puppet 6.5.0-x64-mingw32 → 6.6.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44a18b39e7823f5c624d3c2fa04d06eda5c2611ce7461b4c1d8c19ca4fae7b5e
-  data.tar.gz: 460e116b5348b75fe82a71ef6893aea6605cff34c037b8ec6d71a52188c3de0c
+  metadata.gz: 21c6ecd8f8d703ef2b0cc73ac545d1e99e2a643e8c4e107ffaf619210fbdfea1
+  data.tar.gz: 4325256fb0a2373ffe54068ca6bccd9bf0bed2d78d05ffcc88647f57fbd1f7f5
 SHA512:
-  metadata.gz: 8e092b66d4eb97d98a8ff919fd7bf8843a3042a968831e808cde707dd4304844d30e30797982234ffc8fae2f90a6bd6511c401f4d654c215cc921e464833cfb5
-  data.tar.gz: 717a9f4442168369c7c7c24d79a4889963bb4e8da999536228a6dad7fa2e3981b3fbeb013d0fdc75e98580d91d3d1fadbc1c64693bb6957707ceeacf3c2f646d
+  metadata.gz: de3c9eb3e4cdbfbbc5644b72bdec0c752f51ff419bd0b1cf6f8bac36d2451f1d988b0caa4ec487e489f2b8b1be2b08715ca3674b4fde02583eb518448feac8c1
+  data.tar.gz: d05c6ca5a4f0d2c2c848a82a2259838ca16005a531625a1fe611058d92242869f87004d60a50bb7b8584e677d21a4b44ca350b04484fd6f0fca3490dd49079e3

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    puppet (6.5.0)
+    puppet (6.6.0)
       CFPropertyList (~> 2.2)
       facter (>= 2.4.0, < 4)
       fast_gettext (~> 1.1)
@@ -47,7 +47,7 @@ GEM
     memory_profiler (0.9.13)
     method_source (0.9.2)
     minitar (0.8)
-    msgpack (1.2.10)
+    msgpack (1.3.0)
     multi_json (1.13.1)
     mustache (1.1.0)
     optimist (3.0.0)
@@ -61,8 +61,8 @@ GEM
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.1.0)
-    puppet-resource_api (1.8.3)
+    public_suffix (3.1.1)
+    puppet-resource_api (1.8.4)
       hocon (>= 1.0)
     puppetserver-ca (1.3.1)
       facter (>= 2.0.1, < 4)

data/lib/puppet/application/agent.rb

@@ -358,11 +358,22 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def fingerprint
-    sm = Puppet::SSL::StateMachine.new(onetime: true)
-    ssl_context = sm.ensure_client_certificate
-    puts Puppet::SSL::Digest.new(options[:digest].to_s, ssl_context.client_cert.to_der).to_s
-  rescue
-    $stderr.puts _("Fingerprint asked but no certificate nor certificate request have yet been issued")
+    Puppet::Util::Log.newdestination(:console)
+    cert_provider = Puppet::X509::CertProvider.new
+    client_cert = cert_provider.load_client_cert(Puppet[:certname])
+    if client_cert
+      puts Puppet::SSL::Digest.new(options[:digest].to_s, client_cert.to_der).to_s
+    else
+      csr = cert_provider.load_request(Puppet[:certname])
+      if csr
+        puts Puppet::SSL::Digest.new(options[:digest].to_s, csr.to_der).to_s
+      else
+        $stderr.puts _("Fingerprint asked but neither the certificate, nor the certificate request have been issued")
+        exit(1)
+      end
+    end
+  rescue => e
+    Puppet.log_exception(e, _("Failed to generate fingerprint: %{message}") % {message: e.message})
     exit(1)
   end
 

data/lib/puppet/application/ssl.rb

@@ -112,6 +112,8 @@ HELP
       Puppet.settings.use(:main, :agent)
     end
 
+    Puppet::SSL::Oids.register_puppet_oids
+
     certname = Puppet[:certname]
     action = command_line.args.first
     case action

data/lib/puppet/provider/package.rb

@@ -1,3 +1,5 @@
+require 'puppet/provider'
+
 class Puppet::Provider::Package < Puppet::Provider
   # Prefetch our package list, yo.
   def self.prefetch(packages)

data/lib/puppet/provider/package/pip.rb

@@ -1,7 +1,6 @@
 # Puppet package provider for Python's `pip` package management frontend.
 # <http://pip.pypa.io/>
 
