LibGit2: improve error when CA root cert can't be set (#38827)
This also fixes an insecure behavior: even if `set_ssl_cert_locations`
failed, `REFCOUNT` was still incremented, which meant that subsequent
calls to `ensure_initialized` didn't call `initialize` and so there was
never a successful call to `set_ssl_cert_locations`. Without this
libgit2 defaults to not verifying host identities and that is insecure.
To prevent this, this patch locks on `ensure_initialized` and decrements
`REFCOUNT` if initialize throws an error, ensuring that `initialize`
succeeds at least once, including the call to `set_ssl_cert_locations`.
