Let's Encrypt DNS-01 challenge type not available on omnibus.
Summary
According to https://docs.gitlab.com/omnibus/settings/ssl.html#lets-encrypt-integration, we only support the HTTP-01 challenge type, which requires that users open ports 80 and 443 to obtain a certificate. It is often awkward, or against an organization's security practice, to open these ports on machines that would not otherwise receive traffic on ports 80 and 443. Another challenge type, DNS-01, allows users to request certificates by modifying records at the DNS domain level.
https://letsencrypt.org/docs/challenge-types/
Proposal
I propose that we expose Let's Encrypt DNS-01 challenge configuration via the letsencrypt map already being used in the configuration file /etc/gitlab/gitlab.rb. This would allow users to set up certificates for GitLab without poking holes in their firewall configuration.
References
This came up in #4871 (comment 303104852).