Unable to access gitlab: SSL certificate has expired

Question

In Visual Studio I'm trying to pull some changes from the repository on GitLab, but it gives me an error:

Git failed with a fatal error.
unable to access https://gitlab...git/: SSL certificate problem: certificate has expired*

How can I generate a new certificate and add it to VS? I don't have any experience with GitLab.

The certificate has to be created for the gitlab server. This is not a thing you do in VS. Thus, contact whoever maintains the gitlab server and ask them to fix this server side problem which likely affects other users too. But make sure that the problem is actually caused by an expired certificate and not that the clock on your local machine is simply wrong. — Steffen Ullrich, Feb 02 '20 at 10:14
I have acces to the repository and I think I can generate it. But don't know how, and how then add it to VS — Amazing User, Feb 02 '20 at 10:31
The certificate is not specific to the repository but to the server, i.e. access to the repo is not sufficient to create a new certificate for the server. — Steffen Ullrich, Feb 02 '20 at 10:36

score 47 · Answer 1 · edited Feb 08 '22 at 06:21

47

There's a quick fix you can run in the command line:

git config --global http.sslVerify "false"

The solution was found in the following article.

edited Feb 08 '22 at 06:21

jdhao

24,001
18
134
273

answered Sep 30 '21 at 20:06

Xab Ion

1,105
1
11
20

19

This solution is irresponsible because it disables all security and puts you and all users of your software at risk. – Matt Mar 14 '22 at 05:41
4

DO NOT USE THIS - it puts you at a security risk. Read other answers instead and update your Git. – Eugene Pankov Apr 11 '23 at 07:45
Just balancing out the comments above. This workaround does not disable "all security". It simply means that until reset to "true", you are able to pull from a repo host that has not been maintained correctly and that you should use common sense and ensure that the updates pulled correspond to what would be expected. There are lots of valid SSL certs on repos with very bad code. Simply having a valid SSL cert has nothing to do with the quality or safety of the code you pull. – Eric K Jun 29 '23 at 18:28

delta711 · Answer 2 · 2021-10-02T02:05:54.033

Git error in Visual Studio:

PM> git pull
git: fatal: unable to access '**path**/**myrepo**.git': SSL certificate problem: certificate has expired

The cause in my case:
On 9/30/2021, a root certificate expired.
Let's Encrypt - "IdentTrust DST Root CA X3" certificate
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Solution:
Update Git for Windows to latest version:

Open Git CMD
On the command line, type:
git update-git-for-windows

Or, install the latest version of Git for Windows from: https://git-scm.com/download/win

This solution has worked for several folks I know. However, if you are still experiencing problems, then see also: Git for windows: SSL certificate problem: certificate has expired

Also, here is a good thread relating to this topic:
https://github.com/git-for-windows/git/issues/3450

This worked for VSCode for me - Had to install latest version of Git for Windows and restart VSCode — Rob Schmuecker, Aug 19 '23 at 10:19

VonC · Accepted Answer · 2022-03-14T07:15:26.743

7

Visual Studio should be using Git for Windows.

If you can export the certificate chain of your private GitLab server, you can add it to the ca-bundle.crt file in your git folder, in C:\path\to\Git\\usr\ssl\certs.

Update Sept. 2021: Let's Encrypt cross-signed DST Root CA X3 expired a few days ago: see here for more.

March 2022: as Mohammed S. Al Sahaf noted on Twitter, the top upvoted answer (git config --global http.sslVerify "false") is rarely, if ever, a good option.

Git (technically OpenSSL) is confused because Let's Encrypt old root is expired (See: "Let's Encrypt's Root Certificate is expiring!" from Scott Helme, founded @securityheaders/@reporturi, Pluralsight author).

That is not a good excuse to disable the validation!

On Windows, only clients with OpenSSL <= 1.0.2 or Windows < XP SP3 would only trust the IdenTrust DST Root CA X3 certificate.

See also "Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2" from Tomáš Mráz (t8m).

