@coolaj86
Last active November 16, 2021 22:36
Github Pages: Let's Encrypt!

Please petition Github to support HTTPS on github pages: https://github.com/contact

Here's what I wrote:

Obviously, a lot of people want HTTPS for github pages:

Until recently, that would be difficult to implement but, as it turns out, the implementation is pretty much complete:

I'm a freelancer, so I've got time and I'd love to help out in any way I can (I'd even come work for you at a substandard rate) if we could get this implemented by Let's Encrypt launch day.

You can also send a message to support@github.com

@pfsmorigo

terryburton, how do you know? can you point me to where you saw it?

@aviau

aviau commented Feb 22, 2018

They deployed SSL on my Github Pages site on February 14. I realized it just as I was done switching to AWS so that I could use SSL with AWS CloudFront. I wish I noticed before, I wouldn't have spent the time to migrate.

You can check it out while it is still live, but I have completed the switch to AWS so the certificate on www.alexandreviau.net will soon be an Amazon-signed certificate.

@petbadger

+1

@href

href commented Mar 1, 2018

We've also been migrated over at https://www.python-summit.ch/. The cert is by Let's Encrypt and the server is Github's:

dig www.python-summit.ch +short

swisspy.github.io.
sni.github.map.fastly.net.
151.101.121.147

http --headers https://www.python-summit.ch

HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Age: 297
Cache-Control: max-age=600
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 4381
Content-Type: text/html; charset=utf-8
Date: Thu, 01 Mar 2018 13:47:51 GMT
Expires: Thu, 01 Mar 2018 10:57:24 GMT
Last-Modified: Thu, 22 Feb 2018 10:10:37 GMT
Server: GitHub.com
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cache: HIT
X-Cache-Hits: 1
X-Fastly-Request-ID: 363b386d720e7e6c82e9b5c480e418cf09475732
X-GitHub-Request-Id: 284E:17563:2AAB3A3:3C09ED3:5A97DA3C
X-Served-By: cache-ams4130-AMS
X-Timer: S1519912071.406092,VS0,VE1

@jxdwinter

+1

@hamzaydia

+1, highly important feature

@ligi

ligi commented Mar 4, 2018

@terryburton do you have a link to where you got this information from?
@aviau did you trigger this somehow? I just tried for walleth (http://walleth.org / https://walleth.org / https://github.com/walleth/walleth.github.com) am still seeing this:
@href did you do something special?

@href

href commented Mar 5, 2018

No, I basically discovered that our domain had a cert all of a sudden.

@ligi

ligi commented Mar 5, 2018

@href: thanks for the info!

@ligi

ligi commented Mar 5, 2018

Just had a very friendly reply from the github staff/support:

Hi ligi,

As you've discovered, some GitHub Pages sites have been issued SSL certificates from Let's Encrypt, enabling HTTPS for your custom domain. This isn't officially supported yet and it's not possible for you to enable and enforce it on your sites at this time.

We know how important secure browsing is for our users, but we don't have anything official to announce at this time. If and when this feature is officially released, we will announce it on our blog:

https://github.com/blog

Let us know if you have other questions!

Thanks,
Thomas
GitHub Support

and:

Hey ligi,

Can I quote this email you sent me in the gist so other users will not bother you?

Sure, go ahead! That's our official statement right now, and hopefully we'll have some more news to share in the very near future.

We're really happy to see people are so excited about this finally happening (I am too, it's been a long time coming!) and I really hope we can get this out soon, once we squash a few more bugs of course!

Thanks,
Thomas
GitHub Support

looking forward to it - @ghithub <3

@CydeWeys

CydeWeys commented Mar 5, 2018

It's worth pointing out that the .app top-level domain (TLD) is launching on May 8th. Particularly notable for this discussion is that the entire TLD is HSTS-preloaded, meaning that HTTPS is required. So it'd be ideal if GitHub's Let's Encrypt integration for custom domains could go live before then, otherwise GitHub customers won't be able to use GitHub to host their .app domain names.

@dblock

dblock commented Mar 8, 2018

Would love the hive mind to contribute better instructions to switch for anyone with a Jekyll blog, I started http://code.dblock.org/2018/03/07/enabling-ssl-on-github-pages.html.

@ligi

ligi commented Mar 9, 2018

@dblock I think these instructions only make sense when you are part of the roll-out as far as I see - for a moment I thought there might be a trick you found to force this ;-)

@dblock

dblock commented Mar 12, 2018

I changed the CNAME for my apex domain, https://dblock.org to sni.github.map.fastly.net, but that doesn't seem to be serving a dblock.org cert for https for dblock.org. I wonder whether there will be a solution for that? Also whether HSTS is going to be enforceable.

@wizardishungry

@dblock:

  • jonwillia.ms works for me if I put it in /etc/hosts (I’m waiting for DNS to propagate) and hit reload in Safari
  • I see the correct ("sni" endpoint) ip for dblock.org
  • dblock.org does NOT work for me if I put it in /etc/hosts; github serves the plain github cert.
  • dblock.org also has an ipv6 address; I have it turned off in my network stack (just a data point)
  • Perhaps github checks the DNS configuration on push to determine which cert to present during SNI and caches it. Since I'm doing this today & dblock's repo was pushed 5 days ago, perhaps you encountered older logic. Try pushing?
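
The check described in the comment above (does the server present a certificate for the custom domain, or fall back to its default one?) can be written out as follows. This is an added example, not part of the thread: it works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and both sample certificates, including the `*.github.io` names standing in for "the plain github cert", are constructed assumptions.

```python
# Added example, not from the thread. Input is the dict shape returned by
# ssl.SSLSocket.getpeercert(); both sample certificates below are constructed.

def san_dns_names(cert):
    """DNS entries from the certificate's subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def issuer_org(cert):
    """organizationName from the issuer's relative distinguished names."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def classify(cert, host):
    """Label what the server presented when asked (via SNI) for `host`."""
    if not any(name_matches(n, host) for n in san_dns_names(cert)):
        return "fallback-cert"        # name mismatch: default cert was served
    if issuer_org(cert) == "Let's Encrypt":
        return "custom-domain-cert"   # per-domain certificate has been issued
    return "covered-other-ca"

# Constructed sample: a certificate issued for a custom domain.
CUSTOM = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "www.example.org"),),
}
# Constructed sample: a default wildcard certificate (names are an assumption).
FALLBACK = {
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "*.github.io"), ("DNS", "github.io")),
}

if __name__ == "__main__":
    print(classify(CUSTOM, "www.example.org"), classify(FALLBACK, "dblock.org"))
```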

@gpkc

gpkc commented Mar 25, 2018

+1

@adueppen

+1

@cdobraunig

+1

@imryan

imryan commented Mar 28, 2018

+1

@luiscastro193

+1

@morfien101

+1

@stefan2904

I also noticed today, that this is already working for one of my (new) domains: https://twitter.com/stefan2904/status/983469050696257537

@avanc

avanc commented Apr 18, 2018

+1 for Let's Encrypt support

@sambaldwin

+1

@rnegron

rnegron commented Apr 21, 2018

+1 must-have

@jwildeboer

FTR - I added jan.wildeboer.net as my custom domain name last Friday (2018-04-20) and after about an hour I noticed that a letsencrypt certificate had been automagically added and configured. I could switch my .github.io repo to "enforce HTTPS". So it seems they are doing a soft roll-out (for all? A/B testing?) and I expect an official announcement in the next few weeks.

@20TRIES

20TRIES commented Apr 24, 2018

+1

@TomFanella4

+1

@0xdea

0xdea commented May 1, 2018

HTTPS is now officially supported on custom domains!
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

@liudonghua123

+1024