-require 'puppet/provider/package'
 require 'puppet/provider/package_targetable'
 require 'puppet/util/http_proxy'
 
@@ -114,7 +113,7 @@ Puppet::Type.type(:package).provide :pip, :parent => ::Puppet::Provider::Package
     command = resource_or_provider_command
     self.class.validate_command(command)
 
-    command_version = self.pip_version(command)
+    command_version = self.class.pip_version(command)
     if Puppet::Util::Package.versioncmp(command_version, '1.5.4') == -1
       latest_with_old_pip
     else

data/lib/puppet/provider/package/puppet_gem.rb

@@ -1,4 +1,4 @@
-require 'puppet/provider/package'
+require 'puppet/provider/package/gem'
 
 Puppet::Type.type(:package).provide :puppet_gem, :parent => :gem do
   desc "Puppet Ruby Gem support. This provider is useful for managing

data/lib/puppet/provider/package_targetable.rb

@@ -7,6 +7,8 @@
 # possibly via a `prefetchV2` method that could take a better data structure.)
 #
 # In addition, `Puppet::Provider::Package::properties` calls `query` in the provider.
+require 'puppet/provider/package'
+
 # But `query` in the provider depends upon whether a `command` attribute is defined for the resource.
 # This is a Catch-22.
 #

data/lib/puppet/ssl/host.rb

@@ -121,7 +121,7 @@ class Puppet::SSL::Host
       generate_key unless key
 
       # get CA and optional CRL
-      sm = Puppet::SSL::StateMachine.new
+      sm = Puppet::SSL::StateMachine.new(onetime: true)
       sm.ensure_ca_certificates
 
       cert = get_host_certificate

data/lib/puppet/ssl/state_machine.rb

@@ -21,6 +21,12 @@ class Puppet::SSL::StateMachine
       @cert_provider = machine.cert_provider
       @ssl_provider = machine.ssl_provider
     end
+
+    def to_error(message, cause)
+      detail = Puppet::Error.new(message)
+      detail.set_backtrace(cause.backtrace)
+      Error.new(@machine, message, detail)
+    end
   end
 
   # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -46,11 +52,13 @@ class Puppet::SSL::StateMachine
       end
 
       NeedCRLs.new(@machine, next_ctx)
+    rescue OpenSSL::X509::CertificateError => e
+      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        raise Puppet::Error.new(_('CA certificate is missing from the server'))
+        to_error(_('CA certificate is missing from the server'), e)
       else
-        raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
+        to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
       end
     end
   end
@@ -90,11 +98,13 @@ class Puppet::SSL::StateMachine
       end
 
       NeedKey.new(@machine, next_ctx)
+    rescue OpenSSL::X509::CRLError => e
+      Error.new(@machine, e.message, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
-        raise Puppet::Error.new(_('CRL is missing from the server'))
+        to_error(_('CRL is missing from the server'), e)
       else
-        raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
+        to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
       end
     end
 
@@ -193,11 +203,11 @@ class Puppet::SSL::StateMachine
       @cert_provider.save_request(Puppet[:certname], csr)
       NeedCert.new(@machine, @ssl_context, @private_key)
     rescue Puppet::Rest::ResponseError => e
-      if e.response.code.to_i != 400
-        raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
+      if e.response.code.to_i == 400
+        NeedCert.new(@machine, @ssl_context, @private_key)
+      else
+        to_error(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
       end
-
-      NeedCert.new(@machine, @ssl_context, @private_key)
     end
   end
 
