puppet 6.11.1 → 6.12.0

data/man/man5/puppet.conf.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPETCONF" "5" "January 2020" "Puppet, Inc." "Puppet manual"
 \fBThis page is autogenerated; any changes will get overwritten\fR
 .
 .SH "Configuration settings"
@@ -673,6 +673,14 @@ For more info, see the ENC documentation \fIhttps://puppet\.com/docs/puppet/late
 .
 .IP "" 0
 .
+.SS "facterng"
+Whether to enable a pre\-Facter 4\.0 release of Facter (distributed as the "facter\-ng" gem)\. This is not necessary if Facter 3\.x or later is installed\. This setting is still experimental and has been only included on Windows builds
+.
+.IP "\(bu" 4
+\fIDefault\fR: false
+.
+.IP "" 0
+.
 .SS "factpath"
 Where Puppet should look for facts\. Multiple directories should be separated by the system path separator character\. (The POSIX path separator is \':\', and the Windows path separator is \';\'\.)
 .
@@ -904,7 +912,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: Puppet/6\.11\.0 Ruby/2\.4\.1\-p111 (x86_64\-linux)
+\fIDefault\fR: Puppet/6\.12\.0 Ruby/2\.4\.1\-p111 (x86_64\-linux)
 .
 .IP "" 0
 .
@@ -1182,6 +1190,20 @@ The maximum amount of time the Puppet agent should wait for its certificate requ
 .
 .IP "" 0
 .
+.SS "merge_dependency_warnings"
+Whether to merge class\-level dependency failure warnings\.
+.
+.P
+When a class has a failed dependency, every resource in the class generates a notice level message about the dependency failure, and a warning level message about skipping the resource\.
+.
+.P
+If true, all messages caused by a class dependency failure are merged into one message associated with the class\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: false
+.
+.IP "" 0
+.
 .SS "mkusers"
 Whether to create the necessary user and group that puppet agent will run as\.
 .
@@ -1452,6 +1474,14 @@ The public key directory\.
 .
 .IP "" 0
 .
+.SS "puppet_trace"
+Whether to print the Puppet stack trace on some errors\. This is a noop if \fBtrace\fR is also set\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: false
+.
+.IP "" 0
+.
 .SS "puppetdlog"
 The fallback log file\. This is only used when the \fB\-\-logdest\fR option is not specified AND Puppet is running on an operating system where both the POSIX syslog service and the Windows Event Log are unavailable\. (Currently, no supported operating systems match that description\.)
 .
@@ -1877,7 +1907,7 @@ Turns on experimental support for tasks and plans in the puppet language\. This
 .IP "" 0
 .
 .SS "trace"
-Whether to print stack traces on some errors
+Whether to print stack traces on some errors\. Will print internal Ruby stack trace interleaved with Puppet function frames\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: false

data/man/man8/puppet-agent.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-AGENT" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-AGENT" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-agent\fR \- The puppet agent daemon

data/man/man8/puppet-apply.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-APPLY" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-APPLY" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-apply\fR \- Apply Puppet manifests locally

data/man/man8/puppet-catalog.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CATALOG" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CATALOG" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.

data/man/man8/puppet-config.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-CONFIG" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-CONFIG" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.

data/man/man8/puppet-describe.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DESCRIBE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DESCRIBE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-describe\fR \- Display help about resource types

data/man/man8/puppet-device.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DEVICE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DEVICE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-device\fR \- Manage remote network devices

data/man/man8/puppet-doc.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-DOC" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-DOC" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-doc\fR \- Generate Puppet references

data/man/man8/puppet-epp.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-EPP" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-EPP" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.

data/man/man8/puppet-facts.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FACTS" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FACTS" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-facts\fR \- Retrieve and store facts\.

data/man/man8/puppet-filebucket.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-FILEBUCKET" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-FILEBUCKET" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket

data/man/man8/puppet-generate.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-GENERATE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-GENERATE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.

data/man/man8/puppet-help.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-HELP" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-HELP" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-help\fR \- Display Puppet help\.

data/man/man8/puppet-key.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-KEY" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-KEY" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-key\fR \- Create, save, and remove certificate keys\.

data/man/man8/puppet-lookup.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "LOOKUP" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "LOOKUP" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBlookup\fR \- Interactive Hiera lookup

data/man/man8/puppet-man.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-MAN" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-MAN" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-man\fR \- Display Puppet manual pages\.

data/man/man8/puppet-module.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-MODULE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-MODULE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.

