puppet 6.5.0 → 6.6.0

data/man/man5/puppet.conf.5

@@ -889,7 +889,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
 The HTTP User\-Agent string to send when making network requests\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: Puppet/6\.5\.0 Ruby/2\.4\.1\-p111 (x86_64\-linux)
+\fIDefault\fR: Puppet/6\.6\.0 Ruby/2\.4\.1\-p111 (x86_64\-linux)
 .
 .IP "" 0
 .

data/man/man8/puppet.8

@@ -25,4 +25,4 @@ Specialized:
 catalog Compile, save, view, and convert catalogs\. describe Display help about resource types device Manage remote network devices doc Generate Puppet references epp Interact directly with the EPP template parser/renderer\. facts Retrieve and store facts\. filebucket Store and retrieve files in a filebucket generate Generates Puppet code from Ruby definitions\. node View and manage node definitions\. parser Interact directly with the parser\. script Run a puppet manifests as a script without compiling a catalog ssl Manage SSL keys and certificates for puppet SSL clients
 .
 .P
-See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.5\.0
+See \'puppet help \fIsubcommand\fR \fIaction\fR\' for help on a specific subcommand action\. See \'puppet help \fIsubcommand\fR\' for help on a specific subcommand\. Puppet v6\.6\.0

data/spec/unit/application/agent_spec.rb

@@ -7,6 +7,8 @@ require 'puppet/daemon'
 describe Puppet::Application::Agent do
   include PuppetSpec::Files
 
+  let(:machine) { double(ensure_client_certificate: nil) }
+
   before :each do
     @puppetd = Puppet::Application[:agent]
 
@@ -27,8 +29,6 @@ describe Puppet::Application::Agent do
     allow(Puppet::Node.indirection).to receive(:cache_class=)
     allow(Puppet::Node::Facts.indirection).to receive(:terminus_class=)
 
-    expect($stderr).not_to receive(:puts)
-
     allow(Puppet.settings).to receive(:use)
   end
 
@@ -125,7 +125,7 @@ describe Puppet::Application::Agent do
       allow(@agent).to receive(:run).and_return(2)
       Puppet[:onetime] = true
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 0).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 0).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
@@ -135,13 +135,20 @@ describe Puppet::Application::Agent do
       Puppet[:onetime] = true
       @puppetd.handle_waitforcert(60)
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 60).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 60).and_return(machine)
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(machine)
+
+      execute_agent
+    end
+
+    it "should register ssl OIDs" do
       expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 120).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
 
       execute_agent
     end
@@ -149,7 +156,7 @@ describe Puppet::Application::Agent do
     it "should use the waitforcert setting when checking for a signed certificate" do
       Puppet[:waitforcert] = 10
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 10).and_return(double(ensure_client_certificate: nil))
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 10).and_return(machine)
 
       execute_agent
     end
@@ -386,7 +393,7 @@ describe Puppet::Application::Agent do
     it "should inform the daemon about our agent if :client is set to 'true'" do
       @puppetd.options[:client] = true
 
-      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
 
       execute_agent
 
@@ -398,7 +405,7 @@ describe Puppet::Application::Agent do
       Puppet[:daemonize] = true
       allow(Signal).to receive(:trap)
 
-      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
 
       expect(@daemon).to receive(:daemonize)
 
@@ -408,22 +415,7 @@ describe Puppet::Application::Agent do
     it "should wait for a certificate" do
       @puppetd.options[:waitforcert] = 123
 
-      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 123).and_return(double(ensure_client_certificate: nil))
-
-      execute_agent
-    end
-
-    it "should not wait for a certificate in fingerprint mode" do
-      @puppetd.options[:fingerprint] = true
-      @puppetd.options[:waitforcert] = 123
-      @puppetd.options[:digest] = 'MD5'
-
-      certificate = double('certificate')
-      allow(certificate).to receive(:to_der).and_return('ABCDE')
-      ssl_context = double('ssl_context', client_cert: certificate)
-      allow(Puppet::SSL::StateMachine).to receive(:new).with(onetime: true).and_return(double(ensure_client_certificate: ssl_context))
-
-      expect(@puppetd).to receive(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
+      expect(Puppet::SSL::StateMachine).to receive(:new).with(waitforcert: 123).and_return(machine)
 
       execute_agent
     end
@@ -478,7 +470,7 @@ describe Puppet::Application::Agent do
 
     it "should dispatch to onetime if --onetime is used" do
       Puppet[:onetime] = true
-      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
 
       expect(@puppetd).to receive(:onetime)
 
