Unable to log in via GitLab OAuth

Created by: plinss

• Sourcegraph version: 3.20.1
• Platform information: CentOS 7.8.2003, Docker V19.03.8

Steps to reproduce:

1. Connect Sourcegraph to on-premise GitLab via instructions at: https://docs.sourcegraph.com/admin/auth#gitlab
2. Attempt to login to Sourcegraph via GitLab

Note that the GitLab instance is using an https certificate signed by an internal CA. Sourcegraph site config contains:

...
"auth.providers": [
    {
        "type": "builtin",
        "allowSignup": false
    },
    {
        "type": "gitlab",
        "displayName": "GitLab",
        "url": "https://gitlab.<our-domain>",
        "clientID": "<gitlab OAuth ID>",
        "clientSecret": "<gitlab OAuth secret>"
    }
],
...
experimentalFeatures: {
    "tls.external": {
        "certificates": ["<internal CA root certificate pem data>"]
    }
}

Expected behavior:

Successful login.

Actual behavior:

After redirecting to GitLab (and successfully logging in if necessary), Sourcegraph responds with "github: unable to get GitLab user".

GitLab logs appear to show successful login and OAuth response.