data/man/man8/puppet-node.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-NODE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-NODE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-node\fR \- View and manage node definitions\.

data/man/man8/puppet-parser.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PARSER" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PARSER" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-parser\fR \- Interact directly with the parser\.

data/man/man8/puppet-plugin.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-PLUGIN" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-PLUGIN" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.

data/man/man8/puppet-report.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-REPORT" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-REPORT" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-report\fR \- Create, display, and submit reports\.

data/man/man8/puppet-resource.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-RESOURCE" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-RESOURCE" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-resource\fR \- The resource abstraction layer shell

data/man/man8/puppet-script.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SCRIPT" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SCRIPT" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-script\fR \- Run a puppet manifests as a script without compiling a catalog

data/man/man8/puppet-ssl.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-SSL" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-SSL" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-ssl\fR \- Manage SSL keys and certificates for puppet SSL clients

data/man/man8/puppet-status.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET\-STATUS" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET\-STATUS" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\-status\fR \- View puppet server status\.

data/man/man8/puppet.8

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPET" "8" "November 2019" "Puppet, Inc." "Puppet manual"
+.TH "PUPPET" "8" "January 2020" "Puppet, Inc." "Puppet manual"
 .
 .SH "NAME"
 \fBpuppet\fR
@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. plugin Interact with the Puppet plugin system\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.11\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.12\.0

data/spec/fixtures/unit/forge/bacula.json

@@ -0,0 +1,76 @@
+{
+  "pagination": {
+    "limit": 1,
+    "offset": 0,
+    "first": "/v3/modules?limit=1&offset=0",
+    "previous": null,
+    "current": "/v3/modules?limit=1&offset=0",
+    "next": null,
+    "total": 1832
+  },
+  "results": [
+    {
+      "uri": "/v3/modules/puppetlabs-bacula",
+      "name": "bacula",
+      "downloads": 640274,
+      "created_at": "2011-05-24 18:34:58 -0700",
+      "updated_at": "2013-12-03 15:24:20 -0800",
+      "owner": {
+        "uri": "/v3/users/puppetlabs",
+        "username": "puppetlabs",
+        "gravatar_id": "fdd009b7c1ec96e088b389f773e87aec"
+      },
+      "current_release": {
+        "uri": "/v3/releases/puppetlabs-bacula-0.0.2",
+        "module": {
+          "uri": "/v3/modules/puppetlabs-bacula",
+          "name": "bacula",
+          "owner": {
+            "uri": "/v3/users/puppetlabs",
+            "username": "puppetlabs",
+            "gravatar_id": "fdd009b7c1ec96e088b389f773e87aec"
+          }
+        },
+        "version": "0.0.2",
+        "metadata": {
+          "types": [],
+          "license": "Apache 2.0",
+          "checksums": { },
+          "version": "0.0.2",
+          "source": "git://github.com/puppetlabs/puppetlabs-bacula.git",
+          "project_page": "https://github.com/puppetlabs/puppetlabs-bacula",
+          "summary": "bacula",
+          "dependencies": [ ],
+          "author": "puppetlabs",
+          "name": "puppetlabs-bacula"
+        },
+        "tags": [
+          "backup",
+          "bacula"
+        ],
+        "file_uri": "/v3/files/puppetlabs-bacula-0.0.2.tar.gz",
+        "file_size": 67586,
+        "file_md5": "bbf919d7ee9d278d2facf39c25578bf8",
+        "downloads": 565041,
+        "readme": "",
+        "changelog": "",
+        "license": "",
+        "created_at": "2013-05-13 08:31:19 -0700",
+        "updated_at": "2013-05-13 08:31:19 -0700",
+        "deleted_at": null
+      },
+      "releases": [
+        {
+          "uri": "/v3/releases/puppetlabs-bacula-0.0.2",
+          "version": "0.0.2"
+        },
+        {
+          "uri": "/v3/releases/puppetlabs-bacula-0.0.1",
+          "version": "0.0.1"
+        }
+      ],
+      "homepage_url": "https://github.com/puppetlabs/puppetlabs-bacula",
+      "issues_url": "https://projects.puppetlabs.com/projects/bacula/issues"
+    }
+  ]
+}