@@ -487,7 +479,7 @@ describe Puppet::Application::Agent do
 
     it "should dispatch to main if --onetime and --fingerprint are not used" do
       Puppet[:onetime] = false
-      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+      allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
 
       expect(@puppetd).to receive(:main)
 
@@ -501,7 +493,7 @@ describe Puppet::Application::Agent do
         @puppetd.options[:client] = :client
         @puppetd.options[:detailed_exitcodes] = false
 
-        allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+        allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
       end
 
       it "should setup traps" do
@@ -552,26 +544,55 @@ describe Puppet::Application::Agent do
 
     describe "with --fingerprint" do
       before :each do
-        @cert = double('cert')
         @puppetd.options[:fingerprint] = true
         @puppetd.options[:digest] = :MD5
       end
 
       it "should fingerprint the certificate if it exists" do
-        allow(@cert).to receive(:to_der).and_return('ABCDE')
-        ssl_context = double('ssl_context', client_cert: @cert)
-        allow(Puppet::SSL::StateMachine).to receive(:new).with(onetime: true).and_return(double(ensure_client_certificate: ssl_context))
+        cert = cert_fixture('signed.pem')
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(cert)
 
-        expect(@puppetd).to receive(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
+        expect(@puppetd).to receive(:puts).with('(MD5) E2:BA:9A:EF:20:A8:7D:10:8D:82:9A:61:5D:FD:5B:33')
 
         @puppetd.fingerprint
       end
+
+      it "should fingerprint the request if it exists" do
+        request = request_fixture('request.pem')
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(nil)
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_request).and_return(request)
+
+        expect(@puppetd).to receive(:puts).with('(MD5) B8:4C:FB:31:AE:17:86:E3:AD:53:97:CA:F6:3C:4A:CB')
+
+        @puppetd.fingerprint
+      end
+
+      it "should print an error to stderr if neither exist" do
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_return(nil)
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_request).and_return(nil)
+
+        expect {
+          expect {
+            @puppetd.fingerprint
+          }.to exit_with(1)
+        }.to output(/Fingerprint asked but neither the certificate, nor the certificate request have been issued/).to_stderr
+      end
+
+      it "should log an error if an exception occurs" do
+        allow_any_instance_of(Puppet::X509::CertProvider).to receive(:load_client_cert).and_raise(Puppet::Error, "Invalid PEM")
+
+        expect {
+          @puppetd.fingerprint
+        }.to exit_with(1)
+
+        expect(@logs).to include(an_object_having_attributes(message: /Failed to generate fingerprint: Invalid PEM/))
+      end
     end
 
     describe "without --onetime and --fingerprint" do
       before :each do
         allow(Puppet).to receive(:notice)
-        allow(Puppet::SSL::StateMachine).to receive(:new).and_return(double(ensure_client_certificate: nil))
+        allow(Puppet::SSL::StateMachine).to receive(:new).and_return(machine)
       end
 
       it "should start our daemon" do

data/spec/unit/application/ssl_spec.rb

@@ -125,6 +125,11 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
     end
 
+    it 'registers OIDs' do
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+      expects_command_to_fail(%r{Failed to submit certificate request})
+    end
+
     it 'submits the CSR and saves it locally' do
       stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
       stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
@@ -401,6 +406,14 @@ describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
       ssl.command_line.args << 'bootstrap'
     end
 
+    it 'registers the OIDs' do
+      expect_any_instance_of(Puppet::SSL::StateMachine).to receive(:ensure_client_certificate).and_return(
+        double('ssl_context')
+      )
+      expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
+      expects_command_to_pass
+    end
+
     it 'returns an SSLContext with the loaded CA certs, CRLs, private key and client cert' do
       expect_any_instance_of(Puppet::SSL::StateMachine).to receive(:ensure_client_certificate).and_return(
         double('ssl_context')

data/spec/unit/configurer_spec.rb

@@ -1005,7 +1005,7 @@ describe Puppet::Configurer do
       @agent.run :catalog => catalog
     end
 
