puppet 6.4.0-x64-mingw32 → 6.4.1-x64-mingw32

data/lib/puppet/ssl.rb

@@ -3,7 +3,7 @@ require 'puppet'
 require 'openssl'
 
 module Puppet::SSL # :nodoc:
-  CA_NAME = "ca"
+  CA_NAME = "ca".freeze
   require 'puppet/ssl/host'
   require 'puppet/ssl/oids'
   require 'puppet/ssl/validator'

data/lib/puppet/ssl/certificate.rb

@@ -39,7 +39,7 @@ DOC
   # This name is what gets extracted from the subject before being passed
   # to the constructor, so it's not downcased
   def unmunged_name
-    self.class.name_from_subject(content.subject)
+    self.class.name_from_subject(content.subject.to_utf8)
   end
 
   # Any extensions registered with custom OIDs as defined in module

data/lib/puppet/ssl/error.rb

@@ -12,7 +12,7 @@ module Puppet::SSL
 
   class CertMismatchError < Puppet::SSL::SSLError
     def initialize(peer_cert, host)
-      valid_certnames = [peer_cert.subject.to_s.sub(/.*=/, ''),
+      valid_certnames = [peer_cert.subject.to_utf8.sub(/.*=/, ''),
                          *Puppet::SSL::Certificate.subject_alt_names_for(peer_cert)].uniq
       if valid_certnames.size > 1
         expected_certnames = _("expected one of %{certnames}") % { certnames: valid_certnames.join(', ') }

data/lib/puppet/ssl/host.rb

@@ -213,53 +213,6 @@ ERROR_STRING
     generate_certificate_request unless existing_request
   end
 
-  # Generate a keypair, generate a CSR, and submit it. If a local key pair
-  # already exists it will be used to generate the CSR. If a local CSR already
-  # exists and matches the key then the existing CSR will be submitted. If the
-  # CSR and key do not match an exception will be raised.
-  #
-  # @return [Puppet::SSL::CertificateRequest, nil]
-  def submit_request
-    generate_key unless key
-
-    csr = load_certificate_request_from_file
-    if csr
-      if key.content.public_key.to_s != csr.content.public_key.to_s
-        Puppet.warning("The local CSR does not match the agent's public key. Generating a new CSR.")
-
-        request_path = certificate_request_location(name)
-        Puppet::FileSystem.unlink(request_path)
-        csr = nil
-      end
-    end
-
-    if csr
-      validate_csr_with_key(csr, key)
-      submit_certificate_request(csr)
-      @certificate_request = csr
-    else
-      generate_certificate_request
-    end
-
-    @certificate_request
-  end
-
-  def validate_local_csr_with_key(csr, key)
-    if key.content.public_key.to_s != csr.content.public_key.to_s
-      raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, clean_params: clean_params, puppet_params: puppet_params }
-The local CSR does not match the agent's public key.
-CSR fingerprint: %{fingerprint}
-CSR public key: %{csr_public_key}
-Agent public key: %{agent_public_key}
-To fix this, remove the CSR from the agent and then start a puppet run, which will automatically regenerate a CSR.
-On the agent:
-  1. puppet ssl clean %{clean_params}
-  2. puppet %{puppet_params}
-ERROR_STRING
-    end
-  end
-  private :validate_local_csr_with_key
-
   def validate_csr_with_key(csr, key)
     if key.content.public_key.to_s != csr.content.public_key.to_s
       raise Puppet::Error, _(<<ERROR_STRING) % { fingerprint: csr.fingerprint, csr_public_key: csr.content.public_key.to_text, agent_public_key: key.content.public_key.to_text, cert_name: Puppet[:certname], clean_params: clean_params, puppet_params: puppet_params }

data/lib/puppet/ssl/ssl_provider.rb

@@ -153,11 +153,11 @@ class Puppet::SSL::SSLProvider
   end
 
   def subject(x509)
-    x509.subject.to_s
+    x509.subject.to_utf8
   end
 
   def issuer(x509)
-    x509.issuer.to_s
+    x509.issuer.to_utf8
   end
 
   def revocation_mode(mode)

data/lib/puppet/ssl/state_machine.rb

@@ -11,8 +11,6 @@ require 'puppet/ssl'
 #
 # @private
 class Puppet::SSL::StateMachine
-  CA_NAME = 'ca'.freeze
-
   class SSLState
     attr_reader :ssl_context
 
