LDAP `ca_file` setting breaks all other SSL certificate verification
Zendesk: https://gitlab.zendesk.com/agent/tickets/84475
When an LDAP `ca_file` is specified and LDAP group sync is used, all other GitLab outbound SSL verification breaks, as if the `ca_file` option removed all other CA certs. It's interesting that this is specific to group sync.
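The symptom above, modelled as an added example (not GitLab code): a trust store that holds only the LDAP CA verifies the LDAP server's certificate but rejects a web hook endpoint signed by any other CA, whereas a store that adds the LDAP CA on top of the existing anchors verifies both. The two CAs, the leaf certificates and the hostnames are constructed inside the script, and "Public Root CA" stands in for the system bundle that `set_default_paths` would normally load.

```ruby
require 'openssl'

# Constructed example: build a certificate; self-signed CA when no issuer
# is given, otherwise a leaf signed by the issuer CA.
def make_cert(name, issuer = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Trust store holding ONLY the LDAP CA: the ca_file used as the whole
# trust list instead of being added to it (the behaviour reported above).
def ldap_only_store(ldap_ca)
  OpenSSL::X509::Store.new.tap { |s| s.add_cert(ldap_ca[:cert]) }
end

# Trust store that keeps the existing anchors and adds the LDAP CA on top.
# In production the first step would be store.set_default_paths.
def augmented_store(system_ca, ldap_ca)
  OpenSSL::X509::Store.new.tap do |s|
    s.add_cert(system_ca[:cert])
    s.add_cert(ldap_ca[:cert])
  end
end

# Returns [ldap_verified, webhook_verified] for a given trust store.
def verify_both(store, ldap_leaf, webhook_leaf)
  [store.verify(ldap_leaf[:cert]), store.verify(webhook_leaf[:cert])]
end

SYSTEM_CA = make_cert('Public Root CA')               # stands in for the system bundle
LDAP_CA = make_cert('Corp LDAP CA')                   # the CA from ldap ca_file
LDAP_LEAF = make_cert('ldap.example.test', LDAP_CA)   # constructed LDAP server cert
WEBHOOK_LEAF = make_cert('hooks.example.test', SYSTEM_CA) # constructed web hook cert

if __FILE__ == $0
  p verify_both(ldap_only_store(LDAP_CA), LDAP_LEAF, WEBHOOK_LEAF)            # [true, false]
  p verify_both(augmented_store(SYSTEM_CA, LDAP_CA), LDAP_LEAF, WEBHOOK_LEAF) # [true, true]
end
```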
In my test environment I ran some tests in the Rails console. I opened connections and searched LDAP using the regular LDAP adapter, using the LDAP sync proxy, etc., and nothing broke. I even executed the `LdapGroupSyncWorker` in the foreground and it didn't break. The only thing that breaks is running a sync from Sidekiq. What about Sidekiq causes this problem?
Once broken, outbound connections such as web hooks, project services, etc., all fail with:

```
WARN: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
2017-11-09_18:49:15.01497 2017-11-09T18:49:15.010Z 3489 TID-ow53ylrek WARN: /opt/gitlab/embedded/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'
2017-11-09_18:49:15.01497 /opt/gitlab/embedded/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'
2017-11-09_18:49:15.01498 /opt/gitlab/embedded/lib/ruby/2.3.0/net/http.rb:928:in `connect'
2017-11-09_18:49:15.01498 /opt/gitlab/embedded/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
2017-11-09_18:49:15.01498 /opt/gitlab/embedded/lib/ruby/2.3.0/net/http.rb:852:in `start'
2017-11-09_18:49:15.01498 /opt/gitlab/embedded/lib/ruby/2.3.0/net/http.rb:1384:in `request'
```