diff --git a/pkg/server/server.go b/pkg/server/server.go
index 6693e2fd2e..f34e143750 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -520,7 +520,7 @@ func (s *Server) CheckHealth() health.State {
 func (s *Server) tryGetBundle() error {
 	client, err := server_util.NewServerClient(s.config.BindLocalAddress)
 	if err != nil {
-		return errors.New("cannot create registration client")
+		return fmt.Errorf("cannot create registration client: %w", err)
 	}
 	defer client.Release()
 
@@ -531,7 +531,7 @@ func (s *Server) tryGetBundle() error {
 	// As currently coded however, the API isn't served until after
 	// the server CA has been signed by upstream.
 	if _, err := bundleClient.GetBundle(context.Background(), &bundlev1.GetBundleRequest{}); err != nil {
-		return errors.New("unable to fetch bundle")
+		return fmt.Errorf("unable to fetch bundle: %w", err)
 	}
 	return nil
 }
diff --git a/test/integration/setup/node-attestation/client.go b/test/integration/setup/node-attestation/client.go
index 8f113ee4a9..5b8ced7e57 100644
--- a/test/integration/setup/node-attestation/client.go
+++ b/test/integration/setup/node-attestation/client.go
@@ -230,7 +230,7 @@ func doX509popStep(ctx context.Context) error {
 
 	// Ban agent
 	if err := banAgent(ctx, client, svidResp.Id); err != nil {
-		return errors.New("failed to ban agent")
+		return fmt.Errorf("failed to ban agent: %w", err)
 	}
 
 	// Reattest banned agent, it MUST fail