25

In Visual Studio, I'm trying to pull some changes from the repository on GitLab, but it gives me an error:

Git failed with a fatal error.
unable to access https://gitlab...git/: SSL certificate problem: certificate has expired*

How can I generate a new certificate and add it to VS? I don't have any experience with GitLab.

Improve this question
3
  • 2
    The certificate has to be created for the gitlab server. This is not a thing you do in VS. Thus, contact whoever maintains the gitlab server and ask them to fix this server side problem which likely affects other users too. But make sure that the problem is actually caused by an expired certificate and not that the clock on your local machine is simply wrong. Commented Feb 2, 2020 at 10:14
  • I have acces to the repository and I think I can generate it. But don't know how, and how then add it to VS Commented Feb 2, 2020 at 10:31
  • The certificate is not specific to the repository but to the server, i.e. access to the repo is not sufficient to create a new certificate for the server. Commented Feb 2, 2020 at 10:36

8 Answers 8

Reset to default
51

There's a quick fix you can run in the command line:

git config --global http.sslVerify "false"

The solution was found in the following article.

Updated:

While the original solution provided a quick workaround, it's essential to emphasize the security implications and responsible usage due to the concerns raised in the comments.

Warning: The below quick fix can expose you to security risks by disabling SSL verification:

git config --global http.sslVerify "false"

Use this solution with utmost caution and strictly for troubleshooting purposes.

A Safer Alternative:

  1. Update Git: Ensure you are using the latest version of Git which might have improved handling of SSL and certificate issues.

For Windows

download and install from the official website

For macOS (using Homebrew):

brew upgrade git

For Debian-based Linux distributions:

sudo apt-get update && sudo apt-get upgrade git

2. Verify Certificate:

Identify why the certificate has expired and engage the repository administrator or IT department for a resolution, as managing and renewing certificates is typically their responsibility.

Using the Quick Fix Responsibly:

If you find yourself obliged to use the quick fix:

  • Local Environment Only:

Ensure it is applied only in a secure and controlled environment. Never in a production setting.

  • Limited Time:

Re-enable SSL verification as soon as possible by running

git config --global http.sslVerify "true"

Additional Notes:

  • Quality vs. Security:

As commented by Eric K, having a valid SSL certificate doesn’t equate to the safety of the code you pull. Always ensure code quality and integrity.

  • Engage Experts:

If unsure, consult your IT department or cybersecurity experts regarding expired certificates and any temporary workarounds.

Conclusion:

Security should always be paramount. Adopt solutions that not only solve the immediate problem but also uphold the integrity and security of your development environment and code.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

This solution is irresponsible because it disables all security and puts you and all users of your software at risk.
DO NOT USE THIS - it puts you at a security risk. Read other answers instead and update your Git.
Just balancing out the comments above. This workaround does not disable "all security". It simply means that until reset to "true", you are able to pull from a repo host that has not been maintained correctly and that you should use common sense and ensure that the updates pulled correspond to what would be expected. There are lots of valid SSL certs on repos with very bad code. Simply having a valid SSL cert has nothing to do with the quality or safety of the code you pull.
Consider the solution below (updating git). Not sure if the root cause was the same in my case but the solution worked like a charm. It's probably a better idea to keep your tools up to date than to disable security checks.
Balancing out the comment from @EricK : It's irresponsible to assume that you're connec ting to an incorrectly maintained host. You may not be connecting to the server you're intending to. There may be an attack going on, and that attack might defy your "common sense". Certificates and their verification exists for a reason. Don't turn it off, find out what's going on.
18

Git error in Visual Studio:

PM> git pull
git: fatal: unable to access '**path**/**myrepo**.git': SSL certificate problem: certificate has expired

The cause in my case:
On 9/30/2021, a root certificate expired.
Let's Encrypt - "IdentTrust DST Root CA X3" certificate
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Solution:
Update Git for Windows to latest version:

  • Open Git CMD
  • On the command line, type:
    git update-git-for-windows

Or, install the latest version of Git for Windows from: https://git-scm.com/download/win

This solution has worked for several folks I know. However, if you are still experiencing problems, then see also: Git for windows: SSL certificate problem: certificate has expired

Also, here is a good thread relating to this topic:
https://github.com/git-for-windows/git/issues/3450

Improve this answer

1 Comment

This worked for VSCode for me - Had to install latest version of Git for Windows and restart VSCode
7

Visual Studio should be using Git for Windows.

