:http_client).returns(@http)
+      end
+
+      after do
+        Puppet::FileSystem.unlink(Puppet.settings[:localcacert])
+        Puppet::FileSystem.unlink(Puppet.settings[:hostcrl])
+      end
+
+      it "retrieves it from the server" do
+        Puppet::Rest::Routes.expects(:get_crls)
+          .with(Puppet::SSL::CA_NAME, anything)
+          .returns(@pki[:crl_chain])
+
+        @host.ssl_store
+        expect(Puppet::FileSystem.read(Puppet.settings[:hostcrl], :encoding => Encoding::UTF_8)).to eq(@pki[:crl_chain])
+      end
     end
 
     describe "and a CRL is available" do
       before do
-        @crl = double('crl', :content => "real_crl")
-        allow(Puppet::SSL::CertificateRevocationList.indirection).to receive(:find).and_return(@crl)
+        pki = PuppetSpec::SSL.create_chained_pki
+
+        @revoked_cert_from_self_signed_root          = pki[:revoked_root_node_cert]
+        @revoked_cert_from_ca_with_untrusted_chain   = pki[:revoked_leaf_node_cert]
+        @unrevoked_cert_from_self_signed_root        = pki[:unrevoked_root_node_cert]
+        @unrevoked_cert_from_revoked_ca              = pki[:unrevoked_int_node_cert]
+        @unrevoked_cert_from_ca_with_untrusted_chain = pki[:unrevoked_leaf_node_cert]
+
+        localcacert = Puppet.settings[:localcacert]
+        hostcrl     = Puppet.settings[:hostcrl]
+
+        Puppet::Util.replace_file(localcacert, 0644) {|f| f.write pki[:ca_bundle] }
+        Puppet::Util.replace_file(hostcrl, 0644)     {|f| f.write pki[:crl_chain] }
+      end
+
+      after do
+        Puppet::FileSystem.unlink(Puppet.settings[:localcacert])
+        Puppet::FileSystem.unlink(Puppet.settings[:hostcrl])
       end
 
-      [true, 'chain'].each do |crl_setting|
+      [true, :chain].each do |crl_setting|
         describe "and 'certificate_revocation' is #{crl_setting}" do
           before do
-            Puppet[:certificate_revocation] = crl_setting
+            @host = Puppet::SSL::Host.new(crl_setting.to_s)
+            @host.crl_usage = crl_setting
           end
 
-          it "should add the CRL" do
-            expect(@store).to receive(:add_crl).with("real_crl")
-            @host.ssl_store
+          it "should verify unrevoked certs" do
+            expect(
+              @host.ssl_store.verify(@unrevoked_cert_from_self_signed_root)
+            ).to be true
           end
 
-          it "should set the flags to OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK" do
-            expect(@store).to receive(:flags=).with(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK)
-            @host.ssl_store
+          it "should not verify revoked certs" do
+            [@revoked_cert_from_self_signed_root,
+             @revoked_cert_from_ca_with_untrusted_chain,
+             @unrevoked_cert_from_revoked_ca,
+             @unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
+              expect(@host.ssl_store.verify(cert)).to be false
+            end
           end
         end
       end
 
       describe "and 'certificate_revocation' is leaf" do
         before do
-          Puppet[:certificate_revocation] = 'leaf'
+          @host = Puppet::SSL::Host.new("leaf")
+          @host.crl_usage = :leaf
         end
 
-        it "should add the CRL" do
-          expect(@store).to receive(:add_crl).with("real_crl")
-          @host.ssl_store
+        it "should verify unrevoked certs regardless of signing CA's revocation status" do
+          [@unrevoked_cert_from_self_signed_root,
+           @unrevoked_cert_from_revoked_ca,
+           @unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
+            expect(@host.ssl_store.verify(cert)).to be true
+          end
         end
 
-        it "should set the flags to OpenSSL::X509::V_FLAG_CRL_CHECK" do
-          expect(@store).to receive(:flags=).with(OpenSSL::X509::V_FLAG_CRL_CHECK)
-          @host.ssl_store
+        it "should not verify certs revoked by their signing CA" do
+          [@revoked_cert_from_self_signed_root,
+           @revoked_cert_from_ca_with_untrusted_chain].each do |cert|
+            expect(@host.ssl_store.verify(cert)).to be false
+          end
         end
       end
 
       describe "and 'certificate_revocation' is false" do
         before do
-          Puppet[:certificate_revocation] = false
+          @host = Puppet::SSL::Host.new("host")
+          @host.crl_usage = false
         end
 
