This fixes #8 and #14 in our setup (Puppet 5.2.0).

Since Ruby 2.4, it is required to pass a 4 byte password,
even if the key has no password at all, otherwise it fatals out.
This leads to ugly workarounds such as these:
https://github.com/github/octocatalog-diff/blob/6093d3c24b0be8045d779b1f6cf2e56367e2e8fb/lib/octocatalog-diff/util/httparty.rb#L127
Since we know these keys always have no password, we can just use 1234.

node_encrypt.rb: Use dummy 4 byte password to read key.

Use pseudo-relative include paths in parser-function and type.

This will do its best to manage the certificate access on Puppet 5.
Unfortunately, it's not reasonably possible to do if the machine is
using legacy auth.conf, and there's not a good way to tell whether that
is the case on OSS. Therefore, we fail out and require the user to
either indicate that they're using HOCON, or to not manage the
whitelist. We fail by default because requiring a minor change in
classification is better than a false sense of security.

Tangent: since they're public certificates, I'm not even convinced that
it's worth trying to protect them. Perhaps it's time to just drop the
whitelist idea completely?

Fixes #18

Add Puppet 5 support to the certificates class

Fixes #11

* Prompt for a value by using --prompt
* Read from piped stdin

Fixes #10