puppet 6.4.2 → 6.4.3

data/spec/unit/provider/service/upstart_spec.rb

@@ -33,35 +33,16 @@ describe 'Puppet::Type::Service::Provider::Upstart', unless: Puppet::Util::Platf
   end
 
   context "upstart daemon existence confine" do
-    # We have a separate method here because our search for the upstart daemon
-    # confine expects it to be the last confine declared in the upstart provider.
-    # If in the future we add other confines below it or change its order, these
-    # unit tests will fail. Placing knowledge of where this confine is located
-    # in one place makes updating it less painful in case we ever need to do this.
-    def assert_upstart_daemon_existence_confine_is(expected_value)
-      # Reload our provider to evaluate the :confine block
-      provider_class = Puppet::Type.type(:service).provider(:upstart)
-
-      upstart_daemon_existence_confine = provider_class.confine_collection.instance_variable_get(:@confines)[-1]
-      expect(upstart_daemon_existence_confine.valid?).to be(expected_value)
-    end
-
     let(:initctl_version) { ['/sbin/initctl', 'version', '--quiet'] }
 
     before(:each) do
-      # Stub out /sbin/initctl
       allow(Puppet::Util).to receive(:which).with('/sbin/initctl').and_return('/sbin/initctl')
-
-      # Both of our tests are asserting the confine :true block that shells out to
-      # `initctl version --quiet`. Its expression is evaluated at provider load-time.
-      # Hence before each test, we want to reload the upstart provider so that the
-      # confine is re-evaluated.
-      Puppet::Type.type(:service).unprovide(:upstart)
     end
 
     it "should return true when the daemon is running" do
       expect(Puppet::Util::Execution).to receive(:execute).with(initctl_version, instance_of(Hash))
-      assert_upstart_daemon_existence_confine_is(true)
+
+      expect(provider_class).to be_has_initctl
     end
 
     it "should return false when the daemon is not running" do
@@ -69,7 +50,7 @@ describe 'Puppet::Type::Service::Provider::Upstart', unless: Puppet::Util::Platf
         .with(initctl_version, instance_of(Hash))
         .and_raise(Puppet::ExecutionFailure, "initctl failed!")
 
-      assert_upstart_daemon_existence_confine_is(false)
+      expect(provider_class).to_not be_has_initctl
     end
   end
 

data/spec/unit/settings/server_list_setting_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+require 'puppet/settings/server_list_setting'
+
+describe Puppet::Settings::ServerListSetting do
+
+    it "prints strings as strings" do
+      settings = Puppet::Settings.new
+      settings.define_settings(:main, neptune: {type: :server_list, desc: 'list of servers'})
+      server_list_setting = settings.setting(:neptune)
+      expect(server_list_setting.print("jupiter,mars")).to eq("jupiter,mars")
+    end
+
+    it "prints arrays as strings" do
+      settings = Puppet::Settings.new
+      settings.define_settings(:main, neptune: {type: :server_list, desc: 'list of servers'})
+      server_list_setting = settings.setting(:neptune)
+      expect(server_list_setting.print([["main", 1234],["production", 8140]])).to eq("main:1234,production:8140")
+      expect(server_list_setting.print([])).to eq("")
+    end
+
+end

data/spec/unit/ssl/state_machine_spec.rb

@@ -7,14 +7,13 @@ require 'puppet/ssl'
 describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   include PuppetSpec::Files
 
-  before(:each) do
-    WebMock.disable_net_connect!
-
-    allow_any_instance_of(Net::HTTP).to receive(:start)
-    allow_any_instance_of(Net::HTTP).to receive(:finish)
-  end
-
+  let(:privatekeydir) { tmpdir('privatekeydir') }
+  let(:certdir) { tmpdir('certdir') }
+  let(:requestdir) { tmpdir('requestdir') }
   let(:machine) { described_class.new }
+  let(:cert_provider) { Puppet::X509::CertProvider.new(privatekeydir: privatekeydir, certdir: certdir, requestdir: requestdir) }
+  let(:ssl_provider) { Puppet::SSL::SSLProvider.new }
+  let(:machine) { described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider) }
   let(:cacert_pem) { cacert.to_pem }
   let(:cacert) { cert_fixture('ca.pem') }
   let(:cacerts) { [cacert] }
@@ -26,17 +25,21 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   let(:private_key) { key_fixture('signed-key.pem') }
   let(:client_cert) { cert_fixture('signed.pem') }
 
