External account registration fails with 500 (Recaptcha::RecaptchaError in production.log)

Summary

New users signing up for external accounts with our GitLab CE instance occasionally receive an error 500.

GitLab CE version 10.4.6

/var/log/gitlab/gitlab-rails/production.log shows:

Started GET "/users/username/exists" for [redacted] at 2018-04-27 12:16:01 -0500
Processing by UsersController#exists as JSON
  Parameters: {"username"=>"username"}
Completed 200 OK in 6ms (Views: 0.2ms | ActiveRecord: 0.5ms)
Completed 200 OK in 2363ms (Views: 2135.6ms | ActiveRecord: 19.2ms)
Started POST "/users" for [redacted] at 2018-04-27 12:16:16 -0500
Processing by RegistrationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "new_user"=>{"name"=>"user name", "username"=>"username", "email"=>"username@domain.com", "email_confirmation"=>"username@domain.com", "password"=>"[FILTERED]"}, "g-recaptcha-response"=>""}
Completed 200 OK in 234ms (Views: 162.6ms | ActiveRecord: 0.0ms)
Started POST "/users" for [redacted] at 2018-04-27 12:16:29 -0500
Processing by RegistrationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "new_user"=>{"name"=>"user name", "username"=>"username", "email"=>"username@domain.com", "email_confirmation"=>"username@domain.com", "password"=>"[FILTERED]"}, "g-recaptcha-response"=>"03AJpayVFr25IxViW3 ... redacted token data ... 372q6cia3R_4c1usym_Y"}
Completed 500 Internal Server Error in 339ms (ActiveRecord: 0.0ms)

Recaptcha::RecaptchaError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
  app/controllers/registrations_controller.rb:16:in `create'
  lib/gitlab/i18n.rb:47:in `with_locale'
  lib/gitlab/i18n.rb:53:in `with_user_locale'
  app/controllers/application_controller.rb:324:in `set_locale'
  lib/gitlab/middleware/multipart.rb:93:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  lib/gitlab/middleware/go.rb:18:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only.rb:31:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'

This issue has been on-going for a while, and has survived at least minor release (10.3 -> 10.4) of gitlab-ce

Steps to reproduce

  1. Browse to https://domain.com/users/sign_in
  2. Select the 'Register' tab
  3. Fill in fields
  4. Complete reCAPTCHA challenge
  5. Click "Register" button

What is the current bug behavior?

No account is created, user is left with an error 500 page, and subsequent attempts to re-use the email address originally provided occasionally result in 'email address already in use' flavor error message.

What is the expected correct behavior?

User should successfully create an account.