@@ -39,7 +37,7 @@ class Puppet::SSL::StateMachine
       if cacerts
         next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
       else
-        pem = Puppet::Rest::Routes.get_certificate(CA_NAME, @ssl_context)
+        pem = Puppet::Rest::Routes.get_certificate(Puppet::SSL::CA_NAME, @ssl_context)
         cacerts = @cert_provider.load_cacerts_from_pem(pem)
         # verify cacerts before saving
         next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
@@ -72,7 +70,7 @@ class Puppet::SSL::StateMachine
         if crls
           next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
         else
-          pem = Puppet::Rest::Routes.get_crls(CA_NAME, @ssl_context)
+          pem = Puppet::Rest::Routes.get_crls(Puppet::SSL::CA_NAME, @ssl_context)
           crls = @cert_provider.load_crls_from_pem(pem)
           # verify crls before saving
           next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
@@ -100,6 +98,8 @@ class Puppet::SSL::StateMachine
   #
   class NeedKey < SSLState
     def next_state
+      Puppet.debug(_("Loading/generating private key"))
+
       key = @cert_provider.load_private_key(Puppet[:certname])
       if key
         cert = @cert_provider.load_client_cert(Puppet[:certname])
@@ -138,6 +138,8 @@ class Puppet::SSL::StateMachine
   #
   class NeedSubmitCSR < KeySSLState
     def next_state
+      Puppet.debug(_("Generating and submitting a CSR"))
+
       csr = @cert_provider.create_request(Puppet[:certname], @private_key)
       Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], @ssl_context)
       @cert_provider.save_request(Puppet[:certname], csr)
@@ -155,6 +157,8 @@ class Puppet::SSL::StateMachine
   #
   class NeedCert < KeySSLState
     def next_state
+      Puppet.debug(_("Downloading client certificate"))
+
       cert = OpenSSL::X509::Certificate.new(
         Puppet::Rest::Routes.get_certificate(Puppet[:certname], @ssl_context)
       )
@@ -186,11 +190,13 @@ class Puppet::SSL::StateMachine
   #
   class Wait < SSLState
     def next_state
-      time = @machine.onetime ? 0 : @machine.waitforcert
+      time = @machine.waitforcert
       if time < 1
-        puts _("Exiting; no certificate found and waitforcert is disabled")
+        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
         exit(1)
       else
+        Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
+
         sleep(time)
 
         # our ssl directory may have been cleaned while we were
@@ -205,10 +211,9 @@ class Puppet::SSL::StateMachine
   #
   class Done < SSLState; end
 
-  attr_reader :onetime, :waitforcert
+  attr_reader :waitforcert
 
-  def initialize(onetime: Puppet[:onetime], waitforcert: Puppet[:waitforcert])
-    @onetime = onetime
+  def initialize(waitforcert: Puppet[:waitforcert])
     @waitforcert = waitforcert
   end
 
@@ -233,9 +238,9 @@ class Puppet::SSL::StateMachine
       chain.reverse.each_with_index do |cert, i|
         digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
         if i == chain.length - 1
-          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
+          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
         else
-          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
+          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
         end
       end
     end
@@ -247,15 +252,9 @@ class Puppet::SSL::StateMachine
 
   def run_machine(state, stop)
     loop do
-      Puppet.debug("Current SSL state #{state_name(state)}")
-
       state = state.next_state
 
       return state if state.is_a?(stop)
     end
   end
-
-  def state_name(state)
-    state.class.to_s.split('::').last
-  end
 end

