diff --git a/cmd/cashier/client_test.go b/cmd/cashier/client_test.go
index 8fe3cd094bdb02cd54cbdbcbd9c0f66ed506f9a0..e03b7122967e2829b9f6f6675f59853d169bff37 100644
--- a/cmd/cashier/client_test.go
+++ b/cmd/cashier/client_test.go
@@ -32,22 +32,22 @@ func TestLoadCert(t *testing.T) {
 	}
 	signer, err := ssh.NewSignerFromKey(key)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	c.SignCert(rand.Reader, signer)
 	a := agent.NewKeyring()
 	if err := installCert(a, c, key); err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	listedKeys, err := a.List()
 	if err != nil {
-		t.Fatalf("Error reading from agent: %v", err)
+		t.Errorf("Error reading from agent: %v", err)
 	}
 	if len(listedKeys) != 2 {
-		t.Fatalf("Expected 2 keys, got %d", len(listedKeys))
+		t.Errorf("Expected 2 keys, got %d", len(listedKeys))
 	}
 	if !bytes.Equal(listedKeys[0].Marshal(), c.Marshal()) {
-		t.Fatal("Certs not equal")
+		t.Error("Certs not equal")
 	}
 	for _, k := range listedKeys {
 		exp := time.Unix(int64(c.ValidBefore), 0).String()
@@ -71,11 +71,11 @@ func TestSignGood(t *testing.T) {
 	defer ts.Close()
 	_, err := send([]byte(`{}`), "token", ts.URL, true)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	k, _, _, _, err := ssh.ParseAuthorizedKey(testdata.Pub)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	c := &config{
 		CA:       ts.URL,
@@ -83,7 +83,7 @@ func TestSignGood(t *testing.T) {
 	}
 	cert, err := sign(k, "token", c)
 	if cert == nil && err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 
@@ -100,11 +100,11 @@ func TestSignBad(t *testing.T) {
 	defer ts.Close()
 	_, err := send([]byte(`{}`), "token", ts.URL, true)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	k, _, _, _, err := ssh.ParseAuthorizedKey(testdata.Pub)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	c := &config{
 		CA:       ts.URL,
@@ -112,6 +112,6 @@ func TestSignBad(t *testing.T) {
 	}
 	cert, err := sign(k, "token", c)
 	if cert != nil && err == nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
diff --git a/server/config/config_test.go b/server/config/config_test.go
index 3a9d4c10c2e99530464d6dc6bd356e7745f050a7..c6bdc3d34aa286c3476fa5a975899eb1a823817e 100644
--- a/server/config/config_test.go
+++ b/server/config/config_test.go
@@ -14,7 +14,7 @@ func TestServerConfig(t *testing.T) {
 	a := assert.New(t)
 	c, err := ReadConfig(bytes.NewBuffer(testdata.ServerConfig))
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	server := c.Server
 	a.IsType(server, &Server{})
@@ -31,7 +31,7 @@ func TestAuthConfig(t *testing.T) {
 	a := assert.New(t)
 	c, err := ReadConfig(bytes.NewBuffer(testdata.AuthConfig))
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	auth := c.Auth
 	a.IsType(auth, &Auth{})
@@ -47,7 +47,7 @@ func TestSSHConfig(t *testing.T) {
 	a := assert.New(t)
 	c, err := ReadConfig(bytes.NewBuffer(testdata.SSHConfig))
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	ssh := c.SSH
 	a.IsType(ssh, &SSH{})
@@ -57,7 +57,7 @@ func TestSSHConfig(t *testing.T) {
 	a.Equal(ssh.MaxAge, "720h")
 	d, err := time.ParseDuration(ssh.MaxAge)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	a.Equal(d.Hours(), float64(720))
 }
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index 5fbf2c6ae1ee8e5ffe525eadb12a132fc74d8b81..805f0fc2a46e255375d5025e61272307269f9525 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -32,24 +32,24 @@ func TestCert(t *testing.T) {
 	}
 	cert, err := signer.SignUserKey(r)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) {
-		t.Fatal("Cert signer and server signer don't match")
+		t.Error("Cert signer and server signer don't match")
 	}
 	var principals []string
 	principals = append(principals, r.Principal)
 	principals = append(principals, signer.principals...)
 	if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
-		t.Fatalf("Expected %s, got %s", cert.ValidPrincipals, principals)
+		t.Errorf("Expected %s, got %s", cert.ValidPrincipals, principals)
 	}
 	k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key))
 	k2 := cert.Key
 	if !bytes.Equal(k1.Marshal(), k2.Marshal()) {
-		t.Fatal("Cert key doesn't match public key")
+		t.Error("Cert key doesn't match public key")
 	}
 	if cert.ValidBefore != uint64(r.ValidUntil.Unix()) {
-		t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
+		t.Errorf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
 	}
 }