data/spec/integration/http/client_spec.rb

@@ -0,0 +1,144 @@
+require 'spec_helper'
+require 'puppet_spec/https'
+require 'puppet_spec/files'
+
+describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
+  include PuppetSpec::Files
+
+  before :all do
+    WebMock.disable!
+  end
+
+  after :all do
+    WebMock.enable!
+  end
+
+  before :each do
+    # make sure we don't take too long
+    Puppet[:http_connect_timeout] = '5s'
+  end
+
+  let(:hostname) { '127.0.0.1' }
+  let(:wrong_hostname) { 'localhost' }
+  let(:server) { PuppetSpec::HTTPSServer.new }
+  let(:client) { Puppet::HTTP::Client.new }
+  let(:ssl_provider) { Puppet::SSL::SSLProvider.new }
+  let(:root_context) { ssl_provider.create_root_context(cacerts: [server.ca_cert], crls: [server.ca_crl]) }
+
+  context "when verifying an HTTPS server" do
+    it "connects over SSL" do
+      server.start_server do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: root_context)
+        expect(res).to be_success
+      end
+    end
+
+    it "raises connection error if we can't connect" do
+      Puppet[:http_connect_timeout] = '0s'
+
+      # get available port, but don't bind to it
+      tcps = TCPServer.new("127.0.0.1", 0)
+      port = tcps.connect_address.ip_port
+
+      expect {
+        client.get(URI("https://127.0.0.1:#{port}"), ssl_context: root_context)
+      }.to raise_error(Puppet::HTTP::ConnectionError, %r{^Request to https://127.0.0.1:#{port} timed out connect operation after .* seconds})
+    end
+
+    it "raises if the server's cert doesn't match the hostname we connected to" do
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://#{wrong_hostname}:#{port}"), ssl_context: root_context)
+        }.to raise_error { |err|
+          expect(err).to be_instance_of(Puppet::SSL::CertMismatchError)
+          expect(err.message).to match(/Server hostname '#{wrong_hostname}' did not match server certificate; expected one of (.+)/)
+
+          md = err.message.match(/expected one of (.+)/)
+          expect(md[1].split(', ')).to contain_exactly('127.0.0.1', 'DNS:127.0.0.1', 'DNS:127.0.0.2')
+        }
+      end
+    end
+
+    it "raises if the server's CA is unknown" do
+      wrong_ca = cert_fixture('netlock-arany-utf8.pem')
+      alt_context = ssl_provider.create_root_context(cacerts: [wrong_ca], revocation: false)
+
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), ssl_context: alt_context)
+        }.to raise_error(Puppet::SSL::CertVerifyError,
+                         %r{certificate verify failed.* .self signed certificate in certificate chain for CN=Test CA.})
+      end
+    end
+
+    it "prints TLS protocol and ciphersuite in debug" do
+      Puppet[:log_level] = 'debug'
+      server.start_server do |port|
+        client.get(URI("https://127.0.0.1:#{port}"), ssl_context: root_context)
+        # TLS version string can be TLSv1 or TLSv1.[1-3], but not TLSv1.0
+        expect(@logs).to include(
+          an_object_having_attributes(level: :debug, message: /Using TLSv1(\.[1-3])? with cipher .*/),
+        )
+      end
+    end
+  end
+
+  context "with client certs" do
+    let(:ctx_proc) {
+      -> ctx {
+        # configures the server to require the client to present a client cert
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      }
+    }
+
+    it "mutually authenticates the connection" do
+      client_context = ssl_provider.create_context(
+        cacerts: [server.ca_cert], crls: [server.ca_crl],
+        client_cert: server.server_cert, private_key: server.server_key
+      )
+
+      server.start_server(ctx_proc: ctx_proc) do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: client_context)
+        expect(res).to be_success
+      end
+    end
+  end
+
+  context "with a system trust store" do
+    it "connects when the client trusts the server's CA" do
+      system_context = ssl_provider.create_system_context(cacerts: [server.ca_cert])
+
+      server.start_server do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+        expect(res).to be_success
+      end
+    end
+
+    it "connects when the server's CA is in the system store" do
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      File.write(ssl_file, server.ca_cert)
+
+      # override path to system cacert bundle, this must be done before
+      # the SSLContext is created and the call to X509::Store.set_default_paths
+      Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+        system_context = ssl_provider.create_system_context(cacerts: [])
+        server.start_server do |port|
+          res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+          expect(res).to be_success
+        end
+      end
+    end
+
+    it "raises if the server's CA is not in the context or system store" do
+      system_context = ssl_provider.create_system_context(cacerts: [cert_fixture('netlock-arany-utf8.pem')])
+
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+        }.to raise_error(Puppet::SSL::CertVerifyError,
+                         %r{certificate verify failed.* .self signed certificate in certificate chain for CN=Test CA.})
+      end
+    end
+  end
+end