diff --git a/lib/puppet/ssl/state_machine.rb b/lib/puppet/ssl/state_machine.rb
index 48d514e6801..3bc1fb66f4e 100644
--- a/lib/puppet/ssl/state_machine.rb
+++ b/lib/puppet/ssl/state_machine.rb
@@ -358,7 +358,7 @@ def next_state
         Wait.new(@machine)
       else
         to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
-                 { certname: Puppet[:certname], message: e.response.message }, e)
+                 { certname: Puppet[:certname], message: e.message }, e)
       end
     end
   end
@@ -391,7 +391,7 @@ def next_state
       end
       Done.new(@machine, @ssl_context)
     rescue => e
-      Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e })
+      Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e.message })
       Done.new(@machine, @ssl_context)
     end
   end
diff --git a/spec/unit/ssl/state_machine_spec.rb b/spec/unit/ssl/state_machine_spec.rb
index 27278e42268..87ff5a416a8 100644
--- a/spec/unit/ssl/state_machine_spec.rb
+++ b/spec/unit/ssl/state_machine_spec.rb
@@ -928,6 +928,14 @@ def write_csr_attributes(data)
         expect(state.next_state).to be_an_instance_of(Puppet::SSL::StateMachine::Wait)
       end
 
+      it 'transitions to Error if the server returns 500' do
+        stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 500)
+
+        st = state.next_state
+        expect(st).to be_an_instance_of(Puppet::SSL::StateMachine::Error)
+        expect(st.message).to match(/Failed to retrieve certificate/)
+      end
+
       it "verifies the server's certificate when getting the client cert" do
         stub_request(:get, %r{puppet-ca/v1/certificate/#{Puppet[:certname]}}).to_return(status: 200, body: client_cert.to_pem)
         allow(cert_provider).to receive(:save_client_cert)