Fall back to c_rehash if there are multiple TLS certificates

What does this MR do?

The switch to openssl rehash from c_rehash in !8306 (merged) had an unintended breaking change: certificates in /etc/gitlab/trusted-certs are no longer processed if they contain multiple certificates.

To avoid this breaking change, detect the warning and fall back to c_rehash:

rehash: warning: skipping godaddy.crt, it does not contain exactly one certificate or CRL

Related issues

Relates to #9295 (closed)

How to validate locally

1. Drop the following godaddy.cert in /etc/gitlab/trusted-certs/godaddy.crt. godaddy.crt
2. Run gitlab-ctl reconfigure.
3. ls -al /opt/gitlab/embedded/ssl/certs should only contain cacert.pem:

# ls -al /opt/gitlab/embedded/ssl/certs
total 232
drwxr-xr-x 2 root root   4096 Sep  8 20:47 .
drwxr-xr-x 4 root root   4096 Sep  4 05:28 ..
-rw-r--r-- 1 root root    147 Aug 27  2024 README
-rw-r--r-- 1 root root 224369 Sep  4 02:14 cacert.pem

4. Apply this patch and run gitlab-ctl reconfigure.
5. You should see:

Recipe: gitlab::add_trusted_certs
  * directory[/etc/gitlab/trusted-certs] action create (up to date)
  * directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
  * file[/opt/gitlab/embedded/ssl/certs/README] action create (up to date)
  * ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run

  * Moving existing certificates found in /opt/gitlab/embedded/ssl/certs

  * Symlinking existing certificates found in /etc/gitlab/trusted-certs

6. Also:

# ls -al /opt/gitlab/embedded/ssl/certs
total 232
drwxr-xr-x 2 root root   4096 Sep  8 20:48 .
drwxr-xr-x 4 root root   4096 Sep  4 05:28 ..
lrwxrwxrwx 1 root root     37 Sep  8 20:48 27eb7704.0 -> /etc/gitlab/trusted-certs/godaddy.crt
lrwxrwxrwx 1 root root     37 Sep  8 20:48 9c8cbefb.0 -> /etc/gitlab/trusted-certs/godaddy.crt
-rw-r--r-- 1 root root    147 Aug 27  2024 README
-rw-r--r-- 1 root root 224369 Sep  4 02:14 cacert.pem

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

• MR title and description are up to date, accurate, and descriptive.
• MR targeting the appropriate branch.
• Latest Merge Result pipeline is green.
• When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

• The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
• If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
• If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
• If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

• Test plan indicating conditions for success has been posted and passes.
• Documentation created/updated.
• Tests added.
• Integration tests added to GitLab QA.
• Equivalent MR/issue for the GitLab Chart opened.
• Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.