If you can export the certificate chain of your private GitLab server, you can add it to the ca-bundle.crt file in your git folder, in C:\path\to\Git\\usr\ssl\certs.

Update Sept. 2021: Let's Encrypt cross-signed DST Root CA X3 expired a few days ago: see here for more.

March 2022: as Mohammed S. Al Sahaf noted on Twitter, the top upvoted answer (git config --global http.sslVerify "false") is rarely, if ever, a good option.

Git (technically OpenSSL) is confused because Let's Encrypt old root is expired (See: "Let's Encrypt's Root Certificate is expiring!" from Scott Helme, founded @securityheaders/@reporturi, Pluralsight author).

That is not a good excuse to disable the validation!

On Windows, only clients with OpenSSL <= 1.0.2 or Windows < XP SP3 would only trust the IdenTrust DST Root CA X3 certificate.

See also "Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2" from Tomáš Mráz (t8m).

For private instances of GitLab, integrated with Let's encrypt, the expiration of Let's Encrypt certificate can matter.

In any case, do not remove http.sslVerify.
Add the right certificate to your trust store (after double-checking its validity/origin).

Improve this answer

4 Comments

In cmd I generated key with command ssh-keygen -t rsa -C "[email protected]". Then I copied content of file C:\Users\dmitr\.ssh\id_rsa.pub into gitlab's user settings, added title of the key and pressed add button. Should I do anything else? Now it still don't work
@DimaKozyr ssh-keygen has nothing to do with ssl certificates (community.letsencrypt.org/t/…). You need to export the certificate chain from your browser (help.duo.com/s/article/2222?language=en_US)
@VonC While technically true that ssh has nothing to do with ssl certificates, cloning the repository using ssh bypasses the http protocol entirely, thus also fixing the issue.
@JamesWright I agree. SSH is however not in the scope for this question, and the current (Sept/Oct. 2021) SSL issues are most likely related to Let's Encrypt: stackoverflow.com/q/69387175/6309, whose cross-signed DST Root CA X3 expired a few days ago.
5

After updating the git version on the client side, it working fine.

Step 1: Check the version of the git

    > git version

Step 2: Update git on the client system

    > git update
    
    > git version
Improve this answer

Comments

3

I had this problem and my solution was to update the date and time.

Improve this answer

1 Comment

this was. really my problem, thanks for pointing out. +1 from me(which reduces to -1 ur points :D)
2

this was helpfull for me. open terminal:

git config http.sslVerify false
Improve this answer

Comments

-2

I got the problem when I tried to check out the latest updates from gitlab, error message: SSL certificate problem: self signed certificate in certificate chain. This means your gitlb certificate has expired, you need to put the latest cert into the end of current cert.

  1. Go to the https://gitlab....... by Chrome
  2. look at the lock icon before the url, click this icon
  3. see Certificate, and check it's valid (you need this)
  4. click Details, then copy to File
  5. click Next and select "Base-64 encoded)
  6. Save you cert file to some file (e.g. file_1.cert)
  7. Open with Notpad++, then copy all, paste it to end end of your current cert file used by Gitlab
  8. Check out the Gitlab again, it should be OK now
Improve this answer

Comments

-3

Do not use git config --global http.sslVerify "false"

@VonC While technically true that ssh has nothing to do with ssl certificates, cloning the repository using ssh bypasses the http protocol entirely, thus also fixing the issue. – James Wright Oct 4, 2021 at 17:49

Thanks, This works for me.

I originally cloned my repository via https://gitlab.com/repo.git which eventually resulted in the error: fatal: unable to access 'https://gitlab.com/repo.git/': SSL certificate problem: certificate has expired

To fix just clone the project again with SSH.

$ git clone [email protected]:caring/repo.git

Avoid using

$ git clone https://gitlab.com/repo.git

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.