openvox 8x: add symlink alternative for certs/ approach

miharp · claude · miharp · commit 964db7ba1ccc · 2026-05-23T07:11:22.000-04:00
Add ln -s as an integration pattern in the Puppet section for nodes
where the CA is already deployed by puppet/trusted_ca into the OS
trust store. Remove symlink from the manual quick fix section — cp
is simpler when deploying the cert fresh.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Signed-off-by: Michael Harp &lt;mike@mikeharp.com&gt;
diff --git a/docs/_openvox_8x/ssl_custom_ca_proxy.md b/docs/_openvox_8x/ssl_custom_ca_proxy.md
@@ -118,6 +118,23 @@ profile::proxy_ca_cert: |
   -----END CERTIFICATE-----
 ```
 
+If the certificate is already deployed on the node at a known path (for example, by the
+[puppet/trusted_ca](https://forge.puppet.com/modules/puppet/trusted_ca) module into the OS
+trust store), use a symlink instead to avoid keeping a second copy:
+
+```puppet
+file { '/opt/puppetlabs/puppet/ssl/certs/proxy-ca.pem':
+  ensure => link,
+  target => '/etc/pki/ca-trust/source/anchors/proxy-ca.pem',
+  notify => Exec['rehash-puppet-ssl-certs'],
+}
+
+exec { 'rehash-puppet-ssl-certs':
+  command     => '/opt/puppetlabs/puppet/bin/openssl rehash /opt/puppetlabs/puppet/ssl/certs/',
+  refreshonly => true,
+}
+```
+
 
 ## Verifying the configuration
 