+  let(:refused_message) { %r{Connection refused|No connection could be made because the target machine actively refused it} }
+
   before(:each) do
     WebMock.disable_net_connect!
 
     allow_any_instance_of(Net::HTTP).to receive(:start)
     allow_any_instance_of(Net::HTTP).to receive(:finish)
+
+    allow(Kernel).to receive(:sleep)
   end
 
   context 'when ensuring CA certs and CRLs' do
     it 'returns an SSLContext with the loaded CA certs and CRLs' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(crls)
+      allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+      allow(cert_provider).to receive(:load_crls).and_return(crls)
 
       ssl_context = machine.ensure_ca_certificates
 
@@ -44,14 +47,56 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       expect(ssl_context[:crls]).to eq(crls)
       expect(ssl_context[:verify_peer]).to eq(true)
     end
+
+    context 'when exceptions occur' do
+      it 'raises in onetime mode' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca})
+          .to_raise(Errno::ECONNREFUSED)
+
+        machine = described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider, onetime: true)
+        expect {
+          machine.ensure_ca_certificates
+        }.to raise_error(Puppet::Error, refused_message)
+      end
+
+      it 'retries CA cert download' do
+        # allow cert to be saved to disk
+        FileUtils.mkdir_p(Puppet[:certdir])
+        allow(cert_provider).to receive(:load_crls).and_return(crls)
+
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/ca})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: cacert_pem)
+
+        machine.ensure_ca_certificates
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries CRL download' do
+        # allow crl to be saved to disk
+        FileUtils.mkdir_p(Puppet[:ssldir])
+        allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+
+        req = stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: crl_pem)
+
+        machine.ensure_ca_certificates
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+    end
   end
 
   context 'when ensuring a client cert' do
     it 'returns an SSLContext with the loaded CA certs, CRLs, private key and client cert' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(crls)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_return(private_key)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(client_cert)
+      allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+      allow(cert_provider).to receive(:load_crls).and_return(crls)
+      allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+      allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
 
       ssl_context = machine.ensure_client_certificate
 
@@ -61,6 +106,72 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       expect(ssl_context[:private_key]).to eq(private_key)
       expect(ssl_context[:client_cert]).to eq(client_cert)
     end
+
+    context 'when exceptions occur' do
+      before :each do
+        allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+        allow(cert_provider).to receive(:load_crls).and_return(crls)
+      end
+
+      it 'retries CSR submission' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow($stdout).to receive(:puts).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate/)
+
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+          .to_return(status: 200, body: client_cert.to_pem)
+        # first request raises, second succeeds
+        req = stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries client cert download' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+
+        # first request raises, second succeeds
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: client_cert.to_pem)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries when client cert and private key are mismatched' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+
+        # return mismatched cert the first time, correct cert second time
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+                .to_return(status: 200, body: cert_fixture('pluto.pem').to_pem)
+                .to_return(status: 200, body: client_cert.to_pem)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: %r{The certificate for 'CN=pluto' does not match its private key}))
+      end
+
+      it 'raises in onetime mode' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+          .to_raise(Errno::ECONNREFUSED)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}})
+          .to_return(status: 200)
+
+        machine = described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider, onetime: true)
+        expect {
+          machine.ensure_client_certificate
+        }.to raise_error(Puppet::Error, refused_message)
+      end
+    end
   end
 
   context 'NeedCACerts' do
@@ -71,20 +182,20 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     end
 
     it 'transitions to NeedCRLs state' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
+      allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
 
       expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::NeedCRLs)
     end
 
     it 'loads existing CA certs' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(cacerts)
+      allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
 
       st = state.next_state
       expect(st.ssl_context[:cacerts]).to eq(cacerts)
     end
 
     it 'fetches and saves CA certs' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(nil)
+      allow(cert_provider).to receive(:load_cacerts).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: cacert_pem)
 
       st = state.next_state
@@ -93,38 +204,38 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     end
 
     it "does not verify the server's cert if there are no local CA certs" do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(nil)
+      allow(cert_provider).to receive(:load_cacerts).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: cacert_pem)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_cacerts)
+      allow(cert_provider).to receive(:save_cacerts)
 
       expect_any_instance_of(Net::HTTP).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_NONE)
 
       state.next_state
     end
 
-    it 'raises if the server returns 404' do
+    it 'returns an Error if the server returns 404' do
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 404)
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /CA certificate is missing from the server/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("CA certificate is missing from the server")
     end
 
