Use ssl_trust_store from puppet.conf on Windows

[southalc]

Pull Request (PR) description

The Windows Puppet agent fails to download archive resources due to SSL validation failure when the "source" is using a certificate issued by a private CA. The failure occurs even when the Puppet agent is configured with a custom "ssl_trust_store" that contains the CA chain.

This patch changes the Windows download behavior by defining the following order for the SSL trust store:

1. The "ssl_trust_store" setting from the "agent" section of "puppet.conf"
2. The "SSL_CERT_FILE" value from the runtime environment
3. The module-bundled ".pem" file as a last resort.

This Pull Request (PR) fixes the following issues

Fixes issue reported at: https://tickets.puppetlabs.com/browse/PUP-11349

[southalc]

Checking in on this pull request. I noticed the "needs-tests" label was added, but it doesn't look like the current implementation has any unit tests for SSL connections. This change maintains the current behavior and only enables an override of the default SSL trust file used by the Windows agent. What are we looking for in tests?

[albatrossflavour]

@ghoneycutt - I grok the request for tests, but... we also need to move stuff forward. How about we approve this and we'll work out how to get some time from the Puppet team to work on adding tests?

[kenyon]

@albatrossflavour just to be clear, @voxpupuli modules like this one aren't maintained by @puppetlabs (@perforce). We are all volunteers.

[albatrossflavour]

@kenyon I'm very clear on that, which is why I'm offering some support from my team to help. If we work together, we can get more done and develop the skills of more practitioners (internal and community)

[kenyon]

@albatrossflavour OK, I guess you work for Puppet, which would make more sense, but that wasn't obvious 🙂

[phiggins2]

any chance of this progressing in 2025?

[bastelfreak]

@phiggins2 this has failing tests so we cannot merge it. You can always checkout the branch, fix it, and submit it as a new PR.