- Private key should have permissions based on Puppet[:hostprivkey]. When running on a puppetserver host, the private key and client cert must be owned by the puppet user so it is readable by puppetserver.
- The state machine should download a missing CA
- If Puppet[:certificate_revocation] = :leaf or :chain, then the state machine should download a missing CRL.
- If Puppet[:certificate_revocation] = false, then the agent should not download or load a CRL. It should successfully connect to the server, even if the server's cert has been revoked.
- Calling Puppet::SSL::Host.localhost should run the client state machine, as there is existing code relying on that behavior: https://github.com/puppetlabs/puppet-agent-bootstrap/blob/master/lib/puppet/face/bootstrap.rb#L50
- The generated CSR should contain custom_attributes and extension_requests if specified in Puppet[:csr_attributes]. The former are only added to the CSR. The latter are added to the CSR and copied to the signed client cert.
- The client state machine should work when autosigning is enabled
- If autosigning is disabled, and the agent should wait for Puppet[:waitforcert] seconds and try again. When the CSR is next signed, the agent should download the cert and finish its run.
- If Puppet[:waitforcert] = 0 or Puppet[:onetime] = true (which occurs when running puppet agent -t), then puppet should exit with an error message Exiting; no certificate found and waitforcert is disabled and exit code 1, like it does today.
- If an agent submits a CSR, but doesn't have a client cert, and you run puppetserver ca clean --certname <agent>, then the next time the agent runs (or wakes up), it should successfully submit the CSR again.
- If an agent has a client cert, but you clean the agent (puppet ssl clean), and run puppet agent -t, then puppet should submit a new CSR, but result in an error that the server's CSR doesn't match the client's. It should be possible to run puppetserver ca clean --certname <agent> on the server, and when the agent next checks it, it should successfully submit the CSR. You shouldn't have to delete any files from the agent.