-    it 'raises if there is a different error' do
+    it 'returns an Error if there is a different exception' do
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: [500, 'Internal Server Error'])
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /Could not download CA certificate: Internal Server Error/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("Could not download CA certificate: Internal Server Error")
     end
 
-    it 'raises if CA certs are invalid' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_cacerts).and_return(nil)
+    it 'returns an Error if CA certs are invalid' do
+      allow(cert_provider).to receive(:load_cacerts).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: '')
 
-      expect {
-        state.next_state
-      }.to raise_error(OpenSSL::X509::CertificateError)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.error).to be_an_instance_of(OpenSSL::X509::CertificateError)
     end
 
     it 'does not save invalid CA certs' do
@@ -148,20 +259,20 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     end
 
     it 'transitions to NeedKey state' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(crls)
+      allow(cert_provider).to receive(:load_crls).and_return(crls)
 
       expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::NeedKey)
     end
 
     it 'loads existing CRLs' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(crls)
+      allow(cert_provider).to receive(:load_crls).and_return(crls)
 
       st = state.next_state
       expect(st.ssl_context[:crls]).to eq(crls)
     end
 
     it 'fetches and saves CRLs' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(nil)
+      allow(cert_provider).to receive(:load_crls).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_pem)
 
       st = state.next_state
@@ -170,38 +281,38 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     end
 
     it "verifies the server's certificate when fetching the CRL" do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(nil)
+      allow(cert_provider).to receive(:load_crls).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_pem)
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_crls)
+      allow(cert_provider).to receive(:save_crls)
 
       expect_any_instance_of(Net::HTTP).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
 
       state.next_state
     end
 
-    it 'raises if the server returns 404' do
+    it 'returns an Error if the server returns 404' do
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 404)
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /CRL is missing from the server/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("CRL is missing from the server")
     end
 
-    it 'raises if there is a different error' do
+    it 'returns an Error if there is a different exception' do
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: [500, 'Internal Server Error'])
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /Could not download CRLs: Internal Server Error/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("Could not download CRLs: Internal Server Error")
     end
 
-    it 'raises if CRLs are invalid' do
-      allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_crls).and_return(nil)
+    it 'returns an Error if CRLs are invalid' do
+      allow(cert_provider).to receive(:load_crls).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: '')
 
-      expect {
-        state.next_state
-      }.to raise_error(OpenSSL::X509::CRLError)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.error).to be_an_instance_of(OpenSSL::X509::CRLError)
     end
 
     it 'does not save invalid CRLs' do
@@ -218,7 +329,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     it 'skips CRL download when revocation is disabled' do
       Puppet[:certificate_revocation] = false
 
-      expect_any_instance_of(Puppet::X509::CertProvider).not_to receive(:load_crls)
+      expect(cert_provider).not_to receive(:load_crls)
       expect(Puppet::Rest::Routes).not_to receive(:get_crls)
 
       state.next_state
@@ -233,7 +344,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       let(:state) { Puppet::SSL::StateMachine::NeedKey.new(machine, ssl_context) }
 
       it 'loads an existing private key and passes it to the next state' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
 
         st = state.next_state
         expect(st).to be_instance_of(Puppet::SSL::StateMachine::NeedSubmitCSR)
@@ -241,16 +352,16 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       end
 
       it 'loads a matching private key and cert' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_return(private_key)
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(client_cert)
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(client_cert)
 
         st = state.next_state
         expect(st).to be_instance_of(Puppet::SSL::StateMachine::Done)
       end
 
       it 'raises if the client cert is mismatched' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_return(private_key)
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(cert_fixture('tampered-cert.pem'))
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow(cert_provider).to receive(:load_client_cert).and_return(cert_fixture('tampered-cert.pem'))
 
         expect {
           state.next_state
@@ -258,16 +369,17 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       end
 
       it 'generates a new private key, saves it and passes it to the next state' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_return(nil)
-        expect_any_instance_of(Puppet::X509::CertProvider).to receive(:save_private_key)
+        allow(cert_provider).to receive(:load_private_key).and_return(nil)
+        expect(cert_provider).to receive(:save_private_key)
 
         st = state.next_state
         expect(st).to be_instance_of(Puppet::SSL::StateMachine::NeedSubmitCSR)
         expect(st.private_key).to be_instance_of(OpenSSL::PKey::RSA)
+        expect(st.private_key).to be_private
       end
 
       it 'raises an error if it fails to load the key' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_private_key).and_raise(OpenSSL::PKey::RSAError)
+        allow(cert_provider).to receive(:load_private_key).and_raise(OpenSSL::PKey::RSAError)
 
         expect {
           state.next_state
@@ -286,7 +398,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       end
 
       before :each do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_request)
+        allow(cert_provider).to receive(:save_request)
       end
 
       it 'submits the CSR and transitions to NeedCert' do
@@ -298,7 +410,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       it 'saves the CSR and transitions to NeedCert' do
         stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 200)
 
