Fixes #30368 - Make Candlepin CA file optional

This change makes the Candlepin CA file optional by falling back to the
Foreman CA file. The result is a reduced configuration in most
deployments.

app/lib/katello/resources/candlepin.rb

@@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
         self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
         self.consumer_secret = cfg[:oauth_secret]
         self.consumer_key = cfg[:oauth_key]
-        self.ca_cert_file = cfg[:ca_cert_file]
+        self.ca_cert_file = ::Cert::Certs::candlepin_ca_cert_file
 
         class << self
           def process_response(response)

app/models/katello/ping.rb

@@ -218,7 +218,7 @@ def fetch_proxy(capsule_id)
       end
 
       def backend_status(url, backend)
-        ca_file = SETTINGS[:katello][backend][:ca_cert_file]
+        ca_file = SETTINGS[:katello][backend][:ca_cert_file] || Setting[:ssl_ca_file]
         options = {}
         options[:ssl_ca_file] = ca_file unless ca_file.nil?
         options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)

app/services/cert/certs.rb

@@ -16,10 +16,17 @@ def self.ssl_client_key
       @ssl_client_key ||= OpenSSL::PKey::RSA.new(File.open(Setting['pulp_client_key'], 'r').read)
     end
 
+    def self.candlepin_ca_cert_file
+      if SETTINGS[:katello][:candlepin]
+        return SETTINGS[:katello][:candlepin][:ca_cert_file] if SETTINGS[:katello][:candlepin][:ca_cert_file]
+      end
+      Setting[:ssl_ca_file]
+    end
+
     def self.verify_ueber_cert(organization)
       ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
       cert_store = OpenSSL::X509::Store.new
-      cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
+      cert_store.add_file candlepin_ca_cert_file
       organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
     end
   end