It seams that the http.rb plugin uses the same classes to get a HTTP connection puppet usually uses to talk to the master, configured with puppets own cert store.
There may be cases where the https endpoint uses a certificate signed by the puppet CA. However in the case of the Dashboard or similar endpoints it uses a web interface which is usually protected by a cert signed by an official or a company internal CA which is also recognized by the browser.
I copied and renamed the http plugin (I renamed it to https and deliver
it with pluginsync) and simply use the default cert locations, which
lets puppet successfully report over HTTPS now:
PUP-5069 Puppet's HTTP API does not allow callers to trust system cacerts