-        it "should not add the CRL" do
-          expect(@store).not_to receive(:add_crl)
-          @host.ssl_store
-        end
-
-        it "should not set the flags" do
-          expect(@store).not_to receive(:flags=)
-          @host.ssl_store
+        it "should verify valid certs regardless of revocation status" do
+          [@revoked_cert_from_self_signed_root,
+           @revoked_cert_from_ca_with_untrusted_chain,
+           @unrevoked_cert_from_self_signed_root,
+           @unrevoked_cert_from_revoked_ca,
+           @unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
+            expect(@host.ssl_store.verify(cert)).to be true
+          end
         end
       end
     end
@@ -784,206 +554,56 @@ describe Puppet::SSL::Host do
     end
 
     it "should generate its certificate request and attempt to read the certificate again if no certificate is found" do
-      expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-      expect(@host).to receive(:generate)
+      @host.expects(:certificate).times(2).returns(nil).then.returns "foo"
+      @host.expects(:generate)
       @host.wait_for_cert(1)
     end
 
     it "should catch and log errors during CSR saving" do
-      expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-      times_generate_called = 0
-      expect(@host).to receive(:generate) do
-        times_generate_called += 1
-        raise RuntimeError if times_generate_called == 1
-        nil
-      end
-      allow(@host).to receive(:sleep)
+      @host.expects(:certificate).times(2).returns(nil).then.returns "foo"
+      @host.expects(:generate).raises(RuntimeError).then.returns nil
+      @host.stubs(:sleep)
       @host.wait_for_cert(1)
     end
 
     it "should sleep and retry after failures saving the CSR if waitforcert is enabled" do
-      expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-      times_generate_called = 0
-      expect(@host).to receive(:generate) do
-        times_generate_called += 1
-        raise RuntimeError if times_generate_called == 1
-        nil
-      end
-      expect(@host).to receive(:sleep).with(1)
+      @host.expects(:certificate).times(2).returns(nil).then.returns "foo"
+      @host.expects(:generate).raises(RuntimeError).then.returns nil
+      @host.expects(:sleep).with(1)
       @host.wait_for_cert(1)
     end
 
     it "should exit after failures saving the CSR of waitforcert is disabled" do
-      expect(@host).to receive(:certificate).and_return(nil)
-      expect(@host).to receive(:generate).and_raise(RuntimeError)
-      expect(@host).to receive(:puts)
+      @host.expects(:certificate).returns(nil)
+      @host.expects(:generate).raises(RuntimeError)
+      @host.expects(:puts)
       expect { @host.wait_for_cert(0) }.to exit_with 1
     end
 
     it "should exit if the wait time is 0 and it can neither find nor retrieve a certificate" do
-      allow(@host).to receive(:certificate).and_return(nil)
-      expect(@host).to receive(:generate)
-      expect(@host).to receive(:puts)
+      @host.stubs(:certificate).returns nil
+      @host.expects(:generate)
+      @host.expects(:puts)
       expect { @host.wait_for_cert(0) }.to exit_with 1
     end
 
     it "should sleep for the specified amount of time if no certificate is found after generating its certificate request" do
-      expect(@host).to receive(:certificate).exactly(3).times().and_return(nil, nil, "foo")
-      expect(@host).to receive(:generate)
+      @host.expects(:certificate).times(3).returns(nil).then.returns(nil).then.returns "foo"
+      @host.expects(:generate)
 
-      expect(@host).to receive(:sleep).with(1)
+      @host.expects(:sleep).with(1)
 
       @host.wait_for_cert(1)
     end
 
     it "should catch and log exceptions during certificate retrieval" do
-      times_certificate_called = 0
-      expect(@host).to receive(:certificate) do
-        times_certificate_called += 1
-        if times_certificate_called == 1
-          return nil
-        elsif times_certificate_called == 2
-          raise RuntimeError
-        end
-        "foo"
-      end.exactly(3).times()
-      allow(@host).to receive(:generate)
-      allow(@host).to receive(:sleep)
+      @host.expects(:certificate).times(3).returns(nil).then.raises(RuntimeError).then.returns("foo")
+      @host.stubs(:generate)
+      @host.stubs(:sleep)
 
-      expect(Puppet).to receive(:err).twice
+      Puppet.expects(:err)
 
