Use custom Puppet fileserver mount points for auto-ca and LE certs
Currently we have two different patterns for sourcing auto-ca and Let's Encrypt TLS material:
- auto-ca: uses a symlink at modules/ssl/files pointing to /var/lib/puppet/auto-ca (this is new; before today auto-ca was just dumping its files into the environment, directly)
- Let's Encrypt: uses a special ERB template which sources the actual certificate content from another path on the filesystem using a plain Ruby File.read() call
Both methods, apart from being different ways of doing the same thing, add a fair amount of indirection to an already complex and sometimes confusing system.
We should look into making this simpler by configuring a custom Puppet Server mount point to allow clients to retrieve the required TLS material directly, without relying on special snowflake symlinks and templates.
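
A sketch of what such a mount point could look like, added here as an illustration and not taken from this ticket or the project's configuration. Only /var/lib/puppet/auto-ca and modules/ssl/files come from the text above; the mount name, the per-node directory layout and the file names are assumptions.

```ini
# fileserver.conf on the Puppet Server (added example; the mount name
# "auto-ca" is an assumption).
# One mount serving the auto-ca output directory directly.
[auto-ca]
    path /var/lib/puppet/auto-ca

# Variant, assuming a one-directory-per-node layout (not described in the
# ticket): %H expands to the requesting node's name, so each agent only
# resolves paths under its own directory.
# [auto-ca]
#     path /var/lib/puppet/auto-ca/%H

# Agent-side usage in a manifest, replacing the modules/ssl/files symlink
# (resource title and file name are placeholders):
#   file { '/etc/ssl/example.crt':
#     source => 'puppet:///auto-ca/example.crt',
#   }

# In current Puppet Server releases, who may read a mount is decided by the
# auth.conf rules covering the /puppet/v3/file_* endpoints, not by this file.
# Review those rules before serving key material from a shared mount.
```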