(PUP-11522) Warn if client cert or private key is missing

Warn if the caller specifies `include_client_cert: true` to
`Puppet::HTTP::Client#get`, but one or both of the files are missing. If the
files are invalid, e.g. mismatched key & cert, then fail the request.

Author: joshcooper

lib/puppet/ssl/ssl_provider.rb

@@ -77,7 +77,14 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_clie
     if include_client_cert
       cert_provider = Puppet::X509::CertProvider.new
       private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
+      unless private_key
+        Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist")
+      end
+
       client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
+      unless client_cert
+        Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist")
+      end
 
       if private_key && client_cert
         client_chain = resolve_client_chain(store, client_cert, private_key)

spec/unit/ssl/ssl_provider_spec.rb

@@ -159,6 +159,22 @@
       expect(sslctx.private_key).to be_nil
     end
 
+    it 'warns if the client cert does not exist' do
+      Puppet[:certname] = 'missingcert'
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+
+      expect(Puppet).to receive(:warning).with("Client certificate for 'missingcert' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
+    it 'warns if the private key does not exist' do
+      Puppet[:certname] = 'missingkey'
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+
+      expect(Puppet).to receive(:warning).with("Private key for 'missingkey' does not exist")
+      subject.create_system_context(cacerts: [], include_client_cert: true)
+    end
+
     it 'raises if client cert and private key are mismatched' do
       Puppet[:hostcert] = fixtures('ssl/signed.pem')
       Puppet[:hostprivkey] = fixtures('ssl/127.0.0.1-key.pem')