gitlab.haskell.org certificate expired?

Hi Ben,

It looks like the Let's Encrypt certificate for gitlab.haskell.org <http://gitlab.haskell.org/> has expired, as of about 15 minutes ago. I guess it's time to renew.

Thanks,
Richard

Hi,

indeed looks to be broken, even though my browser still doesn't complain, the openssl command sure does:

    $ openssl s_client -showcerts -verify_return_error -4 -connect gitlab.haskell.org:443 < /dev/null
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = gitlab.haskell.org
    verify error:num=10:certificate has expired
    notAfter=Feb 14 23:21:04 2021 GMT
    140217764021376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2594 bytes and written 317 bytes
    Verification error: certificate has expired
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 10 (certificate has expired)
    ---

FYI I wrote a super simple monitoring script using faketime+openssl to prevent this sort of thing from happening in case you guys are interested:

https://meta.it-syndikat.org/t/tls-monitoring-fur-unsere-infrastruktur/2492

The description is in German unfortunately, but the script itself is commented in English of course ;)

We install this as a cron.daily job and use a cron monitoring to make sure the script runs, but I suspect if you're not worried about the "it actually ran" part cron's default emails would work just as well.

--Daniel

On Sun, Feb 14, 2021 at 11:37:45PM +0000, Richard Eisenberg wrote:
> Hi Ben,
> It looks like the Let's Encrypt certificate for gitlab.haskell.org <http://gitlab.haskell.org/> has expired, as of about 15 minutes ago. I guess it's time to renew.
> Thanks, Richard
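
A daily expiry check in the spirit of the cron.daily monitoring described in the message above, as an added example that is not Daniel's script and not part of the original thread: instead of faketime plus openssl, it reads the certificate's notAfter with Python's ssl module and compares it against a warning threshold. WARN_DAYS and all function names are assumptions chosen for illustration.

```python
"""Warn before a TLS certificate expires (added example, meant for cron.daily)."""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # assumed threshold; pick one shorter than your renewal window


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (state, days_left) for a notAfter string such as
    'Feb 14 23:21:04 2021 GMT' (the format openssl and getpeercert() print)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    left = expires - now
    if left <= timedelta(0):
        return "EXPIRED", left.days
    if left <= timedelta(days=warn_days):
        return "EXPIRING", left.days
    return "OK", left.days


def fetch_not_after(host, port=443, timeout=10):
    """Handshake with full verification and return the leaf's notAfter.
    An expired or untrusted chain raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host, now=None):
    """Return (state, message); never raises for TLS or network failures."""
    now = now or datetime.now(timezone.utc)
    try:
        state, days = classify(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as exc:
        return "INVALID", f"{host}: verification failed: {exc.verify_message}"
    except OSError as exc:
        return "UNREACHABLE", f"{host}: {exc}"
    return state, f"{host}: {state}, {days} day(s) left"


if __name__ == "__main__":
    # Silent on success so cron only mails when something needs attention.
    problems = [msg for state, msg in map(check, sys.argv[1:]) if state != "OK"]
    for msg in problems:
        print(msg, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Pass the hostnames to watch as arguments; a non-zero exit status lets a cron monitoring service distinguish "ran and found a problem" from "ran cleanly".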

Daniel Gröber
> Hi,
> indeed looks to be broken, even though my browser still doesn't complain the openssl command sure does:

For the record, the problem was a NixOS bug [1] which resulted in the automated renewal failing. The problem has been worked around for now and should be fixed upstream soon.

Cheers,
- Ben

[1] https://github.com/NixOS/nixpkgs/issues/101445

Richard Eisenberg writes:
> Hi Ben,
> It looks like the Let's Encrypt certificate for gitlab.haskell.org <http://gitlab.haskell.org/> has expired, as of about 15 minutes ago. I guess it's time to renew.

Thanks for the ping. In principle this happens automatically but it seems that we were hit by a NixOS bug [1]. Anyways, I've worked around it for now and things should be back to normal.

Cheers,
- Ben

[1] https://github.com/NixOS/nixpkgs/issues/101445

Sorry to hear that you hit this bug.
We (NixOS acme team) just merged a backport fix for this. Should be in your
NixOS channel once hydra picks it up.
https://github.com/NixOS/nixpkgs/pull/106857

On Mon, 15 Feb 2021, 03:40 Ben Gamari,
> Richard Eisenberg writes:
> > Hi Ben,
> > It looks like the Let's Encrypt certificate for gitlab.haskell.org <http://gitlab.haskell.org/> has expired, as of about 15 minutes ago. I guess it's time to renew.
> Thanks for the ping. In principle this happens automatically but it seems that we were hit by a NixOS bug [1]. Anyways, I've worked around it for now and things should be back to normal.
> Cheers,
> - Ben
> [1] https://github.com/NixOS/nixpkgs/issues/101445
> _______________________________________________
> ghc-devs mailing list
> ghc-devs@haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

participants (5)
- Arian van Putten
- Ben Gamari
- Ben Gamari
- Daniel Gröber
- Richard Eisenberg