I am using the gitlab-ce omnibus rpm with SSL certificates issued by an internal CA, and while my system is correctly configured (openssl verify is happy with the certs), I was still getting this error in /var/log/gitlab/mattermost/mattermost.log
[2016/01/05 18:01:07 SAST] [EROR] /login/gitlab/complete:AuthorizeOAuthUser code=500 rid=XXXXX uid= ip=192.168.0.64 Token request failed [details: Post https://gitlab.XXXXXXX/oauth/token: x509: certificate signed by unknown authority]
The omnibus package ships its own openssl libraries, with their own trusted certs in /opt/gitlab/embedded/ssl/certs/cacert.pem
In order to avoid this problem in future, I have symlinked the system CA cert bundle:
ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /opt/gitlab/embedded/ssl/certs/cacert.pem
(On Red Hat-based systems, you should use update-ca-trust to update the CA cert bundle, see 'man update-ca-trust').
Depending on which distributions are supposedly supported with the omnibus RPMs, it might make more sense for it to configure the included openssl to use the OS-provided CA certificate store.