data/lib/puppet/ssl/validator/default_validator.rb

@@ -88,13 +88,13 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
             Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
             preverify_ok = true
           else
-            @verify_errors << "#{error_string} for #{crl.issuer}"
+            @verify_errors << "#{error_string} for #{crl.issuer.to_utf8}"
           end
         else
           @verify_errors << error_string
         end
       else
-        @verify_errors << "#{error_string} for #{current_cert.subject}"
+        @verify_errors << "#{error_string} for #{current_cert.subject.to_utf8}"
       end
     end
     preverify_ok
@@ -156,8 +156,8 @@ class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
     if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
       msg = "The server presented a SSL certificate chain which does not include a " <<
         "CA listed in the ssl_client_ca_auth file.  "
-      msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
-        "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
+      msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject.to_utf8}.join(', ')}  " <<
+        "Peer Chain: #{descending_cert_chain.collect {|c| c.subject.to_utf8}.join(' => ')}"
       @verify_errors << msg
       false
     else

data/lib/puppet/ssl/verifier.rb

@@ -126,7 +126,7 @@ class Puppet::SSL::Verifier
     # TRANSLATORS: `error` is an untranslated message from openssl describing why a certificate in the server's chain is invalid, and `subject` is the identity/name of the failed certificate
     @last_error = Puppet::SSL::CertVerifyError.new(
       _("certificate verify failed [%{error} for %{subject}]") %
-      { error: store_context.error_string, subject: peer_cert.subject },
+      { error: store_context.error_string, subject: peer_cert.subject.to_utf8 },
       store_context.error, peer_cert
     )
     false

data/lib/puppet/transaction/event_manager.rb

@@ -155,11 +155,7 @@ class Puppet::Transaction::EventManager
     return true
   rescue => detail
     resource_error_message = _("Failed to call %{callback}: %{detail}") % { callback: callback, detail: detail }
-    resource.err resource_error_message
-    if not resource.is_a?(Puppet::Type.type(:whit))
-      add_callback_status_event(resource, callback, resource_error_message, "failure")
-    end
-
+    resource.err(resource_error_message)
     transaction.resource_status(resource).failed_to_restart = true
     transaction.resource_status(resource).fail_with_event(resource_error_message)
     resource.log_exception(detail)

data/lib/puppet/util/connection.rb

@@ -25,16 +25,17 @@ module Puppet::Util
     # @return [String] the name of the server for use in the request
     def self.determine_server(setting)
       if setting && setting != :server && Puppet.settings.set_by_config?(setting)
+        debug_once _("Selected server from the %{setting} setting: %{server}") % {setting: setting, server: Puppet.settings[setting]}
         Puppet[setting]
       else
         server = Puppet.lookup(:server) do
           if primary_server = Puppet.settings[:server_list][0]
-            debug_once('Dynamically-bound server lookup failed; using first entry')
+            #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+            debug_once _("Dynamically-bound server lookup failed; using first entry from the `server_list` setting: %{server}") % {server: primary_server[0]}
             primary_server[0]
           else
             setting ||= :server
-            debug_once('Dynamically-bound server lookup failed, falling back to %{setting} setting' %
-                       {setting: setting})
+            debug_once _("Dynamically-bound server lookup failed, falling back to %{setting} setting: %{server}") % {setting: setting, server: Puppet.settings[setting]}
             Puppet.settings[setting]
           end
         end
@@ -55,20 +56,26 @@ module Puppet::Util
     def self.determine_port(port_setting, server_setting)
       if (port_setting && port_setting != :masterport && Puppet.settings.set_by_config?(port_setting)) ||
          (server_setting && server_setting != :server && Puppet.settings.set_by_config?(server_setting))
+        debug_once _("Selected port from the %{setting} setting: %{port}") % {setting: port_setting, port: Puppet.settings[port_setting].to_i}
         Puppet.settings[port_setting].to_i
       else
         port = Puppet.lookup(:serverport) do
           if primary_server = Puppet.settings[:server_list][0]
-            debug_once('Dynamically-bound port lookup failed; using first entry')
-
             # Port might not be set, so we want to fallback in that
             # case. We know we don't need to use `setting` here, since
             # the default value of every port setting is `masterport`
-            (primary_server[1] || Puppet.settings[:masterport])
+            if primary_server[1]
+              #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+              debug_once _("Dynamically-bound port lookup failed; using first entry from the `server_list` setting: %{port}") % {port: primary_server[1]}
+              primary_server[1]
+            else
+              #TRANSLATORS 'masterport' is the name of a setting and should not be translated
+              debug_once _("Dynamically-bound port lookup failed; falling back to `masterport` setting: %{port}") % {port: Puppet.settings[:masterport]}
+              Puppet.settings[:masterport]
+            end
           else
             port_setting ||= :masterport
-            debug_once('Dynamically-bound port lookup failed; falling back to %{port_setting} setting' %
-                       {port_setting: port_setting})
+            debug_once _("Dynamically-bound port lookup failed; falling back to %{setting} setting: %{port}") % {setting: port_setting, port: Puppet.settings[port_setting]}
             Puppet.settings[port_setting]
           end
         end

