Expired SSL certificate

[John Emmas]

Admittedly I'm on a slightly old version of TortoiseGit (2.06) but all of a sudden, whenever I try to pull from any repo hosted at GitLab, TortoseGit fails with a message something like this:-

    Fetching origin

   fatal: unable to access 'https://gitlab.gnome.org/GNOME/gtkmm/': SSL certificate problem: certificate has expired

Up to now I've only ever seen it with GitLab and only with those GNOME repos - so I'm a bit confused about whether it's a problem with GitLab? Or with TortoiseGit? Or with the individual repos? GitLab seems to think it's somebody else's problem. So would TortoiseGit have an SSL certificate that might be out of date now?

[Sven Strickroth]

Hi,

you are using a very old version of TortoiseGit and supposedly also of
Git for Windows.

The Gnome project uses Let's Encrypt certificates. Recently, the "old"
root certificate of Let's Encrypt expired. Now all software needs
support for their new root certificate.

So I suppose the solution would be to manually add the ISRG root
certificate (<https://letsencrypt.org/de/certificates/>) to your Git
certificate store (e.g., <https://stackoverflow.com/a/26128676/3906760>)
or just update Git for Windows (and TortoiseGit).

--
Best regards,
Sven Strickroth
PGP key id F5A9D4C4 @ any key-server

[John Emmas]

On 13/10/2021 12:43, Sven Strickroth wrote:
>
> So I suppose the solution would be to manually add the ISRG root
> certificate (<https://letsencrypt.org/de/certificates/>) to your Git
> certificate store (e.g.,
> <https://stackoverflow.com/a/26128676/3906760>) or just update Git for
> Windows (and TortoiseGit).
>

Thanks Sven,

I just tried manually adding the ISRG root certificate but it hasn't
worked.  I'll check again, in case I didn't follow the instructions
properly...

Updating TortoiseGit is something I've tended to avoid. In the past I've
found that if I push something to my repo using a particular version of
TortoiseGit - let's say 2.06 - somebody on an earlier version of
TortoiseGit can pull it okay but they lose the ability to push to the
repo until they also update. Is that intentional?  It's always deterred
me from updating TortoiseGit too often.

John

[Sven Strickroth]

Am 13.10.2021 um 15:22 schrieb John Emmas:
> Updating TortoiseGit is something I've tended to avoid. In the past I've
> found that if I push something to my repo using a particular version of
> TortoiseGit - let's say 2.06 - somebody on an earlier version of
> TortoiseGit can pull it okay but they lose the ability to push to the
> repo until they also update. Is that intentional?  It's always deterred
> me from updating TortoiseGit too often.

No, this is nothing that should happen.

[John Emmas]

On 13/10/2021 14:22, John Emmas wrote:
>
> Thanks Sven,
>
> I just tried manually adding the ISRG root certificate but it hasn't
> worked.  I'll check again, in case I didn't follow the instructions
> properly...
>

Now that I've woken up a bit brighter I've checked my procedure from
yesterday and it looks like I did the right things. I created my own
certificate file called "JE-SSL-certificate-trial.crt" and then ran this
command:-

    git config --global http.sslCAinfo JE-SSL-certificate-trial.crt

which is supposed to configure something somehow.  However, I've noticed
that TortoiseGit's error message has changed slightly.  It now tells me:-

    fatal: unable to access 'https://gitlab.gnome.org/GNOME/gtkmm/':

    error setting certificate verify locations:
    CAfile: JE-SSL-certificate-trial.crt
    CApath: none

I tried again (this time giving the full path to
JE-SSL-certificate-trial.crt) but essentially it gave me the same
error.  So I guess my best option might to uninstall TortoiseGit and
MsysGit and just install the latest versions. Two questions though...

1) Will I need to undo "git config --global http.sslCAinfo" somehow,
before uninstalling?

2) Why would the SSL certificate be relevant when all I want to do is
clone a repo or pull from one?  I can understand why a certificate might
be needed for pushing to a repo but it seems a bit overkill just for
pulling.

John

[John Emmas]

On 14/10/2021 09:22, John Emmas wrote:

Will I need to undo "git config --global http.sslCAinfo" somehow, before uninstalling?

I realised later that an empty string seems to do the trick - i.e.

    git config --global http.sslCAinfo ""

and I also found an alternative set of instructions for updating my SSL certificate:-

Fix Git Self Signed Certificate in Certificate Chain on Windows | Matt Ferderer

They're essentially the same except with a slightly different procedure for obtaining the new certificate.  Unfortunately though... it didn't work either :-(

So I guess at the weekend I'll back everything up and then update TortoiseGit.  Does the stable version also update MsysGit or does that need to be done separately?  And (if so) which version of MsysGit would I need for T/git ver 2.12.0?

Thanks, John

[John Emmas]

On 15/10/2021 14:46, John Emmas wrote:
>
> at the weekend I'll back everything up and then update TortoiseGit. 
> Does the stable version also update MsysGit or does that need to be
> done separately?
>

I just updated TortoiseGit to ver 2.12.0.0 but AFAICT it didn't update
MsysGit - and even worse, it didn't fix the problem about the expired
SSL certificate.  So I guess this is either an outdated MsysGit or some
problem with GitLab.  Which version of MsysGit would I need for
TortoiseGit v1.12.0.0?  Thanks,

John

[John Emmas]

On 17/10/2021 11:07, John Emmas wrote:
>
> Which version of MsysGit would I need for TortoiseGit v1.12.0.0?
>

I ended up ditching MsysGit and I installed Git for Windows v2.33.1
which was ludicrously difficult (there must've been over 20 pages of
install options to choose from!!)

But the upside is that I'm no longer seeing the messages about an
expired SSL certificate!!

John