@@ -218,37 +228,40 @@ class Puppet::SSL::StateMachine
       @cert_provider.delete_request(Puppet[:certname])
       Done.new(@machine, next_ctx)
     rescue Puppet::SSL::SSLError => e
-      Puppet.log_exception(e)
-      Wait.new(@machine, @ssl_context)
+      Error.new(@machine, e.message, e)
     rescue OpenSSL::X509::CertificateError => e
-      Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
-      Wait.new(@machine, @ssl_context)
+      Error.new(@machine, _("Failed to parse certificate: %{message}") % {message: e.message}, e)
     rescue Puppet::Rest::ResponseError => e
       if e.response.code.to_i == 404
         Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
+        $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
+        Wait.new(@machine)
       else
-        Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
-                             {certname: Puppet[:certname], message: e.response.message})
+        to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
+                 {certname: Puppet[:certname], message: e.response.message}, e)
       end
-      Wait.new(@machine, @ssl_context)
     end
   end
 
-  # We cannot make progress, so wait if allowed to do so, or error.
+  # We cannot make progress, so wait if allowed to do so, or exit.
   #
   class Wait < SSLState
+    def initialize(machine)
+      super(machine, nil)
+    end
+
     def next_state
       time = @machine.waitforcert
       if time < 1
-        puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0.") % { name: Puppet[:certname] }
+        puts _("Exiting now because the waitforcert setting is set to 0.")
         exit(1)
       elsif Time.now.to_i > @machine.wait_deadline
         puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
         exit(1)
       else
-        Puppet.info(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds.") % {name: Puppet[:certname], time: time})
+        Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
 
-        sleep(time)
+        Kernel.sleep(time)
 
         # our ssl directory may have been cleaned while we were
         # sleeping, start over from the top
@@ -257,6 +270,23 @@ class Puppet::SSL::StateMachine
     end
   end
 
+  # We cannot make progress due to an error.
+  #
+  class Error < SSLState
+    attr_reader :message, :error
+
+    def initialize(machine, message, error)
+      super(machine, nil)
+      @message = message
+      @error = error
+    end
+
+    def next_state
+      Puppet.log_exception(@error, @message)
+      Wait.new(@machine)
+    end
+  end
+
   # We have a CA bundle, optional CRL bundle, a private key and matching cert
   # that chains to one of the root certs in our bundle.
   #
@@ -264,29 +294,51 @@ class Puppet::SSL::StateMachine
 
   attr_reader :waitforcert, :wait_deadline, :cert_provider, :ssl_provider
 
+  # Construct a state machine to manage the SSL initialization process. By
+  # default, if the state machine encounters an exception, it will log the
+  # exception and wait for `waitforcert` seconds and retry, restarting from the
+  # beginning of the state machine.
+  #
+  # However, if `onetime` is true, then the state machine will raise the first
+  # error it encounters, instead of waiting. Otherwise, if `waitforcert` is 0,
+  # then then state machine will exit instead of wait.
+  #
+  # @param waitforcert [Integer] how many seconds to wait between attempts
+  # @param maxwiatforcert [Integer] maximum amount of second
+  # @param onetime [Boolean] whether to run onetime
+  # @param lockfile [Puppet::Util::Pidlock] lockfile to protect against
+  #   concurrent modification by multiple processes
+  # @param cert_provider [Puppet::X509::CertProvider] cert provider to use
+  #   to load and save X509 objects.
+  # @param ssl_provider [Puppet::SSL::SSLProvider] ssl provider to use
+  #   to construct ssl contexts.
   def initialize(waitforcert: Puppet[:waitforcert],
                  maxwaitforcert: Puppet[:maxwaitforcert],
+                 onetime: Puppet[:onetime],
                  cert_provider: Puppet::X509::CertProvider.new,
                  ssl_provider: Puppet::SSL::SSLProvider.new,
                  lockfile: Puppet::Util::Pidlock.new(Puppet[:ssl_lockfile]))
     @waitforcert = waitforcert
     @wait_deadline = Time.now.to_i + maxwaitforcert
+    @onetime = onetime
     @cert_provider = cert_provider
     @ssl_provider = ssl_provider
     @lockfile = lockfile
   end
 