For private instances of GitLab, integrated with Let's encrypt, the expiration of Let's Encrypt certificate can matter.

In any case, do not remove http.sslVerify.
Add the right certificate to your trust store (after double-checking its validity/origin).

edited Mar 14 '22 at 07:15

answered Feb 02 '20 at 10:35

VonC

1,262,500
529
4,410
5,250

In cmd I generated key with command `ssh-keygen -t rsa -C "email@email.com"`. Then I copied content of file `C:\Users\dmitr\.ssh\id_rsa.pub` into gitlab's user settings, added title of the key and pressed add button. Should I do anything else? Now it still don't work – Amazing User Feb 02 '20 at 11:06
2

@DimaKozyr ssh-keygen has nothing to do with ssl certificates (https://community.letsencrypt.org/t/confusion-about-tls-based-protocols-and-certificates-and-ssh-keys-and-host-keys/34731). You need to export the certificate chain from your browser (https://help.duo.com/s/article/2222?language=en_US) – VonC Feb 02 '20 at 11:28
@VonC While technically true that ssh has nothing to do with ssl certificates, cloning the repository using ssh bypasses the http protocol entirely, thus also fixing the issue. – James Wright Oct 04 '21 at 17:49
1

@JamesWright I agree. SSH is however not in the scope for this question, and the current (Sept/Oct. 2021) SSL issues are most likely related to Let's Encrypt: https://stackoverflow.com/q/69387175/6309, whose cross-signed DST Root CA X3 expired a few days ago. – VonC Oct 04 '21 at 19:53

score 5 · Answer 4 · answered Oct 04 '21 at 09:20

5

After updating the git version on the client side, it working fine.

Step 1: Check the version of the git

    > git version

Step 2: Update git on the client system

    > git update
    
    > git version

answered Oct 04 '21 at 09:20

Satish.Wagh

49
1
4

1

This solved my problem, thanks. – Levent Divilioglu Oct 12 '21 at 18:19

score 2 · Answer 5 · answered Jan 23 '21 at 12:58

2

I had this problem and my solution was to update the date and time.

answered Jan 23 '21 at 12:58

Otman Abid Almerabetine

41
1

this was. really my problem, thanks for pointing out. +1 from me(which reduces to -1 ur points :D) – rpajaziti Mar 24 '21 at 12:55

score 2 · Answer 6 · answered Sep 30 '21 at 22:33

2

this was helpfull for me. open terminal:

git config http.sslVerify false

answered Sep 30 '21 at 22:33

Vladyslav Ulianytskyi

1,401
22
22

score -2 · Answer 7 · answered Nov 02 '20 at 14:29

I got the problem when I tried to check out the latest updates from gitlab, error message: SSL certificate problem: self signed certificate in certificate chain. This means your gitlb certificate has expired, you need to put the latest cert into the end of current cert.

Go to the https://gitlab....... by Chrome
look at the lock icon before the url, click this icon
see Certificate, and check it's valid (you need this)
click Details, then copy to File
click Next and select "Base-64 encoded)
Save you cert file to some file (e.g. file_1.cert)
Open with Notpad++, then copy all, paste it to end end of your current cert file used by Gitlab
Check out the Gitlab again, it should be OK now

score -2 · Answer 8 · answered Mar 21 '22 at 17:18

Do not use git config --global http.sslVerify "false"

@VonC While technically true that ssh has nothing to do with ssl certificates, cloning the repository using ssh bypasses the http protocol entirely, thus also fixing the issue. – James Wright Oct 4, 2021 at 17:49

Thanks, This works for me.

I originally cloned my repository via https://gitlab.com/repo.git which eventually resulted in the error: fatal: unable to access 'https://gitlab.com/repo.git/': SSL certificate problem: certificate has expired

To fix just clone the project again with SSH.

$ git clone git@gitlab.com:caring/repo.git

Avoid using

$ git clone https://gitlab.com/repo.git

Unable to access gitlab: SSL certificate has expired

8 Answers8

Linked