Cleanup can fail if puppet, run under sudo, created any temporary files
that the cleanup routine (which doesn't run under sudo) can't
delete. This can happen with the ssl directory, which some versions of
puppet will create when the agent executes.

The manifests have already been applied by the time cleanup happens, so
rejecting the commit at this stage isn't helpful.