-    it "should select a server when provided" do
+    it "should select a server when it receives 200 OK response" do
       Puppet.settings[:server_list] = ["myserver:123"]
       response = Net::HTTPOK.new(nil, 200, 'OK')
       allow(Puppet::Network::HttpPool).to receive(:connection).with('myserver', 123, anything).and_return(double('request', get: response))

data/spec/unit/provider/package/pip_spec.rb

@@ -145,7 +145,7 @@ describe Puppet::Type.type(:package).provider(:pip) do
   context "latest" do
     context "with pip version < 1.5.4" do
       before :each do
-        allow(@provider).to receive(:pip_version).with("/fake/bin/pip").and_return('1.0.1')
+        allow(described_class).to receive(:pip_version).with("/fake/bin/pip").and_return('1.0.1')
         allow(described_class).to receive(:which).with('pip').and_return("/fake/bin/pip")
         allow(described_class).to receive(:which).with('pip-python').and_return("/fake/bin/pip")
         allow(described_class).to receive(:which).with('pip.exe').and_return("/fake/bin/pip")
@@ -203,12 +203,12 @@ describe Puppet::Type.type(:package).provider(:pip) do
       # For Pip 1.5.4 and above, you can get a version list from CLI - which allows for native pip behavior
       # with regards to custom repositories, proxies and the like
       before :each do
+        allow(described_class).to receive(:pip_version).with("/fake/bin/pip").and_return('1.5.4')
         allow(described_class).to receive(:which).with('pip').and_return("/fake/bin/pip")
         allow(described_class).to receive(:which).with('pip-python').and_return("/fake/bin/pip")
         allow(described_class).to receive(:which).with('pip.exe').and_return("/fake/bin/pip")
         allow(described_class).to receive(:provider_command).and_return('/fake/bin/pip')
         allow(described_class).to receive(:validate_command).with('/fake/bin/pip')
-        allow(@provider).to receive(:pip_version).with("/fake/bin/pip").and_return('1.5.4')
       end
 
       it "should find a version number for real_package" do

data/spec/unit/ssl/state_machine_spec.rb

@@ -7,9 +7,14 @@ require 'puppet/ssl'
 describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   include PuppetSpec::Files
 
-  let(:cert_provider) { Puppet::X509::CertProvider.new }
+  let(:privatekeydir) { tmpdir('privatekeydir') }
+  let(:certdir) { tmpdir('certdir') }
+  let(:requestdir) { tmpdir('requestdir') }
+  let(:machine) { described_class.new }
+  let(:cert_provider) { Puppet::X509::CertProvider.new(privatekeydir: privatekeydir, certdir: certdir, requestdir: requestdir) }
   let(:ssl_provider) { Puppet::SSL::SSLProvider.new }
   let(:machine) { described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider) }
+
   let(:cacert_pem) { cacert.to_pem }
   let(:cacert) { cert_fixture('ca.pem') }
   let(:cacerts) { [cacert] }
@@ -21,6 +26,8 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
   let(:private_key) { key_fixture('signed-key.pem') }
   let(:client_cert) { cert_fixture('signed.pem') }
 
+  let(:refused_message) { %r{Connection refused|No connection could be made because the target machine actively refused it} }
+
   before(:each) do
     WebMock.disable_net_connect!
 
@@ -28,6 +35,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
     allow_any_instance_of(Net::HTTP).to receive(:finish)
 
     Puppet[:ssl_lockfile] = tmpfile('ssllock')
+    allow(Kernel).to receive(:sleep)
   end
 
   context 'when ensuring CA certs and CRLs' do
@@ -41,6 +49,48 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       expect(ssl_context[:crls]).to eq(crls)
       expect(ssl_context[:verify_peer]).to eq(true)
     end
+
+    context 'when exceptions occur' do
+      it 'raises in onetime mode' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/ca})
+          .to_raise(Errno::ECONNREFUSED)
+
+        machine = described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider, onetime: true)
+        expect {
+          machine.ensure_ca_certificates
+        }.to raise_error(Puppet::Error, refused_message)
+      end
+
+      it 'retries CA cert download' do
+        # allow cert to be saved to disk
+        FileUtils.mkdir_p(Puppet[:certdir])
+        allow(cert_provider).to receive(:load_crls).and_return(crls)
+
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/ca})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: cacert_pem)
+
+        machine.ensure_ca_certificates
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries CRL download' do
+        # allow crl to be saved to disk
+        FileUtils.mkdir_p(Puppet[:ssldir])
+        allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+
+        req = stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: crl_pem)
+
+        machine.ensure_ca_certificates
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+    end
   end
 
