Github Pages: Let's Encrypt!

github-pages-https-lets-encrypt.md

Please petition Github to support HTTPS on github pages: https://github.com/contact

Here's what I wrote:

Obviously, a lot of people want HTTPS for github pages:

• isaacs/github#156

Until recently, that would be difficult to implement but, as it turns out, the implementation is pretty much complete:

• https://letsencrypt.org
• https://github.com/letsencrypt/lets-encrypt-preview
• https://github.com/letsencrypt/node-acme

I'm a freelancer, so I've got time and I'd love to help out in any way I can (I'd even come work for you at a substandard rate) if we could get this implemented by Let's Encrypt launch day.

You can also send a message to [email protected]

It's worth pointing out that the .app top-level domain (TLD) is launching on May 8th. Particularly notable for this discussion is that the entire TLD is HSTS-preloaded, meaning that HTTPS is required. So it'd be ideal if GitHub's Let's Encrypt integration for custom domains could go live before then, otherwise GitHub customers won't be able to use GitHub to host their .app domain names.

Would love the hive mind to contribute better instructions to switch for anyone with a Jekyll blog, I started http://code.dblock.org/2018/03/07/enabling-ssl-on-github-pages.html.

@dblock I think these instructions only make sense when you are part of the roll-out as far as I see - for a moment I thought there might be a trick you found to force this ;-)

I changed the CNAME for my apex domain, https://dblock.org to sni.github.map.fastly.net, but that doesn't seem to be serving a dblock.org cert for https for dblock.org. I wonder whether there will be a solution for that? Also whether HSTS is going to be enforceable.

@dblock:

• jonwillia.ms works for me if I put it in /etc/hosts (I’m waiting for DNS to propagate) and hit reload in Safari
• I see the correct (“sni" endpoint) ip for dblock.org
• dblock.org does NOT work for me if I put it in /etc/hosts; github serves the plain github cert.
• dblock.org also has an ipv6 address; I have it turned off in my network stack (just a data point)
• Perhaps github checks the DNS configuration on push to determine which cert to present during SNI and caches it. Since I'm doing this today & dblock's repo was pushed 5 days ago, perhaps you encountered older logic. Try pushing?

+1

+1

+1

+1

+1

+1

I also noticed today, that this is already working for one of my (new) domains: https://twitter.com/stefan2904/status/983469050696257537

+1 for Let's Encrypt support

+1

+1 must-have

FTR - I added jan.wildeboer.net as my custom domain name last friday (2018-04-20) and after about an hour I noticed that a letsencrypt certificate had been automagically added and configured. I could switch my .github.io repo to "enforce HTTPS". So it seems they are doing a soft roll-out (for all? A/B testing?) and I expect an official announcement in the next few weeks.

+1

+1

HTTPS is now officially supported on custom domains!
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

+1024