data/lib/puppet/util/monkey_patches.rb

@@ -70,7 +70,7 @@ if Puppet::Util::Platform.windows?
           begin
             add_cert(x509)
           rescue OpenSSL::X509::StoreError
-            warn "Failed to add #{x509.subject.to_s}"
+            warn "Failed to add #{x509.subject.to_utf8}"
           end
         end
       end
@@ -80,6 +80,25 @@ if Puppet::Util::Platform.windows?
   end
 end
 
+unless OpenSSL::X509::Name.instance_methods.include?(:to_utf8)
+  class OpenSSL::X509::Name
+    # https://github.com/openssl/openssl/blob/OpenSSL_1_1_0j/include/openssl/asn1.h#L362
+    ASN1_STRFLGS_ESC_MSB = 4
+
+    FLAGS = if RUBY_PLATFORM == 'java'
+              OpenSSL::X509::Name::RFC2253
+            else
+              OpenSSL::X509::Name::RFC2253 & ~ASN1_STRFLGS_ESC_MSB
+            end
+
+    def to_utf8
+      # https://github.com/ruby/ruby/blob/v2_5_5/ext/openssl/ossl_x509name.c#L317
+      str = to_s(FLAGS)
+      str.force_encoding(Encoding::UTF_8)
+    end
+  end
+end
+
 # The Enumerable#uniq method was added in Ruby 2.4.0 (https://bugs.ruby-lang.org/issues/11090)
 # This is a backport to earlier Ruby versions.
 #

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.4.0'
+  PUPPETVERSION = '6.4.1'
 
   ##
   # version is a public API method intended to always provide a fast and

data/locales/puppet.pot

@@ -6,11 +6,11 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: Puppet automation framework 6.3.0-193-g0da1ea8\n"
+"Project-Id-Version: Puppet automation framework 6.4.0-81-gcb43a63\n"
 "\n"
 "Report-Msgid-Bugs-To: https://tickets.puppetlabs.com\n"
-"POT-Creation-Date: 2019-03-20 21:18+0000\n"
-"PO-Revision-Date: 2019-03-20 21:18+0000\n"
+"POT-Creation-Date: 2019-04-04 23:31+0000\n"
+"PO-Revision-Date: 2019-04-04 23:31+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -272,23 +272,23 @@ msgstr ""
 msgid "No device found in %{config}"
 msgstr ""
 
-#: ../lib/puppet/application/device.rb:281
+#: ../lib/puppet/application/device.rb:297
 msgid "retrieving resource: %{resource} from %{target} at %{scheme}%{url_host}%{port}%{url_path}"
 msgstr ""
 
-#: ../lib/puppet/application/device.rb:296
+#: ../lib/puppet/application/device.rb:312
 msgid "retrieving facts from %{target} at %{scheme}%{url_host}%{port}%{url_path}"
 msgstr ""
 
-#: ../lib/puppet/application/device.rb:321
+#: ../lib/puppet/application/device.rb:335
 msgid "starting applying configuration to %{target} at %{scheme}%{url_host}%{port}%{url_path}"
 msgstr ""
 
-#: ../lib/puppet/application/device.rb:358 ../lib/puppet/application/resource.rb:196
+#: ../lib/puppet/application/device.rb:372 ../lib/puppet/application/resource.rb:196
 msgid "You must specify the type to display"
 msgstr ""
 
-#: ../lib/puppet/application/device.rb:359 ../lib/puppet/application/resource.rb:197
+#: ../lib/puppet/application/device.rb:373 ../lib/puppet/application/resource.rb:197
 msgid "Could not find type %{type}"
 msgstr ""
 
