
Allow cert_file to download certificates via https #146

Merged
merged 1 commit into from Dec 6, 2022

Conversation

rtib
Contributor

@rtib rtib commented Aug 30, 2022

Pull Request (PR) description

Accept server certificates signed by trusted third parties when receiving remote certificates via https.

This Pull Request (PR) fixes the following issues

When getting a remote certificate via https, by default the http client trusts the PuppetCA only, thus downloading files from a server using certificates signed by a third-party would fail. This patch allows the Puppet HTTP client to trust a server using a certificate signed by any CA trusted by the system.

Member

@smortex smortex left a comment


This usage of include_system_store is quite recent; we should update the required version of Puppet accordingly in metadata.json. Available in 6.27.0+ and 7.16.0+. I think we can only set a single lower bound, unfortunately.

@rtib
Contributor Author

rtib commented Aug 31, 2022

Yeah, I've also thought about that, but I assume Puppet::HTTP::Client ignores options which are not supported, so the behaviour of earlier agent versions might not change. IMO, this is the alternative causing the least pain of all.

I was considering two alternatives to this:

  1. instead of include_system_store we could add ssl_context: { verify_peer: false }
  2. we could implement a version switch that adds one of the above options depending on the current agent version

I'm not very happy with those approaches and like the idea of getting this feature only on recent agents and ignored by older ones.
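The trust decision the PR description and the two alternatives above are about, as an added illustration that is not code from this PR or from the puppet-openssl module: a store that trusts only the Puppet CA rejects a server certificate issued by an unrelated CA, adding the system store makes such a certificate acceptable, and `verify_peer: false` skips the check altogether. All certificates are generated in-process (constructed test material with placeholder names); `extra_cas` stands in for whatever the host's CA bundle would contribute, so the example does not depend on the OS trust store, and the store-level check is a stand-in for the TLS handshake verification Puppet's HTTP client performs.

```ruby
require 'openssl'

# Constructed test material: a self-signed CA. The CN is a placeholder.
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed test material: a server certificate issued by the given CA.
def make_server_cert(cn, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Trust store shaped like the client's: the Puppet CA is always trusted.
# With include_system_store the OS CA bundle is loaded as well (OpenSSL's
# default paths); extra_cas simulates that bundle so the run is hermetic.
def build_store(puppet_ca, include_system_store: false, extra_cas: [])
  store = OpenSSL::X509::Store.new
  store.add_cert(puppet_ca)
  if include_system_store
    store.set_default_paths
    extra_cas.each { |ca| store.add_cert(ca) }
  end
  store
end

# The server-certificate check performed during the handshake.
# verify_peer: false (the rejected alternative) accepts any certificate,
# which is why it was not chosen over include_system_store.
def server_cert_accepted?(store, server_cert, verify_peer: true)
  return true unless verify_peer
  store.verify(server_cert)
end

if __FILE__ == $PROGRAM_NAME
  puppet_ca, puppet_key = make_ca('Puppet CA')
  public_ca, public_ca_key = make_ca('Example Public Root')
  puppet_signed = make_server_cert('puppet.example.internal', puppet_ca, puppet_key)
  public_signed = make_server_cert('downloads.example.org', public_ca, public_ca_key)

  default_store = build_store(puppet_ca)
  system_store = build_store(puppet_ca, include_system_store: true, extra_cas: [public_ca])

  puts "Puppet-only store, Puppet-signed server:   #{server_cert_accepted?(default_store, puppet_signed)}"
  puts "Puppet-only store, third-party server:     #{server_cert_accepted?(default_store, public_signed)}" \
       " (#{default_store.error_string})"
  puts "Plus system store, third-party server:     #{server_cert_accepted?(system_store, public_signed)}"
  puts "verify_peer false, third-party server:     " \
       "#{server_cert_accepted?(default_store, public_signed, verify_peer: false)}"
end
```

The `error_string` printed for the rejected case is the reason the original download failed: no issuer for the server certificate exists in a store holding only the Puppet CA. Adding the system store fixes that case while still rejecting certificates chained to nothing the host trusts, which `verify_peer: false` cannot do.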

@smortex
Member

smortex commented Aug 31, 2022

I'm not very happy with those approaches and like the idea of getting this feature only on recent agents and ignored by older ones.

Yeah, the alternatives suck. If it works well with older versions of Puppet this is probably fine, only improving the situation for newer Puppet.

@smortex smortex added the enhancement New feature or request label Dec 6, 2022
@smortex smortex merged commit d556099 into voxpupuli:master Dec 6, 2022