Improve the error message when a CSR is rejected

The behavior without this patch is that a CSR with wildcards (*'s) is
rejected without an indication of the CSR name. In the situation where
a Master is bootstrapping itself, the user may have specified
--dns_alt_names=*,*.* and Puppet will generate a CSR with these
wildcards. It will then refuse to sign the CSR and exit with an
exception. Changing the --dns_alt_names to something acceptable is not
sufficient to get around the issue because the CSR persists.

This patch updates the error messages in two ways. First, we print the
name of the CSR to help the user clean out the bad request. Second, we
indicate the user must clean the CSR in order to progress past the
issue.