@@ -378,6 +378,17 @@ msgstr ""
 msgid "Cancelling"
 msgstr ""
 
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/application/filebucket.rb:293
+msgid "Selected server from first entry of the `server_list` setting: %{server}:%{port}"
+msgstr ""
+
+#. TRANSLATORS 'server' is the name of a setting and should not be translated
+#. TRANSLATORS 'server' is the name of a setting and should not be translated
+#: ../lib/puppet/application/filebucket.rb:300 ../lib/puppet/indirector/request.rb:215
+msgid "Selected server from the `server` setting: %{server}"
+msgstr ""
+
 #: ../lib/puppet/application/lookup.rb:8
 msgid "Run 'puppet lookup --help' for more details"
 msgstr ""
@@ -548,67 +559,69 @@ msgstr ""
 msgid "Could not select a functional puppet master from server_list: '%{server_list}'"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:232
-msgid "Selected puppet server: %{server}:%{port}"
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/configurer.rb:233
+msgid "Selected puppet server from the `server_list` setting: %{server}:%{port}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:264
+#: ../lib/puppet/configurer.rb:265
 msgid "Local environment: '%{local_env}' doesn't match the environment of the cached catalog '%{catalog_env}', switching agent to '%{catalog_env}'."
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:309
+#: ../lib/puppet/configurer.rb:310
 msgid "Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'."
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:314
+#: ../lib/puppet/configurer.rb:315
 msgid "Using configured environment '%{env}'"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:318
+#: ../lib/puppet/configurer.rb:319
 msgid "Unable to fetch my node definition, but the agent run will continue:"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:346
+#: ../lib/puppet/configurer.rb:347
 msgid "Not using catalog because its environment '%{catalog_env}' does not match agent specified environment '%{local_env}' and strict_environment_mode is set"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:357
+#: ../lib/puppet/configurer.rb:358
 msgid "Catalog environment didn't stabilize after %{tries} fetches, aborting run"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:359
+#: ../lib/puppet/configurer.rb:360
 msgid "Local environment: '%{local_env}' doesn't match server specified environment '%{catalog_env}', restarting agent run with environment '%{catalog_env}'"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:378
+#: ../lib/puppet/configurer.rb:379
 msgid "Failed to apply catalog: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:403
+#: ../lib/puppet/configurer.rb:404
 msgid "Puppet server %{host}:%{port} is unavailable: %{code} %{reason}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:407
-msgid "Puppet server %{host}:%{port} is unreachable"
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/configurer.rb:408
+msgid "Unable to connect to server from server_list setting: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:419 ../lib/puppet/face/report.rb:47
+#: ../lib/puppet/configurer.rb:420 ../lib/puppet/face/report.rb:47
 msgid "Could not send report: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:428
+#: ../lib/puppet/configurer.rb:429
 msgid "Could not save last run local report: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:440
+#: ../lib/puppet/configurer.rb:441
 msgid "Could not run command from %{setting}: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:458
+#: ../lib/puppet/configurer.rb:459
 msgid "Could not retrieve catalog from cache: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/configurer.rb:478
+#: ../lib/puppet/configurer.rb:479
 msgid "Could not retrieve catalog from remote server: %{detail}"
 msgstr ""
 
@@ -691,15 +704,15 @@ msgid "Convert custom terminus to hiera 5 API."
 msgstr ""
 
 #. TRANSLATORS 'environment_data_provider' is a setting and should not be translated
-#: ../lib/puppet/defaults.rb:652
+#: ../lib/puppet/defaults.rb:672
 msgid "Setting 'environment_data_provider' is deprecated."
 msgstr ""
 
-#: ../lib/puppet/defaults.rb:733
+#: ../lib/puppet/defaults.rb:753
 msgid "Certificate names must be lower case"
 msgstr ""
 