   context 'when ensuring a client cert' do
@@ -58,6 +108,72 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       expect(ssl_context[:private_key]).to eq(private_key)
       expect(ssl_context[:client_cert]).to eq(client_cert)
     end
+
+    context 'when exceptions occur' do
+      before :each do
+        allow(cert_provider).to receive(:load_cacerts).and_return(cacerts)
+        allow(cert_provider).to receive(:load_crls).and_return(crls)
+      end
+
+      it 'retries CSR submission' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+        allow($stdout).to receive(:puts).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate/)
+
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+          .to_return(status: 200, body: client_cert.to_pem)
+        # first request raises, second succeeds
+        req = stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries client cert download' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+
+        # first request raises, second succeeds
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+                .to_raise(Errno::ECONNREFUSED).then
+                .to_return(status: 200, body: client_cert.to_pem)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: refused_message))
+      end
+
+      it 'retries when client cert and private key are mismatched' do
+        allow(cert_provider).to receive(:load_private_key).and_return(private_key)
+
+        # return mismatched cert the first time, correct cert second time
+        req = stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+                .to_return(status: 200, body: cert_fixture('pluto.pem').to_pem)
+                .to_return(status: 200, body: client_cert.to_pem)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 200)
+
+        machine.ensure_client_certificate
+
+        expect(req).to have_been_made.twice
+        expect(@logs).to include(an_object_having_attributes(message: %r{The certificate for 'CN=pluto' does not match its private key}))
+      end
+
+      it 'raises in onetime mode' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}})
+          .to_raise(Errno::ECONNREFUSED)
+        stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}})
+          .to_return(status: 200)
+
+        machine = described_class.new(cert_provider: cert_provider, ssl_provider: ssl_provider, onetime: true)
+        expect {
+          machine.ensure_client_certificate
+        }.to raise_error(Puppet::Error, refused_message)
+      end
+    end
   end
 
   context 'when locking' do
@@ -167,29 +283,29 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       state.next_state
     end
 
-    it 'raises if the server returns 404' do
+    it 'returns an Error if the server returns 404' do
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 404)
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /CA certificate is missing from the server/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("CA certificate is missing from the server")
     end
 
-    it 'raises if there is a different error' do
+    it 'returns an Error if there is a different exception' do
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: [500, 'Internal Server Error'])
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /Could not download CA certificate: Internal Server Error/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("Could not download CA certificate: Internal Server Error")
     end
 
-    it 'raises if CA certs are invalid' do
+    it 'returns an Error if CA certs are invalid' do
       allow(cert_provider).to receive(:load_cacerts).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: '')
 
-      expect {
-        state.next_state
-      }.to raise_error(OpenSSL::X509::CertificateError)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.error).to be_an_instance_of(OpenSSL::X509::CertificateError)
     end
 
     it 'does not save invalid CA certs' do
@@ -244,29 +360,29 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       state.next_state
     end
 
-    it 'raises if the server returns 404' do
+    it 'returns an Error if the server returns 404' do
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 404)
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /CRL is missing from the server/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("CRL is missing from the server")
     end
 
-    it 'raises if there is a different error' do
+    it 'returns an Error if there is a different exception' do
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: [500, 'Internal Server Error'])
 
-      expect {
-        state.next_state
-      }.to raise_error(Puppet::Error, /Could not download CRLs: Internal Server Error/)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.message).to eq("Could not download CRLs: Internal Server Error")
     end
 
-    it 'raises if CRLs are invalid' do
+    it 'returns an Error if CRLs are invalid' do
       allow(cert_provider).to receive(:load_crls).and_return(nil)
       stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: '')
 
-      expect {
-        state.next_state
-      }.to raise_error(OpenSSL::X509::CRLError)
+      st = state.next_state
+      expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+      expect(st.error).to be_an_instance_of(OpenSSL::X509::CRLError)
     end
 
     it 'does not save invalid CRLs' do
@@ -543,9 +659,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       it 'raises if the server errors' do
         stub_request(:put, %r{puppet-ca/v1/certificate_request/#{Puppet[:certname]}}).to_return(status: 500)
 
