Expired SSL certificate

I don’t have any repos on GitLab although I use some libraries hosted there (notably Gtk/Gtkmm etc)

All of a sudden, whenever I try to pull from any repo hosted at GitLab, TortoiseGit fails with a message something like this:-

 Fetching origin
 fatal: unable to access 'https://gitlab.gnome.org/GNOME/gtkmm/': SSL certificate problem: certificate has expired 

Is that a problem with GitLab? Or with TortoiseGit? Or with the individual repos?

Hi,

please notify the GNOME infrastructure admins who operate gitlab.gnome.org. It seems this was just a short hiccup though, I can access it ok.

openssl s_client -connect gitlab.gnome.org:443
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=*.gnome.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Cheers,
Michael

Thanks Michael - it’s still happening here but since my original post I’ve found another library (called Pixman). AFAIK it isn’t part of Gnome but it’s also hosted at GitLab - and Pixman is giving me the same error.

Is there some other mirror (or protocol) that I could try? Maybe one which doesn’t need SSL? I never need to push anything upstream to GitLab. I only ever fetch stuff.

If you see the same happening on other hosts, and we are not, it probably is a client problem. You mentioned TortoiseGit, maybe it is too old, or ships its own version of openssl which is outdated.

Can you try upgrading TortoiseGit to see if that changes your problem?

Cheers,
Michael

Yes you could be right. TortoiseGit here is about 3 years old. I’ve traditionally been reluctant to update TortoiseGit because if it causes problems, it usually isn’t possible to get back to a working version :(

I’ve a recollection that for GitHub I use something called SSH which required me to register something called a putty key. And (I think) that then avoids SSL. Is that also supported by GitLab? I’ve an account here at the GitLab forum but AFAIK I haven’t any account for GitLab itself.

@johne53 yes you can add an SSH key to your profile and then clone/push via this. I’m with Michael on this, I have similar problems trying to push to my own Gitlab which is using LetsEncrypt and I see the similarities from the post from Michael in that it is also LetsEncrypt. I can push from console with git push but Atom doesn’t let me do it because of an SSL problem (it has its own included CA cert which is from 2019). I expect you have similar in TortoiseGit that is using an old local CA certificate which doesn’t have the new LetsEncrypt CA cert in it. I’m waiting for an update to appear from Atom on this, but you may want to download and install/upgrade to the latest TortoiseGit and this will most likely fix it.
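An added example (not written by any poster in this thread) that models the explanation above: it parses the certificate chain from the openssl output earlier in the thread and shows how the outcome depends on which roots the client's CA bundle contains. The two bundle sets are constructed for illustration, and certificates are matched by name only, which is a simplification of what a real validator does.

```python
import re

# Chain section copied from the openssl s_client output earlier in this thread.
CHAIN = """\
 0 s:/CN=*.gnome.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# From the verify errors in the same output (notAfter=Sep 30 14:01:15 2021 GMT).
EXPIRED = {"DST Root CA X3"}

# Constructed trust stores (assumptions for illustration, not read from any client).
OLD_BUNDLE = {"DST Root CA X3"}   # bundle that predates the newer root
NEW_BUNDLE = {"ISRG Root X1"}     # bundle that carries the newer root

def parse_chain(text):
    """Return [(depth, subject_cn, issuer_cn), ...] from a 'Certificate chain' block."""
    cn = r"(?:.*/)?CN=(.+)"  # capture the CN component of an s:/i: line
    pairs = re.findall(rf"^\s*(\d+) s:{cn}\n\s+i:{cn}$", text, re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def build_path(chain, trusted, expired=EXPIRED):
    """Walk leaf -> root and stop at the first issuer present in the trust store.

    Returns (ok, anchor_name, depth_of_last_cert_used).
    Name matching only: signatures and validity dates of the
    intermediate certificates are not checked in this model.
    """
    for depth, _subject, issuer in chain:
        if issuer in trusted:
            return (issuer not in expired, issuer, depth)
    return (False, None, None)  # nothing in the served chain leads to a trusted root

if __name__ == "__main__":
    chain = parse_chain(CHAIN)
    for name, bundle in (("old bundle", OLD_BUNDLE), ("new bundle", NEW_BUNDLE)):
        ok, anchor, depth = build_path(chain, bundle)
        print(f"{name}: ok={ok} anchor={anchor} stops after cert {depth}")
```

With the newer root in the bundle the path ends at certificate 1 and the expired issuer of certificate 2 is never consulted, which matches the suggestion that updating the client's CA certificates fixes the error.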

Thanks @iwalker

So if I added an SSH key, would that get me around the problem or does SSH still need SSL certificates? I’m happy to update TortoiseGit but like I said, that in itself can be very problematic. I’d prefer to try other options first.

Yes, you just need to change the clone method from http/https to ssh and use git@gitlab.com or your server name here if running your own instance. The docs show how to verify that the SSH key has been added to your user account, and a bit lower give the commands for cloning: GitLab and SSH keys | GitLab