
Free SSL on Github Pages with a custom domain: Part 2 – Let's Encrypt - bartdegoede
https://bart.degoe.de/github-pages-and-lets-encrypt/
======
blaze33
Interesting, as it wasn't possible to have https and a custom domain in the
past, I'm using Cloudflare with the flexible https & enforce https settings.

Though in github, the "enforce https" is greyed out and says: "Unavailable for
your site because your domain is not properly configured to support HTTPS
(lab.openbloc.fr)". Does anyone know what isn't actually "properly
configured"? I have a CNAME file in the repo containing "lab.openbloc.fr".

The help says "If you're updating an existing custom domain, first remove and
then re-add your custom domain to your GitHub account to trigger the process
of enabling HTTPS." but the option is still disabled.

~~~
dayvidwhy
In your position I did these things:

- Removed the CNAME record
- Changed my A records to point to GitHub's HTTPS IPs
- Deleted the site from Cloudflare
- Purged my cache for the site in Chrome (Chrome appears to remember who your
  site has its cert with for a bit?)
- Profit

------
teolandon
I'm hosting my webpage on GitHub Pages, with a custom domain. Back when I set
it up, Let's Encrypt would not work with GitHub Pages so instead I simply put
my page on Cloudflare. Should I spend the time and set it up again but with
Let's Encrypt? I've heard people say bad stuff about Cloudflare, but dismissed
it since my page is really just a blog.

~~~
scrollaway
It doesn't really matter for a blog without auth, but when you are using
Cloudflare's HTTPS, the connection is not encrypted between CF and GitHub, so
it's not end-to-end encrypted.

I recommend simply migrating even if you keep the DNS itself on cloudflare.
It's a good exercise if nothing else.

~~~
icebraining
It can be encrypted if you're using Full SSL on Cloudflare[1], but it's not
authenticated, meaning anyone actively MITMing the connection between CF and
GH could easily read and change the traffic. That said, it's not any script-
kiddie who can MITM a connection between two DCs, so I think it's hardly a
grave threat.

I think the only real gain is not allowing CF itself to see who is accessing
your blog.

[1] https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

~~~
scrollaway
You can't use full ssl with let's encrypt, which is fundamentally incompatible
with proxying.

But yes as I said it doesn't matter for a blog in practice.

~~~
icebraining
_You can't use full ssl with let's encrypt, which is fundamentally
incompatible with producing._

I don't understand this statement, sorry.

~~~
scrollaway
Phone autocorrected :) I meant proxying.

~~~
icebraining
Ah, ok. But how so? You can get a LE cert as long as you can serve a file in
the correct URL, or set a certain DNS record. I don't see why proxying would
prevent that.

~~~
scrollaway
Oh, of course. I was thinking of Let's Encrypt's DNS-based authentication
since that's the only thing I use nowadays (though of course Github isn't
using that). Ignore me.
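
The two proofs the thread is circling (serve a file at a known URL, or publish a DNS record) are both derived from the same ACME "key authorization", which is why a proxy in front of the origin does not stop either of them. The following is an added worked example, not code from the post or from GitHub's or Let's Encrypt's own implementation; the account key and token are constructed placeholders, and it computes, offline, what an HTTP-01 responder must serve and what a DNS-01 TXT record must contain per RFC 8555 (the thumbprint per RFC 7638). It also shows the one input check a responder must not skip: the token is CA-supplied and ends up in a URL path, so anything outside the base64url alphabet is rejected before use.

```python
"""ACME (RFC 8555) challenge responses computed offline.

Added example, not code from the post, GitHub or Let's Encrypt.
HTTP-01 serves the key authorization at a well-known URL; DNS-01 publishes
a hash of the same value in a TXT record. Both are derived here from a
constructed (not real) account key and token.
"""
import base64
import hashlib
import json
import re

# RFC 8555 s8.3: the token MUST be base64url characters only, no padding.
_B64URL_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace.
    Optional members such as "use" or "kid" must not influence it."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 s8.1). The token is chosen by the CA
    and later becomes part of a filename or URL path, so reject anything
    outside the base64url alphabet (e.g. "../") before it is used."""
    if not _B64URL_TOKEN.match(token):
        raise ValueError("ACME token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict, domain: str) -> dict:
    """URL the CA will fetch and the exact body to serve (s8.3)."""
    keyauth = key_authorization(token, account_jwk)
    return {
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": keyauth,
    }


def dns01_record(token: str, account_jwk: dict, domain: str) -> dict:
    """TXT record for DNS-01 (s8.4): base64url(SHA-256(key authorization))."""
    keyauth = key_authorization(token, account_jwk)
    digest = hashlib.sha256(keyauth.encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "type": "TXT", "value": b64url(digest)}


# Constructed sample inputs: not a real key pair, not a real CA token.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "use": "sig",  # optional member: must NOT change the thumbprint
}
SAMPLE_TOKEN = "constructed-token-0123456789_abcdefghijklmnopqrstuvwxyz"


if __name__ == "__main__":
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK, "example.com"))
    print(dns01_record(SAMPLE_TOKEN, SAMPLE_JWK, "example.com"))
```

With a proxy such as Cloudflare in the path, HTTP-01 still works as long as the proxy forwards `/.well-known/acme-challenge/` to the origin unmodified; DNS-01 never touches the origin at all, which is why it is the usual choice for wildcard certificates.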

------
cdancette
The only thing that annoys me about GitHub Pages or Netlify is the lack of
traffic analytics (number of visits, location...). There isn't a single metric
we can have access to. Cloudflare gives minimal but useful analytics.

~~~
delta1
Why not use Google (or other) analytics?

~~~
deafcalculus
Huge percent of the audience blocks GA.

------
negativegate
Does anyone have this working for both the www subdomain and the root domain?
I have the www subdomain working fine, but I get an invalid cert error when
attempting to access the root domain with HTTPS. The cert it's attempting to
use is for www.github.com.

~~~
saagarjha
You may not have had a certificate issued for your domain yet. The steps I
went through for this were changing the CNAME, which made GitHub go try to get
a new certificate for me.

~~~
negativegate
It issued a certificate for the www subdomain which is working fine. I need it
to issue one for the root domain too.
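
The symptom above (the root domain answered with a certificate issued for a different name) is easiest to confirm by asking the server for the certificate it presents under each name and comparing the subjectAltName entries with the name you requested. The script below is an added example, not from the post or from GitHub: it connects with SNI set to the requested host while keeping chain verification on but hostname checking off, so a mismatched certificate is returned for inspection instead of raising. The matching rule (exact or leftmost-label wildcard) is a pure function that runs offline; the network part only runs when the script is invoked directly.

```python
"""Report which certificate a host presents for a given name.

Added example, not code from the post or from GitHub. Use it to see
whether the root domain and the www subdomain are both covered by the
certificate actually served.
"""
import socket
import ssl
import sys


def hostname_matches(san_names, hostname):
    """RFC 6125-style match: case-insensitive exact match, or a wildcard
    in the leftmost label only (*.example.com covers a.example.com but
    not example.com and not a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and len(labels) > 1:
            if ".".join(labels[1:]) == name[2:]:
                return True
    return False


def san_dns_names(peercert):
    """DNS entries from the dict returned by SSLSocket.getpeercert()."""
    return [v for (k, v) in peercert.get("subjectAltName", ()) if k == "DNS"]


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Handshake with SNI=hostname. Chain verification stays on (otherwise
    getpeercert() returns an empty dict), but the hostname check is off so
    a certificate for the wrong name is returned rather than rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname):
    """Return the SAN list and whether it covers the requested name."""
    cert = fetch_peer_cert(hostname)
    names = san_dns_names(cert)
    return {"hostname": hostname, "san": names,
            "covered": hostname_matches(names, hostname)}


if __name__ == "__main__":
    # e.g. python check_cert.py example.com www.example.com
    for host in sys.argv[1:]:
        try:
            print(diagnose(host))
        except ssl.SSLError as exc:
            print({"hostname": host, "error": str(exc)})
```

If the root name comes back with `"covered": False` while the www name is covered, the host has simply not been issued a certificate for the root yet; an SSLError on the chain itself is a different problem from a name mismatch and is reported separately.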

------
theden
I just recently decided to move my GitHub pages with custom domains to netlify
([https://www.netlify.com/](https://www.netlify.com/)), since it offered free
out of the box SSL (let's encrypt).

Kinda wish I waited, but it's good that they finally support it.

~~~
coleschifer
I did the same thing with about 5 websites.

------
sideproject
Perhaps I missed it, but is it possible for anyone to use this "agent" to
offer this type of service?

~~~
tialaramex
Are you asking whether Github is offering their agent software for others to
use? Or just whether, in general, there are agents which can make use of Let's
Encrypt?

The answer to the latter is yes, of course: a wide variety of suitable
software exists, including shell scripts like
[https://acme.sh/](https://acme.sh/), the "official" Certbot Python code, and
software like Caddy which implements this feature right inside a web server.

------
codedokode
I've tested, it works awesomely. But does it mean that anyone who got
temporary access to your DNS can issue certificates and MITM your traffic? It
should not be this way.

~~~
mpnordland
It was always that way. Let's Encrypt actually improves this by only handing
out short-lived certs.

------
bernardino
The best play is to host on Github and deploy Netlify.

I previously used Cloudflare for SSL, but someone on here convinced me
to go with Netlify.

~~~
icebraining
Now that GH supports SSL natively, why use Netlify?

~~~
forcemajeure
Netlify is designed for hosting so has richer functionality.

[https://www.netlify.com/github-pages-vs-netlify/](https://www.netlify.com/github-pages-vs-netlify/)

------
RyanShook
Is it possible to set up SSL thru GitHub and also use Cloudflare?

~~~
dayvidwhy
Yeah, you could set up the GitHub SSL as per their instructions, then put
Cloudflare in front of it. See their options here:
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

I was previously using the partial SSL option and am quite happy that I don't
have to continue with this pseudo-SSL that has an insecure link.

