As described in
https://community.letsencrypt.org/t/production-chain-changes/150739, the
LetsEncrypt DST Root CA X3 expired on September 30, 2021. Domains that
needed to be renewed via PagesDomainSslWorker would fail with the error,
"Certificate misses intermediates".

Newly-issued certificates would come with this chain of trust:

End-entity certificate (A) ← R3 (B) ← ISRG Root X1 (C) ← DST Root CA X3

Previously, this is what was happening:

1. LetsEncrypt returned a bundle containing A, B, and C.
2. `PagesDomain#has_intermediates?` took B and C and added them to the
OpenSSL certificate store.
3. `OpenSSL::X509::Store#verify` returned `false` because C was a
trusted certificate, but DST Root CA X3 had expired.

The crux of the problem is that we aren't using `verify` properly: we
should be passing in an untrusted chain and allow OpenSSL to verify that
C is indeed trusted from the system store. This emulates the behavior of
the `-untrusted` parameter in the `openssl` command-line:

```
All certificates (typically of intermediate CAs) are considered
untrusted and may be used to construct a certificate chain from the
target certificate to a trust anchor.
```

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/342326

Changelog: fixed

Avoid cross-joins in `PipelinesForMergeRequestFinder`

See merge request gitlab-org/gitlab!68549

Adds support for tertiary buttons inside of the widget extension

See merge request gitlab-org/gitlab!71097

Added guidance for and so on

See merge request gitlab-org/gitlab!71766

Add sentry error handling to the job actions component

See merge request gitlab-org/gitlab!71780

Simplify SubscriptionsHelper API

See merge request gitlab-org/gitlab!71703

Prevent push_package event if Maven package file creation fails

See merge request gitlab-org/gitlab!71618

Add user to Snowplow event

See merge request gitlab-org/gitlab!71353

For more detailed analysis we need to track user id.
As described at
https://gitlab.com/gitlab-org/gitlab/-/issues/336779#considered-data-for-pseudonymization
user_id should be pseudoanonymized. user_id emitting is disabled by
default by a feature flag.

E2E: Reduce log verbosity of every api request

See merge request gitlab-org/gitlab!71795

Update Application Setting API doc to include suggest_pipeline_enabled

See merge request gitlab-org/gitlab!71702

Merge methods into one

Improve UX for addons purchase

See merge request gitlab-org/gitlab!71582

Improve addons purchase UX

Changelog: fixed
EE: true

Add docs for new registration features

See merge request gitlab-org/gitlab!71632

Use allowlist of allowed attributes for imported models (part 2)

See merge request gitlab-org/gitlab!71046

Remove cluster applications usage data

See merge request gitlab-org/gitlab!70341

Update Gitaly version

See merge request gitlab-org/gitlab!71812

Update metadata on DORA pages

See merge request gitlab-org/gitlab!71708

Remove whitespace in sidebar when iterations disabled

See merge request gitlab-org/gitlab!70754

Move on-demand scans JavaScript assets

See merge request gitlab-org/gitlab!71727

Render gitaly-unavailable error for Tags page

See merge request gitlab-org/gitlab!71078

Update GitLab UI/SVG

See merge request gitlab-org/gitlab!71751

Remove v-html from repository preview

See merge request gitlab-org/gitlab!70833

Fix broken FF rollout issue

See merge request gitlab-org/gitlab!71254

Specify overriding for EE::Project#execute_hooks

See merge request gitlab-org/gitlab!71759

E2E: validate project migration for Gitlab migration functionality

See merge request gitlab-org/gitlab!71637