-  # Run the state machine for CA certs and CRLs
+  # Run the state machine for CA certs and CRLs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_ca_certificates
     final_state = run_machine(NeedCACerts.new(self), NeedKey)
     final_state.ssl_context
   end
 
-  # Run the state machine for CA certs and CRLs
+  # Run the state machine for CA certs and CRLs.
   #
   # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  # @raise [Puppet::Error] If we fail to generate an SSLContext
   def ensure_client_certificate
     final_state = run_machine(NeedCACerts.new(self), Done)
     ssl_context = final_state.ssl_context
@@ -312,9 +364,19 @@ class Puppet::SSL::StateMachine
   def run_machine(state, stop)
     with_lock do
       loop do
-        state = state.next_state
-
-        break if state.is_a?(stop)
+        state = run_step(state)
+
+        case state
+        when stop
+          break
+        when Error
+          if @onetime
+            Puppet.log_exception(state.error)
+            raise state.error
+          end
+        else
+          # fall through
+        end
       end
     end
 
@@ -332,4 +394,10 @@ class Puppet::SSL::StateMachine
       raise Puppet::Error, _('Another puppet instance is already running; exiting')
     end
   end
+
+  def run_step(state)
+    state.next_state
+  rescue => e
+    state.to_error(e.message, e)
+  end
 end

data/lib/puppet/transaction.rb

@@ -170,16 +170,20 @@ class Puppet::Transaction
     # Generate the relationship graph, set up our generator to use it
     # for eval_generate, then kick off our traversal.
     generator.relationship_graph = relationship_graph
+    progress = 0
     relationship_graph.traverse(:while => continue_while,
                                 :pre_process => pre_process,
                                 :overly_deferred_resource_handler => overly_deferred_resource_handler,
                                 :canceled_resource_handler => canceled_resource_handler,
                                 :graph_cycle_handler => graph_cycle_handler,
                                 :teardown => teardown) do |resource|
+      progress += 1
       if resource.is_a?(Puppet::Type::Component)
         Puppet.warning _("Somehow left a component in the relationship graph")
       else
-        resource.info _("Starting to evaluate the resource") if Puppet[:evaltrace] && @catalog.host_config?
+        if Puppet[:evaltrace] && @catalog.host_config?
+          resource.info _("Starting to evaluate the resource (%{progress} of %{total})") % { progress: progress, total: relationship_graph.size }
+        end
         seconds = thinmark { block.call(resource) }
         resource.info _("Evaluated in %{seconds} seconds") % { seconds: "%0.2f" % seconds } if Puppet[:evaltrace] && @catalog.host_config?
       end

data/lib/puppet/util/pidlock.rb

@@ -62,12 +62,13 @@ class Puppet::Util::Pidlock
     # POSIX and Windows platforms (PUP-9247).
     if Puppet.features.posix?
       procname = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "comm="]).strip
-      @lockfile.unlock unless procname =~ /puppet(-.*)?$/
+      args     = Puppet::Util::Execution.execute(["ps", "-p", lock_pid, "-o", "args="]).strip
+      @lockfile.unlock unless procname =~ /ruby/ && args =~ /puppet/ || procname =~ /puppet(-.*)?$/
     elsif Puppet.features.microsoft_windows?
       # On Windows, we're checking if the filesystem path name of the running
       # process is our vendored ruby:
       exe_path = Puppet::Util::Windows::Process::get_process_image_name_by_pid(lock_pid)
-      @lockfile.unlock unless exe_path =~ /Puppet\\puppet\\bin\\ruby.exe/
+      @lockfile.unlock unless exe_path =~ /\\bin\\ruby.exe$/
     end
   end
   private :clear_if_stale

data/lib/puppet/util/windows/process.rb

@@ -122,21 +122,21 @@ module Puppet::Util::Windows::Process
   def get_process_image_name_by_pid(pid)
     image_name = ""
 
-    open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
+     open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
 
