Offer better errors for certificate validation errors

[djmitche]

The verify_callback callback gets an OpenSSL::SSL::SSLContext for each
certificate in the chain that's verified. If the verification failed,
then SSL provides a nice error to the callback, but that error doesn't
appear in the subsequent OpenSSL::SSL::SSLError.

This patch uses a technique similar to that used for peer_certs to
collect those errors and then add them to the Puppet::Error message
later.

This is my first patch to ruby, and I'm about 45 minutes away from first learning about Mocha, so be kind! But I take review comments well :)

[djmitche]

This should probably be on the 2.7.x branch? It applies cleanly there, anyway.

[zaphod42]

We've added this to our trello board. Hopefully we can get to it this week.

[ahpook]

I think we can eliminate the "this is often..." verbiage on line 100 and therefore simplify out this if statement -- that message was added in an attempt to be helpful, but since we never actually check whether the validity period is the problem, it (according to the support team) causes as much confusion as it solves.

[djmitche]

Sounds good.

[djmitche]

Updated based on the comments above.

[HAIL9000]

@djmitche Could you rebase this off of 2.7.x and retarget it there? That means you'll have to close this pull request and open a new one.

Let me know if you have any questions, thanks for your submission!

[HAIL9000]

@djmitche Also, if you could create a ticket for this issue and sign the CLA that would be awesome!

[djmitche]

I've already signed the CLA. I'll make a ticket and a new pull req. Thanks!