-#: ../lib/puppet/defaults.rb:964 ../lib/puppet/settings/enum_setting.rb:13 ../lib/puppet/settings/symbolic_enum_setting.rb:14
+#: ../lib/puppet/defaults.rb:984 ../lib/puppet/settings/enum_setting.rb:13 ../lib/puppet/settings/symbolic_enum_setting.rb:14
 msgid "Invalid value '%{value}' for parameter %{name}. Allowed values are '%{allowed_values}'"
 msgstr ""
 
@@ -2644,19 +2657,34 @@ msgstr ""
 msgid "Server version %{version} does not accept reports in '%{format}', use `preferred_serialization_format=pson`"
 msgstr ""
 
-#: ../lib/puppet/indirector/request.rb:100
+#: ../lib/puppet/indirector/request.rb:102
 msgid "Could not find indirection '%{indirection}'"
 msgstr ""
 
-#: ../lib/puppet/indirector/request.rb:139
+#: ../lib/puppet/indirector/request.rb:141
 msgid "HTTP REST queries cannot handle values of type '%{klass}'"
 msgstr ""
 
-#: ../lib/puppet/indirector/request.rb:198
+#: ../lib/puppet/indirector/request.rb:200
 msgid "Error connecting to %{srv_server}:%{srv_port}: %{message}"
 msgstr ""
 
-#: ../lib/puppet/indirector/request.rb:249
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/indirector/request.rb:211
+msgid "Selected server from first entry of the `server_list` setting: %{server}"
+msgstr ""
+
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/indirector/request.rb:227
+msgid "Selected port from the first entry of the `server_list` setting: %{port}"
+msgstr ""
+
+#. TRANSLATORS 'masterport' is the name of a setting and should not be translated
+#: ../lib/puppet/indirector/request.rb:231
+msgid "Selected port from the `masterport` setting: %{port}"
+msgstr ""
+
+#: ../lib/puppet/indirector/request.rb:262
 msgid "Could not understand URL %{key}: %{detail}"
 msgstr ""
 
@@ -7684,19 +7712,7 @@ msgid ""
 "  2. puppet %{puppet_params}\n"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:249
-msgid ""
-"The local CSR does not match the agent's public key.\n"
-"CSR fingerprint: %{fingerprint}\n"
-"CSR public key: %{csr_public_key}\n"
-"Agent public key: %{agent_public_key}\n"
-"To fix this, remove the CSR from the agent and then start a puppet run, which will automatically regenerate a CSR.\n"
-"On the agent:\n"
-"  1. puppet ssl clean %{clean_params}\n"
-"  2. puppet %{puppet_params}\n"
-msgstr ""
-
-#: ../lib/puppet/ssl/host.rb:265
+#: ../lib/puppet/ssl/host.rb:218
 msgid ""
 "The CSR retrieved from the master does not match the agent's public key.\n"
 "CSR fingerprint: %{fingerprint}\n"
@@ -7710,53 +7726,53 @@ msgid ""
 "  2. puppet %{puppet_params}\n"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:319 ../lib/puppet/ssl/host.rb:340
+#: ../lib/puppet/ssl/host.rb:272 ../lib/puppet/ssl/host.rb:293
 msgid "Could not request certificate: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:321
+#: ../lib/puppet/ssl/host.rb:274
 msgid "Exiting; failed to retrieve certificate and waitforcert is disabled"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:330 ../lib/puppet/ssl/state_machine.rb:191
+#: ../lib/puppet/ssl/host.rb:283
 msgid "Exiting; no certificate found and waitforcert is disabled"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:338
+#: ../lib/puppet/ssl/host.rb:291
 msgid "Did not receive certificate"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:378
+#: ../lib/puppet/ssl/host.rb:331
 msgid "Response from the CA did not contain a valid certificate request: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:384
+#: ../lib/puppet/ssl/host.rb:337
 msgid "Could not download certificate request: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:411
+#: ../lib/puppet/ssl/host.rb:364
 msgid ""
 "Failed attempting to load CRL from %{crl_path}! The CRL below caused the error '%{error}':\n"
 "%{crl}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:443 ../lib/puppet/ssl/state_machine.rb:91
+#: ../lib/puppet/ssl/host.rb:396 ../lib/puppet/ssl/state_machine.rb:89
 msgid "Could not download CRLs: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:473
+#: ../lib/puppet/ssl/host.rb:426
 msgid "The certificate at %{file_path} is invalid. Could not load."
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:494
+#: ../lib/puppet/ssl/host.rb:447
 msgid "Response from the CA did not contain a valid certificate for %{cert_name}."
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:498
+#: ../lib/puppet/ssl/host.rb:451
 msgid "No certificate for %{cert_name} on CA"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:501
+#: ../lib/puppet/ssl/host.rb:454
 msgid "Could not download host certificate: %{message}"
 msgstr ""
 