-      FFI::MemoryPointer.new(:dword, 1) do |exe_name_length_ptr|
-        # Add 1 for the null terminator, and UTF is 2 bytes/char:
-        max_path_length = (MAX_PATH_LENGTH + 1) * 2
-        exe_name_length_ptr.write_dword(max_path_length)
-        FFI::MemoryPointer.new(max_path_length) do |exe_name_ptr|
+       FFI::MemoryPointer.new(:dword, 1) do |exe_name_length_ptr|
+        # UTF is 2 bytes/char:
+        max_chars = MAX_PATH_LENGTH + 1
+        exe_name_length_ptr.write_dword(max_chars)
+        FFI::MemoryPointer.new(:wchar, max_chars) do |exe_name_ptr|
           use_win32_path_format = 0
           result = QueryFullProcessImageNameW(phandle, use_win32_path_format, exe_name_ptr, exe_name_length_ptr)
           if result == FFI::WIN32_FALSE
             raise Puppet::Util::Windows::Error.new(
               "QueryFullProcessImageNameW(phandle, #{use_win32_path_format}, " +
-              "exe_name_ptr, #{max_path_length}")
+              "exe_name_ptr, #{max_chars}")
           end
-          image_name = exe_name_ptr.read_wide_string(MAX_PATH_LENGTH + 1)
+          image_name = exe_name_ptr.read_wide_string(exe_name_length_ptr.read_dword)
         end
       end
     end

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.5.0'
+  PUPPETVERSION = '6.6.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/locales/puppet.pot

@@ -6,11 +6,11 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: Puppet automation framework 6.4.2-220-gcca62be\n"
+"Project-Id-Version: Puppet automation framework 6.5.0-67-gdd01573\n"
 "\n"
 "Report-Msgid-Bugs-To: https://tickets.puppetlabs.com\n"
-"POT-Creation-Date: 2019-06-05 21:33+0000\n"
-"PO-Revision-Date: 2019-06-05 21:33+0000\n"
+"POT-Creation-Date: 2019-06-21 03:18+0000\n"
+"PO-Revision-Date: 2019-06-21 03:18+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -182,15 +182,19 @@ msgstr ""
 msgid "The puppet agent daemon"
 msgstr ""
 
-#: ../lib/puppet/application/agent.rb:365
-msgid "Fingerprint asked but no certificate nor certificate request have yet been issued"
+#: ../lib/puppet/application/agent.rb:371
+msgid "Fingerprint asked but neither the certificate, nor the certificate request have been issued"
 msgstr ""
 
-#: ../lib/puppet/application/agent.rb:388
+#: ../lib/puppet/application/agent.rb:376
+msgid "Failed to generate fingerprint: %{message}"
+msgstr ""
+
+#: ../lib/puppet/application/agent.rb:399
 msgid "Starting Puppet client version %{version}"
 msgstr ""
 
-#: ../lib/puppet/application/agent.rb:404
+#: ../lib/puppet/application/agent.rb:415
 msgid "The puppet agent command does not take parameters"
 msgstr ""
 
