Puppet's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the Net::HTTP#store and call OpenSSL::X509::Store#set_default_paths, but this is not currently possible.
The PMT works around this by rolling its own Net::HTTP object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.
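The shape of what the ticket asks for, as an added example rather than Puppet's own code: a trust store built from OpenSSL's default CA paths (optionally extended with extra CA certs) and a Net::HTTP client that verifies peers against it with explicit proxy settings. The helper names `system_trust_store`, `build_http` and `self_signed_ca` are assumptions for this illustration; the self-signed CA is constructed only to show that a cert outside the default bundle is rejected until it is added.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Trust the OS/OpenSSL default CA bundle (OpenSSL::X509::Store#set_default_paths)
# plus any extra CA certificates handed in as PEM strings.
def system_trust_store(extra_ca_pems = [])
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  extra_ca_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Net::HTTP client for `url` that verifies the peer against `store`.
# `proxy` is an explicit proxy URL; nil means "no proxy" (this is the proxy
# handling the ticket says currently lives in two places).
def build_http(url, store:, proxy: nil)
  uri = URI(url)
  p = proxy ? URI(proxy) : nil
  http = Net::HTTP.new(uri.host, uri.port, p&.host, p&.port, p&.user, p&.password)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # never VERIFY_NONE
  http.cert_store = store
  http
end

# Constructed self-signed CA used only to exercise the store offline.
def self_signed_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

Nothing here opens a connection; `http.start` would be the point at which the configured store is actually used for the handshake.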