Being able to place the file under /etc/puppetlabs/ssl/cert.pem to be used only if enabled via configuration would avoid the need to guard against it being replaced by a puppet-agent package upgrade in the future.
I've been thinking of something similar, see my comments in https://tickets.puppetlabs.com/browse/PUP-7814?focusedCommentId=675689&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-675689. Basically allow puppet to be configured to trust additional CA cert(s) given a file or directory of certs. When puppet makes connections to non-puppet infrastructure, such as source => "https://artifactory.example.com/...", then puppet would trust the puppet CA, the CA certs contained in the puppet-agent package, and optionally, the cert(s) that the setting referenced. This way people would not need to muck with the ca-bundle in puppet-agent (as those changes are lost when puppet-agent updates). It also means you could point puppet to the CA bundle that is already on your system, like {{/etc/pki/ca-trust/source/anchors}}.