41 comments

[ 2.9 ms ] story [ 103 ms ] thread
My site says "Unavailable for your site because your domain is not properly configured to support HTTPS", but I don't see instructions to resolve it?
If your site is configured with A records, you’ll need to change the IPs it’s pointing to before you’ll be able to get a cert:

185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153

From: https://help.github.com/articles/setting-up-an-apex-domain/

EDIT: You’ll also need to remove and re-add the domain in the repository settings after doing that too to trigger it to request a cert.

Can you expand on how to perform the steps added in your edit? Thanks!
Go to the GitHub pages section of the repo settings, delete your domain name from the custom domain input, hit save, then add it back and save again.

If it’s still not working after that the you can contact support and they can press a button on the back end to trigger a cert request.

Didn't work for me. Might have something to do with the fact that I also have a CNAME file in my repo. I'll reach out to support
How long have you waited? For a while (After updating to their new IPs and enabling/disabling custom domain) it said it was unavailable, but then after 60-90 minutes both of my repos are now in "Not yet available for your site because the certificate has not finished being issued" state.

I guess I'll have a better idea tomorrow if it worked or not but for now I'm hoping this is just my repos working their way through github's cert queue.

* I also have CNAME files in my projects.

Could you please update us once it's done? I have got exactly the same issue.
I use Cloudflare to get HTTPS on my github pages site, and I really like it. I get a lot of control over cached content and security, and statistics about site traffic. I am kind of happy that GitHub did not support HTTPS for custom domains, because then I would not have learned how to use Cloudflare.
I use Cloudflare on my GitHub pages site, but never saw a HTTPS option. How do you enable that? (and now with GitHub providing certs, is it a better idea to use theirs?)
Cloudflare's dynamic https would add https on the USER->Cloudflare side of communications.
Cloudflare's HTTPS certificate is shared, which means that your website will share it with other dubious websites.

I'm looking at a website on which I have Cloudflare enabled and my certificate is being shared with about 24 other domains. For somebody that knows what HTTPS is about and what it protects against, that's not acceptable. We only accepted it because we find it as being a reasonable compromise given the alternative.

So why isn't Cloudflare generating Lets Encrypt certificates, instead of these shared ones? Given their fast response in pursuing other endeavors, my guess is that they need incentives for people to move to their business plans.

Therefore I'm glad that GitHub Pages can have HTTPS enabled for custom domains. It means I can now turn off CloudFlare.

I'm so glad in fact that I started paying GitHub for a $7 account, even though I don't currently have a need for private repos.

What exactly is the problem? Amazon does the same as well, I believe.

The private keys are never given to you, or other sites. It is all within Cloudflare’s edge.

What's unacceptable? There's nothing insecure about sharing a certificate among multiple hostnames.

Also you can get a dedicated certificate on the free plan for $5/month.

$5/month is $60/year, which is ridiculous.

I maintain 5 websites hosted on 5 different domains (blog in English, blog in native language and 3 project websites). The cost of 5 certificates would be $300 per year, or $25 per month.

Right now I'm paying $0 for the certificates of those 5 domains, thanks to Lets Encrypt.

I've been hosting them myself on a Digital Ocean VPS, with really low maintenance, since the machine is updating itself and the websites get built and deployed via Travis. Now I'm moving them to GitHub Pages and my hosting cost will also be zero.

The certificates are already free, Cloudflare offered them long before LetsEncrypt. You seem to want a dedicated certificate which is what costs money, likely because of their scale and existing integrations. There is no improved security with a dedicated certificate.

You can also host on github pages while using Cloudflare for the custom domain, which is already the most common setup on github for several years now.

If there's nothing wrong with those shared certificates, then CloudFlare wouldn't offer "custom certificates" as a $5/month upgrade.

> You can also host on github pages while using Cloudflare for the custom domain, which is already the most common setup on github for several years now.

Yes, because GitHub Pages was not offering HTTPS for custom domains. Now they do, so that need is gone.

Yes, because people want more, like having multiple levels of subdomains as the free one only supports a single level.

Security is absolutely not an issue with a shared certificate and Cloudflare wouldn't get far as a company if they had an insecure product. Why don't you actually explain what you think is so problematic about sharing a cert?

This is great! Now, if only GitHub would be available via IPv6, that would remove the need for CloudFlare — not that I would necessarily remove CloudFlare, but I would feel better if my setup wasn’t dependent on it.
Can you host multiple HTTPS sites at different domains from one GitHub account?
You get a site per repository!
Could this be related to Google's recent announcement of the .app TLD with mandatory HTTPS[0]?

[0]: https://www.blog.google/topics/developers/introducing-app-mo...

Too little, too late.

I moved my repo to GitLab pages after Google announced it would prioritise sites that support HTTPS in its search results.

You're wildly underestimating how difficult it is to roll out such a change in a backwards-compatible way. It's not like Github did this today after neglecting the feature request for years; they've been on public record at least many months ago saying that they were working on it.

Even if only 1% of users were unable to access a site after the switch to HTTPS, the amount of calls to Github support would be massive.

HTTPS does work for my site now, but I get this warning:

Your connection is not secure / Your connection is not private

Error code: SSL_ERROR_BAD_CERT_DOMAIN (Firefox)

NET::ERR_CERT_COMMON_NAME_INVALID (Chrome)

Trying adding the A records as described here:

https://help.github.com/articles/setting-up-an-apex-domain/

Will update if that works..

I get that warning if I go to https://mycustomdomain.com but I don't if I go to https://www.mycustomdomain.com
It is the same for my domain. Seems to be a bug.
Same here. Redirect from http -> https works fine tho.
I contacted GitHub support about this already. I hope this gets resolved soon.
So, I received an answer from GitHub support, that they tested it, and that all forms of my domain are working now. And indeed, when I tested it again myself, also the apex version of my domain will bring me to the page, without any warnings.

However, https://mydomain.com and https://www.mydomain.com have different SSL certificates. Is this supposed to happen? I assumed that the apex is just a forward to the www subdomain.

It turns out that the apex for me now works only by accident, because I temporarily changed my custom domain to the apex form. This certificate will not get renewed, however. Only the domain that is active gets a certificate.

That means that with https enabled it is no longer pssible to have the apex and www form of a custom domain work simultaneously at a GitHub page! One needs to decide for one or the other.

As a workaround it was suggested to me to create a CNAME record from www to apex at the domain hoster. This, however, will not work for those of us who want to have it the other way around, that is, the apex pointing to the www form of the domain.

I was told that GitHub might consider other solutions in the future.

This is because they have to check your A records and generate the certificate and from my observations that happens when you add the custom domain.

After I've set the A records, I removed the custom domain from GitHub's Settings and then re-added it.

It started working afterwards.

I did that, and still not working. After setting A records, re-entering custom domain and waiting for few minutes, I get this message in Settings of GH-pages `Domain's DNS record could not be retrieved`. Bummer. Maybe I was to eager to remove Cloudflare from the equation.
I've been doing HTTPS on hosted domains for years, and I don't really get how it works in this case. Is it that you don't use your own certificate, but GitHub automatically generates one with Let's Encrypt for you? If not, then how exactly do you give GitHub your cert? The instructions seem vague on this.
You check a checkbox and they generate a cert for your domain. Simple.