class Puppet::SSL::StateMachine::NeedCACerts

Load existing CA certs or download them. Transition to NeedCRLs.

Public Class Methods

new(machine)
   # File lib/puppet/ssl/state_machine.rb
# Enter the bootstrap with no trusted certificates yet.
#
# The parent constructor is given +nil+ for the SSL context because nothing
# has been verified at this point. The context built here is, going by its
# name, an insecure one (does not authenticate the server — confirm in
# ssl_provider); #next_state uses it solely to reach the CA service for the
# initial CA bundle download, so that first connection is not protected by
# TLS server verification.
#
# @param machine [Puppet::SSL::StateMachine] the state machine driving the
#   bootstrap (presumably what makes @ssl_provider available via super — confirm)
def initialize(machine)
  super(machine, nil)
  # Must follow super: @ssl_provider is assumed to be set by the parent constructor.
  @ssl_context = @ssl_provider.create_insecure_context
end

Public Instance Methods

next_state()
   # File lib/puppet/ssl/state_machine.rb
# Obtain a trusted CA bundle and move the machine on to CRL handling.
#
# If the cert provider already has CA certs, a root context is built from
# them and nothing is fetched. Otherwise the bundle is downloaded from the
# CA service over the insecure context created in #initialize, so the TLS
# connection itself does not vouch for the server; the downloaded bundle is
# authenticated only when the machine was given a +ca_fingerprint+, in which
# case the PEM's digest must match it before the bundle is parsed or saved.
# Downloaded certs are validated by create_root_context before they are
# persisted.
#
# Revocation checking is disabled for the root context built here because
# CRLs are obtained in the following state (NeedCRLs).
#
# @return [NeedCRLs] on success
# @return [Error] on a fingerprint mismatch, an invalid certificate, or an
#   HTTP error while talking to the CA
def next_state
  Puppet.debug("Loading CA certs")

  bundle = @cert_provider.load_cacerts
  next_ctx =
    if bundle
      @ssl_provider.create_root_context(cacerts: bundle, revocation: false)
    else
      ca_route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
      _, pem = ca_route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)

      if @machine.ca_fingerprint
        got = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
        # Normalise the configured fingerprint to colon-separated upper-case
        # hex pairs (presumably the format Digest#to_hex produces — confirm).
        want = @machine.ca_fingerprint.scan(/../).join(':').upcase
        if got != want
          e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: got, expected_digest: want })
          return Error.new(@machine, e.message, e)
        end
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                    { digest_type: @machine.digest, actual_digest: got })
      end

      downloaded = @cert_provider.load_cacerts_from_pem(pem)
      # Build (and thereby validate) the root context before anything is saved.
      ctx = @ssl_provider.create_root_context(cacerts: downloaded, revocation: false)
      @cert_provider.save_cacerts(downloaded)
      ctx
    end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  case e.response.code
  when 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end