Allowing clients to request dh can lead to errors like
OpenSSL::SSL::SSLError:
SSL_connect returned=1 errno=0 state=error: dh key too small
By forcing clients to use this mode, servers can't use small keys.
The docker-compose.yml has some outdated notes about how / why to
set DNS_ALT_NAMES that no longer apply. The hostname specified by
puppetserver is used when initializing the ca and must be the same
value other services like puppetdb point to. This is already
documented well elsewhere.
The current setup also triggered a bug introduced in the puppetserver
container at puppetlabs/puppetserver#2327
that is fixed in puppetlabs/puppetserver#2338.
DNS_ALT_NAMES set to "puppet," worked previously, but then was
accidentally broken during a refactor. The fix is in the "edge"
version of the puppetserver container, but hasn't yet reached the
"latest" version of the container based on packages.
The "edge" fix has been vetted against the original compose file,
but since this compose file is really misleading anyhow, adjust it.
At some point in the future, all of the open source containers will
likely use a consistent compose file that's a little different, but
this change is useful for now.