Replace embedded chef_client CA Cert with System CA Cert on all VMs

Summary

The Chef client uses a built-in CA Certificate that does not recognize the new Let's Encrypt upstream issuer. This means that when chef-client is run, it will not be able to connect to some third-party remote hosts that use these new certificates.

We need to switch chef-client to use a local system CA Certificate that will recognize these new certificates.

Related Incident(s)

Originating issue(s): production#5628 (closed)

Desired Outcome/Acceptance criteria

Chef client should be able to connect to download.postgresql.org without problems and converge successfully.

Ideally this would be:

  • A new Chef recipe, probably in gitlab-server.
  • Have integration tests so we can make sure this works on newer distributions than Ubuntu 16.04.
  • Be added to staging first for testing.

Associated Services

Corrective Action Issue Checklist

  • link the incident(s) this corrective action arose out of
  • give context for what problem this corrective action is trying to prevent from re-occurring
  • assign a severity label (this is the highest sev of related incidents, defaults to 'severity::4')
  • assign a priority (this will default to 'priority::4')
Edited by Cameron McFarland
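
One way to make the switch described in the Summary, shown as an added shell example (not the recipe this issue asks for and not code from the project): replace the embedded bundle with a symlink to the system bundle, keeping a one-time backup. The default paths are assumptions for an omnibus Chef install on Debian/Ubuntu, and `use_system_ca` is a hypothetical helper name; a Chef recipe would express the same step with a `link` resource.

```shell
#!/bin/sh
# Added example: point chef-client's embedded CA bundle at the system CA bundle.
# Default paths are assumptions (omnibus Chef install on Debian/Ubuntu).
EMBEDDED_CA="${EMBEDDED_CA:-/opt/chef/embedded/ssl/certs/cacert.pem}"
SYSTEM_CA="${SYSTEM_CA:-/etc/ssl/certs/ca-certificates.crt}"

# use_system_ca EMBEDDED SYSTEM  (hypothetical helper)
# Returns 0 on success or when already switched, 1 if the system bundle is unusable.
use_system_ca() {
    embedded="$1"
    system="$2"

    # Refuse to switch to a missing or empty bundle: every TLS connection
    # made by chef-client would then fail verification.
    if [ ! -s "$system" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$system"; then
        echo "system CA bundle $system is missing or has no certificates" >&2
        return 1
    fi

    # Idempotent: nothing to do when the link already points at the system bundle.
    if [ -L "$embedded" ] && [ "$(readlink "$embedded")" = "$system" ]; then
        return 0
    fi

    # Keep the original embedded bundle once, for rollback.
    if [ -f "$embedded" ] && [ ! -L "$embedded" ] && [ ! -e "$embedded.orig" ]; then
        cp -p "$embedded" "$embedded.orig" || return 1
    fi

    # Replace the file (or a stale link) with a link to the system bundle.
    ln -sfn "$system" "$embedded"
}

# Only touch the real paths when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    use_system_ca "$EMBEDDED_CA" "$SYSTEM_CA"
fi
```

Run with `--apply` as root on a staging host first; rollback is restoring `cacert.pem.orig` over the symlink.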