This is an issue with gnutls that’s fixed in EOS 3.8 and newer. So, you’re kind of in a bind until you can get an OS upgrade. Both ostree and wget use gnutls rather than openssl.
I haven’t tested this yet, but I think this should work. First, pull the OS upgrade while temporarily using the http:// URL rather than the https:// URL:
sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/amd64/eos3a
Now just do the upgrade without trying to pull the OS again:
sudo ostree admin upgrade --deploy-only
I haven’t tested this step yet. After that you’d reboot into the new OS where gnutls doesn’t have this bug.
The other way is just to edit the URLs in /ostree/repo/config to use http://ostree.endlessm.com, but you’d really want to change that back later after rebooting into the upgraded OS.