@@ -459,55 +463,55 @@ msgstr ""
 msgid "An action must be specified."
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:123 ../lib/puppet/application/ssl.rb:130
+#: ../lib/puppet/application/ssl.rb:125 ../lib/puppet/application/ssl.rb:132
 msgid "The certificate for '%{name}' has not yet been signed"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:141
+#: ../lib/puppet/application/ssl.rb:143
 msgid "Completed SSL initialization"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:143
+#: ../lib/puppet/application/ssl.rb:145
 msgid "Unknown action '%{action}'"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:151 ../lib/puppet/ssl/state_machine.rb:156
+#: ../lib/puppet/application/ssl.rb:153 ../lib/puppet/ssl/state_machine.rb:166
 msgid "Creating a new EC SSL key for %{name} using curve %{curve}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:154 ../lib/puppet/ssl/key.rb:24
+#: ../lib/puppet/application/ssl.rb:156 ../lib/puppet/ssl/key.rb:24
 msgid "Creating a new SSL key for %{name}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:163
+#: ../lib/puppet/application/ssl.rb:165
 msgid "Submitted certificate request for '%{name}' to https://%{server}:%{port}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:168
+#: ../lib/puppet/application/ssl.rb:170
 msgid "Could not submit certificate request for '%{name}' to https://%{server}:%{port} due to a conflict on the server"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:170 ../lib/puppet/application/ssl.rb:173
+#: ../lib/puppet/application/ssl.rb:172 ../lib/puppet/application/ssl.rb:175
 msgid "Failed to submit certificate request: %{message}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:179
+#: ../lib/puppet/application/ssl.rb:181
 msgid "Downloading certificate '%{name}' from https://%{server}:%{port}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:186 ../lib/puppet/application/ssl.rb:194
+#: ../lib/puppet/application/ssl.rb:188 ../lib/puppet/application/ssl.rb:196
 msgid "Downloaded certificate '%{name}' with fingerprint %{fingerprint}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:202 ../lib/puppet/application/ssl.rb:205
+#: ../lib/puppet/application/ssl.rb:204 ../lib/puppet/application/ssl.rb:207
 msgid "Failed to download certificate: %{message}"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:233 ../lib/puppet/application/ssl.rb:236
+#: ../lib/puppet/application/ssl.rb:235 ../lib/puppet/application/ssl.rb:238
 msgid "Failed to connect to the CA to determine if certificate %{certname} has been cleaned"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:240
+#: ../lib/puppet/application/ssl.rb:242
 msgid ""
 "The certificate %{certname} must be cleaned from the CA first. To fix this,\n"
 "run the following commands on the CA:\n"
@@ -515,7 +519,7 @@ msgid ""
 "  puppet ssl clean\n"
 msgstr ""
 
-#: ../lib/puppet/application/ssl.rb:260
+#: ../lib/puppet/application/ssl.rb:262
 msgid "Removed %{label} %{path}"
 msgstr ""
 
@@ -6659,27 +6663,27 @@ msgstr ""
 msgid "source is defined but does not have trailing slash, ignoring %{source}"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:84
+#: ../lib/puppet/provider/package/gem.rb:94
 msgid "Could not list gems: %{detail}"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:110
+#: ../lib/puppet/provider/package/gem.rb:120
 msgid "Could not match %{desc}"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:158
+#: ../lib/puppet/provider/package/gem.rb:168
 msgid "Invalid source '%{uri}': %{detail}"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:169
+#: ../lib/puppet/provider/package/gem.rb:179
 msgid "puppet:// URLs are not supported as gem sources"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:185
+#: ../lib/puppet/provider/package/gem.rb:195
 msgid "Could not install: %{output}"
 msgstr ""
 
-#: ../lib/puppet/provider/package/gem.rb:211
+#: ../lib/puppet/provider/package/gem.rb:221
 msgid "Could not uninstall: %{output}"
 msgstr ""
 
@@ -7276,7 +7280,7 @@ msgstr ""
 msgid "Could not find resource %{resource} when converting %{message} resources"
 msgstr ""
 
-#: ../lib/puppet/resource/status.rb:139 ../lib/puppet/transaction.rb:266
+#: ../lib/puppet/resource/status.rb:139 ../lib/puppet/transaction.rb:270
 msgid "Could not evaluate: %{detail}"
 msgstr ""
 
@@ -7776,7 +7780,7 @@ msgid ""
 "%{crl}"
 msgstr ""
 
-#: ../lib/puppet/ssl/host.rb:384 ../lib/puppet/ssl/state_machine.rb:97
+#: ../lib/puppet/ssl/host.rb:384 ../lib/puppet/ssl/state_machine.rb:107
 msgid "Could not download CRLs: %{message}"
 msgstr ""
 