       @host.wait_for_cert(1)
     end
   end
-
-  describe "when handling JSON", :unless => Puppet.features.microsoft_windows? do
-    include PuppetSpec::Files
-
-    before do
-      Puppet[:vardir] = tmpdir("ssl_test_vardir")
-      Puppet[:ssldir] = tmpdir("ssl_test_ssldir")
-      # localcacert is where each client stores the CA certificate
-      # cacert is where the master stores the CA certificate
-      # Since we need to play the role of both for testing we need them to be the same and exist
-      Puppet[:cacert] = Puppet[:localcacert]
-
-      @ca=Puppet::SSL::CertificateAuthority.new
-    end
-
-    describe "when converting to JSON" do
-      let(:host) do
-        Puppet::SSL::Host.new("bazinga")
-      end
-
-      let(:json_hash) do
-        {
-          "fingerprint"   => host.certificate_request.fingerprint,
-          "desired_state" => 'requested',
-          "name"          => host.name
-        }
-      end
-
-      it "should be able to identify a host with an unsigned certificate request" do
-        host.generate_certificate_request
-
-        result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-
-        base_json_comparison result, json_hash
-      end
-
-      it "should validate against the schema" do
-        host.generate_certificate_request
-
-        expect(host.to_json).to validate_against('api/schemas/host.json')
-      end
-
-      describe "explicit fingerprints" do
-        [:SHA1, :SHA256, :SHA512].each do |md|
-          it "should include #{md}" do
-            mds = md.to_s
-            host.generate_certificate_request
-            json_hash["fingerprints"] = {}
-            json_hash["fingerprints"][mds] = host.certificate_request.fingerprint(md)
-
-            result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-            base_json_comparison result, json_hash
-            expect(result["fingerprints"][mds]).to eq(json_hash["fingerprints"][mds])
-          end
-        end
-      end
-
-      describe "dns_alt_names" do
-        describe "when not specified" do
-          it "should include the dns_alt_names associated with the certificate" do
-            host.generate_certificate_request
-            json_hash["desired_alt_names"] = host.certificate_request.subject_alt_names
-
-            result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-            base_json_comparison result, json_hash
-            expect(result["dns_alt_names"]).to eq(json_hash["desired_alt_names"])
-          end
-        end
-
-        [ "",
-          "test, alt, names"
-        ].each do |alt_names|
-          describe "when #{alt_names}" do
-            before(:each) do
-              host.generate_certificate_request :dns_alt_names => alt_names
-            end
-
-            it "should include the dns_alt_names associated with the certificate" do
-              json_hash["desired_alt_names"] = host.certificate_request.subject_alt_names
-
-              result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-              base_json_comparison result, json_hash
-              expect(result["dns_alt_names"]).to eq(json_hash["desired_alt_names"])
-            end
-
-            it "should validate against the schema" do
-              expect(host.to_json).to validate_against('api/schemas/host.json')
-            end
-          end
-        end
-      end
-
-      it "should be able to identify a host with a signed certificate" do
-        host.generate_certificate_request
-        @ca.sign(host.name)
-        json_hash = {
-          "fingerprint"          => Puppet::SSL::Certificate.indirection.find(host.name).fingerprint,
-          "desired_state"        => 'signed',
-          "name"                 => host.name,
-        }
-
-        result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-        base_json_comparison result, json_hash
-      end
-
-      it "should be able to identify a host with a revoked certificate" do
-        host.generate_certificate_request
-        @ca.sign(host.name)
-        @ca.revoke(host.name)
-        json_hash["fingerprint"] = Puppet::SSL::Certificate.indirection.find(host.name).fingerprint
-        json_hash["desired_state"] = 'revoked'
-
-        result = JSON.parse(Puppet::SSL::Host.new(host.name).to_json)
-        base_json_comparison result, json_hash
-      end
-    end
-
-    describe "when converting from JSON" do
-      it "should return a Puppet::SSL::Host object with the specified desired state" do
-        host = Puppet::SSL::Host.new("bazinga")
-        host.desired_state="signed"
-        json_hash = {
-          "name"  => host.name,
-          "desired_state" => host.desired_state,
-        }
-        generated_host = Puppet::SSL::Host.from_data_hash(json_hash)
-        expect(generated_host.desired_state).to eq(host.desired_state)
-        expect(generated_host.name).to eq(host.name)
-      end
-    end
-  end
 end