-        expect_any_instance_of(Puppet::X509::CertProvider).to receive(:save_request).with(Puppet[:certname], instance_of(OpenSSL::X509::Request))
+        expect(cert_provider).to receive(:save_request).with(Puppet[:certname], instance_of(OpenSSL::X509::Request))
 
         state.next_state
       end
@@ -381,9 +493,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       it 'raises if the server errors' do
         stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 500)
 
-        expect {
-          state.next_state
-        }.to raise_error(Puppet::SSL::SSLError, /Failed to submit the CSR, HTTP response was 500/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("Failed to submit the CSR, HTTP response was 500")
       end
 
       it "verifies the server's certificate when submitting the CSR" do
@@ -402,31 +514,42 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       let(:state) { Puppet::SSL::StateMachine::NeedCert.new(machine, ssl_context, private_key) }
 
       it 'transitions to Done if the cert is signed and matches our private key' do
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_client_cert)
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_request)
+        allow(cert_provider).to receive(:save_client_cert)
+        allow(cert_provider).to receive(:save_request)
 
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: client_cert.to_pem)
 
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
       end
 
-      it 'transitions to Wait if the cert does not match our private key' do
+      it "prints a message if the cert isn't signed yet" do
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 404)
+
+        expect {
+          state.next_state
+        }.to output(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(#{Puppet[:certname]}\)/).to_stdout
+      end
+
+      it 'transitions to Error if the cert does not match our private key' do
         wrong_cert = cert_fixture('127.0.0.1.pem')
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: wrong_cert.to_pem)
 
-        expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Wait)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("The certificate for 'CN=127.0.0.1' does not match its private key")
       end
 
       it 'transitions to Wait if the server returns non-200' do
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 404)
 
+        allow($stdout).to receive(:puts).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate/)
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Wait)
       end
 
       it "verifies the server's certificate when getting the client cert" do
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: client_cert.to_pem)
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_client_cert)
-        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:save_request)
+        allow(cert_provider).to receive(:save_client_cert)
+        allow(cert_provider).to receive(:save_request)
 
         expect_any_instance_of(Net::HTTP).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
 
@@ -439,9 +562,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
           MIIBpDCCAQ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
         END
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: /Failed to parse certificate: /))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to match(/Failed to parse certificate:/)
         expect(File).to_not exist(Puppet[:hostcert])
       end
 
@@ -449,9 +572,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         wrong_cert = cert_fixture('127.0.0.1.pem').to_pem
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: wrong_cert)
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: %r{The certificate for 'CN=127.0.0.1' does not match its private key}))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("The certificate for 'CN=127.0.0.1' does not match its private key")
         expect(File).to_not exist(Puppet[:hostcert])
       end
 
@@ -459,9 +582,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         revoked_cert = cert_fixture('revoked.pem').to_pem
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: revoked_cert)
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: %r{Certificate 'CN=revoked' is revoked}))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("Certificate 'CN=revoked' is revoked")
         expect(File).to_not exist(Puppet[:hostcert])
       end
     end
@@ -474,18 +597,18 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
 
         expect {
           expect {
-            Puppet::SSL::StateMachine::Wait.new(machine, ssl_context).next_state
+            Puppet::SSL::StateMachine::Wait.new(machine).next_state
           }.to exit_with(1)
-        }.to output(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Exiting now because the waitforcert setting is set to 0./).to_stdout
+        }.to output(/Exiting now because the waitforcert setting is set to 0./).to_stdout
       end
 
       it 'sleeps and transitions to NeedCACerts' do
         machine = described_class.new(waitforcert: 15)
 
-        state = Puppet::SSL::StateMachine::Wait.new(machine, ssl_context)
-        expect(state).to receive(:sleep).with(15)
+        state = Puppet::SSL::StateMachine::Wait.new(machine)
+        expect(Kernel).to receive(:sleep).with(15)
 
-        expect(Puppet).to receive(:info).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Will try again in 15 seconds./)
+        expect(Puppet).to receive(:info).with(/Will try again in 15 seconds./)
 
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::NeedCACerts)
       end