-        expect {
-          state.next_state
-        }.to raise_error(Puppet::SSL::SSLError, /Failed to submit the CSR, HTTP response was 500/)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("Failed to submit the CSR, HTTP response was 500")
       end
 
       it "verifies the server's certificate when submitting the CSR" do
@@ -572,16 +688,27 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Done)
       end
 
-      it 'transitions to Wait if the cert does not match our private key' do
+      it "prints a message if the cert isn't signed yet" do
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 404)
+
+        expect {
+          state.next_state
+        }.to output(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(#{Puppet[:certname]}\)/).to_stdout
+      end
+
+      it 'transitions to Error if the cert does not match our private key' do
         wrong_cert = cert_fixture('127.0.0.1.pem')
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: wrong_cert.to_pem)
 
-        expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Wait)
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("The certificate for 'CN=127.0.0.1' does not match its private key")
       end
 
       it 'transitions to Wait if the server returns non-200' do
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 404)
 
+        allow($stdout).to receive(:puts).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate/)
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Wait)
       end
 
@@ -601,9 +728,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
           MIIBpDCCAQ2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
         END
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: /Failed to parse certificate: /))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to match(/Failed to parse certificate:/)
         expect(File).to_not exist(Puppet[:hostcert])
       end
 
@@ -611,9 +738,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         wrong_cert = cert_fixture('127.0.0.1.pem').to_pem
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: wrong_cert)
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: %r{The certificate for 'CN=127.0.0.1' does not match its private key}))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("The certificate for 'CN=127.0.0.1' does not match its private key")
         expect(File).to_not exist(Puppet[:hostcert])
       end
 
@@ -621,9 +748,9 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
         revoked_cert = cert_fixture('revoked.pem').to_pem
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: revoked_cert)
 
-        state.next_state
-
-        expect(@logs).to include(an_object_having_attributes(message: %r{Certificate 'CN=revoked' is revoked}))
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to eq("Certificate 'CN=revoked' is revoked")
         expect(File).to_not exist(Puppet[:hostcert])
       end
     end
@@ -636,18 +763,18 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
 
         expect {
           expect {
-            Puppet::SSL::StateMachine::Wait.new(machine, ssl_context).next_state
+            Puppet::SSL::StateMachine::Wait.new(machine).next_state
           }.to exit_with(1)
-        }.to output(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Exiting now because the waitforcert setting is set to 0./).to_stdout
+        }.to output(/Exiting now because the waitforcert setting is set to 0./).to_stdout
       end
 
       it 'sleeps and transitions to NeedCACerts' do
         machine = described_class.new(waitforcert: 15)
 
-        state = Puppet::SSL::StateMachine::Wait.new(machine, ssl_context)
-        expect(state).to receive(:sleep).with(15)
+        state = Puppet::SSL::StateMachine::Wait.new(machine)
+        expect(Kernel).to receive(:sleep).with(15)
 
-        expect(Puppet).to receive(:info).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Will try again in 15 seconds./)
+        expect(Puppet).to receive(:info).with(/Will try again in 15 seconds./)
 
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::NeedCACerts)
       end
@@ -655,10 +782,10 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
       it 'sleeps and transitions to NeedCACerts when maxwaitforcert is set' do
         machine = described_class.new(waitforcert: 15, maxwaitforcert: 30)
 
-        state = Puppet::SSL::StateMachine::Wait.new(machine, ssl_context)
-        expect(state).to receive(:sleep).with(15)
+        state = Puppet::SSL::StateMachine::Wait.new(machine)
+        expect(Kernel).to receive(:sleep).with(15)
 
-        expect(Puppet).to receive(:info).with(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Will try again in 15 seconds./)
+        expect(Puppet).to receive(:info).with(/Will try again in 15 seconds./)
 
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::NeedCACerts)
       end
@@ -677,7 +804,7 @@ describe Puppet::SSL::StateMachine, unless: Puppet::Util::Platform.jruby? do
 
         expect {
           expect {
-            Puppet::SSL::StateMachine::Wait.new(machine, ssl_context).next_state
+            Puppet::SSL::StateMachine::Wait.new(machine).next_state
           }.to exit_with(1)
         }.to output(/Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate \(.*\). Exiting now because the maxwaitforcert timeout has been exceeded./).to_stdout
       end