@@ -7852,39 +7868,59 @@ msgstr ""
 msgid "Certificate '%{subject}' failed verification (%{err}): %{err_utf8}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:52
+#: ../lib/puppet/ssl/state_machine.rb:50
 msgid "CA certificate is missing from the server"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:54
+#: ../lib/puppet/ssl/state_machine.rb:52
 msgid "Could not download CA certificate: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:89
+#: ../lib/puppet/ssl/state_machine.rb:87
 msgid "CRL is missing from the server"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:147
+#: ../lib/puppet/ssl/state_machine.rb:101
+msgid "Loading/generating private key"
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:141
+msgid "Generating and submitting a CSR"
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:149
 msgid "Failed to submit the CSR, HTTP response was %{code}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:172
-msgid "Failed to parse certificate: %{message}"
+#: ../lib/puppet/ssl/state_machine.rb:160
+msgid "Downloading client certificate"
 msgstr ""
 
 #: ../lib/puppet/ssl/state_machine.rb:176
+msgid "Failed to parse certificate: %{message}"
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:180
 msgid "Certificate for %{certname} has not been signed yet"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:178
+#: ../lib/puppet/ssl/state_machine.rb:182
 msgid "Failed to retrieve certificate for %{certname}: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:236
+#: ../lib/puppet/ssl/state_machine.rb:195
+msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0."
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:198
+msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds."
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:241
 msgid "Verified client certificate '%{subject}' fingerprint %{digest}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:238
+#: ../lib/puppet/ssl/state_machine.rb:243
 msgid "Verified CA certificate '%{subject}' fingerprint %{digest}"
 msgstr ""
 
@@ -8061,7 +8097,7 @@ msgstr[1] ""
 msgid "Failed to call %{callback}: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/transaction/event_manager.rb:176
+#: ../lib/puppet/transaction/event_manager.rb:172
 msgid "Would have triggered '%{callback}' from %{count} event"
 msgid_plural "Would have triggered '%{callback}' from %{count} events"
 msgstr[0] ""
@@ -8928,6 +8964,37 @@ msgstr ""
 msgid "Trollop::die can only be called after Trollop::options"
 msgstr ""
 
+#: ../lib/puppet/util/connection.rb:28
+msgid "Selected server from the %{setting} setting: %{server}"
+msgstr ""
+
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/util/connection.rb:34
+msgid "Dynamically-bound server lookup failed; using first entry from the `server_list` setting: %{server}"
+msgstr ""
+
+#: ../lib/puppet/util/connection.rb:38
+msgid "Dynamically-bound server lookup failed, falling back to %{setting} setting: %{server}"
+msgstr ""
+
+#: ../lib/puppet/util/connection.rb:59
+msgid "Selected port from the %{setting} setting: %{port}"
+msgstr ""
+
+#. TRANSLATORS 'server_list' is the name of a setting and should not be translated
+#: ../lib/puppet/util/connection.rb:69
+msgid "Dynamically-bound port lookup failed; using first entry from the `server_list` setting: %{port}"
+msgstr ""
+
+#. TRANSLATORS 'masterport' is the name of a setting and should not be translated
+#: ../lib/puppet/util/connection.rb:73
+msgid "Dynamically-bound port lookup failed; falling back to `masterport` setting: %{port}"
+msgstr ""
+
+#: ../lib/puppet/util/connection.rb:78
+msgid "Dynamically-bound port lookup failed; falling back to %{setting} setting: %{port}"
+msgstr ""
+
 #: ../lib/puppet/util/diff.rb:28
 msgid "Cannot provide diff without the diff/lcs Ruby library"
 msgstr ""