@@ -7892,83 +7896,87 @@ msgstr ""
 msgid "Certificate '%{subject}' failed verification (%{err}): %{err_utf8}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:51
+#: ../lib/puppet/ssl/state_machine.rb:59
 msgid "CA certificate is missing from the server"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:53
+#: ../lib/puppet/ssl/state_machine.rb:61
 msgid "Could not download CA certificate: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:95
+#: ../lib/puppet/ssl/state_machine.rb:105
 msgid "CRL is missing from the server"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:104
+#: ../lib/puppet/ssl/state_machine.rb:114
 msgid "Refreshing CRL"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:110
+#: ../lib/puppet/ssl/state_machine.rb:120
 msgid "CRL is unmodified, using existing CRL"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:112 ../lib/puppet/ssl/state_machine.rb:118
+#: ../lib/puppet/ssl/state_machine.rb:122 ../lib/puppet/ssl/state_machine.rb:128
 msgid "Failed to refresh CRL, using existing CRL: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:142
+#: ../lib/puppet/ssl/state_machine.rb:152
 msgid "Loading/generating private key"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:159
+#: ../lib/puppet/ssl/state_machine.rb:169
 msgid "Creating a new RSA SSL key for %{name}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:189
+#: ../lib/puppet/ssl/state_machine.rb:199
 msgid "Generating and submitting a CSR"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:197
+#: ../lib/puppet/ssl/state_machine.rb:209
 msgid "Failed to submit the CSR, HTTP response was %{code}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:208
+#: ../lib/puppet/ssl/state_machine.rb:218
 msgid "Downloading client certificate"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:224
+#: ../lib/puppet/ssl/state_machine.rb:233
 msgid "Failed to parse certificate: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:228
+#: ../lib/puppet/ssl/state_machine.rb:236
 msgid "Certificate for %{certname} has not been signed yet"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:230
+#: ../lib/puppet/ssl/state_machine.rb:237
+msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name})."
+msgstr ""
+
+#: ../lib/puppet/ssl/state_machine.rb:240
 msgid "Failed to retrieve certificate for %{certname}: %{message}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:243
-msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the waitforcert setting is set to 0."
+#: ../lib/puppet/ssl/state_machine.rb:256
+msgid "Exiting now because the waitforcert setting is set to 0."
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:246
+#: ../lib/puppet/ssl/state_machine.rb:259
 msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded."
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:249
-msgid "Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Will try again in %{time} seconds."
+#: ../lib/puppet/ssl/state_machine.rb:262
+msgid "Will try again in %{time} seconds."
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:300
+#: ../lib/puppet/ssl/state_machine.rb:352
 msgid "Verified client certificate '%{subject}' fingerprint %{digest}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:302
+#: ../lib/puppet/ssl/state_machine.rb:354
 msgid "Verified CA certificate '%{subject}' fingerprint %{digest}"
 msgstr ""
 
-#: ../lib/puppet/ssl/state_machine.rb:332
+#: ../lib/puppet/ssl/state_machine.rb:394
 msgid "Another puppet instance is already running; exiting"
 msgstr ""
 
@@ -8073,36 +8081,36 @@ msgstr ""
 msgid "One or more resource dependency cycles detected in graph"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:180
+#: ../lib/puppet/transaction.rb:182
 msgid "Somehow left a component in the relationship graph"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:182
-msgid "Starting to evaluate the resource"
+#: ../lib/puppet/transaction.rb:185
+msgid "Starting to evaluate the resource (%{progress} of %{total})"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:184
+#: ../lib/puppet/transaction.rb:188
 msgid "Evaluated in %{seconds} seconds"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:297
+#: ../lib/puppet/transaction.rb:301
 msgid "Dependency %{dep} has failures: %{status}"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:318
+#: ../lib/puppet/transaction.rb:322
 msgid "Prefetch failed for %{type_name} provider '%{name}'"
 msgstr ""
 
 #. TRANSLATORS `prefetch` is a function name and should not be translated
-#: ../lib/puppet/transaction.rb:363 ../lib/puppet/transaction.rb:366
+#: ../lib/puppet/transaction.rb:367 ../lib/puppet/transaction.rb:370
 msgid "Could not prefetch %{type_name} provider '%{name}': %{detail}"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:399
+#: ../lib/puppet/transaction.rb:403
 msgid "Skipping because of failed dependencies"
 msgstr ""
 
-#: ../lib/puppet/transaction.rb:404
+#: ../lib/puppet/transaction.rb:408
 msgid "Skipping because provider prefetch failed"
 msgstr ""