Puppet – invalid SSL when using the forge for modules

When trying to upgrade an official module, Puppet complains that it can’t find it on the forge. The real cause may be that it doesn’t recognize the forge’s SSL certificate as valid. Installing a module from forge.puppetlabs.com returns the proper error, complaining that the certificate is invalid:

# puppet module install puppetlabs/ntp
Notice: Preparing to install into /usr/local/etc/puppet/modules ...
Notice: Downloading from https://forge.puppetlabs.com ...
Error: Could not connect via HTTPS to https://forge.puppetlabs.com
  Unable to verify the SSL certificate
    The certificate may not be signed by a valid CA
    The CA bundle included with OpenSSL may not be valid or up to date

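Apparently https is a jerk, so, other than the obvious, a solution is to use http instead of https for the repository. This avoids the error only because no certificate is checked at all, so the module download is unauthenticated: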

# puppet module install puppetlabs/ntp --module_repository=http://forge.puppetlabs.com

On FreeBSD the cause might be that /etc/ssl/cert.pem isn’t symlinked to /usr/local/share/certs/ca-root-nss.crt, where the ca_root_nss package installs its CA bundle.
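The FreeBSD check described above, as a small script that reports the state of the link and repairs it so the https forge URL can be kept. This is an added example, not part of the original post; the function names and the CERT_PEM/CA_BUNDLE variables are assumptions, and the two default paths are the ones named above.

```shell
#!/bin/sh
# Added example: diagnose and repair the CA bundle symlink on FreeBSD.
# Function names are hypothetical; default paths are those from the post.
CERT_PEM=${CERT_PEM:-/etc/ssl/cert.pem}
CA_BUNDLE=${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}

# Print one state word for the pair (link path, bundle path).
ca_link_state() {
    link=$1 bundle=$2
    if [ ! -s "$bundle" ]; then
        echo no-bundle          # ca_root_nss not installed, or bundle is empty
    elif [ -L "$link" ]; then   # tested before -e so dangling links are caught
        if [ "$(readlink "$link")" = "$bundle" ]; then
            echo ok
        else
            echo wrong-target   # symlink exists but points somewhere else
        fi
    elif [ -e "$link" ]; then
        echo regular-file       # hand-managed bundle, not a symlink
    else
        echo missing-link
    fi
}

# Create or repoint the symlink; never replace a regular file.
ca_link_fix() {
    link=$1 bundle=$2
    case $(ca_link_state "$link" "$bundle") in
        ok) return 0 ;;
        missing-link|wrong-target) rm -f "$link" && ln -s "$bundle" "$link" ;;
        no-bundle) echo "install the ca_root_nss package first" >&2; return 1 ;;
        regular-file) echo "$link is a regular file, leaving it alone" >&2; return 2 ;;
    esac
}

# Only act when asked to: "check" is read-only, "fix" needs root.
case ${1:-} in
    check) ca_link_state "$CERT_PEM" "$CA_BUNDLE" ;;
    fix)   ca_link_fix "$CERT_PEM" "$CA_BUNDLE" && ca_link_state "$CERT_PEM" "$CA_BUNDLE" ;;
esac
```

Once `check` prints `ok`, retry `puppet module install puppetlabs/ntp` without the --module_repository override.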