Apex Domain Issued Invalid Certificate with GitHub Pages Custom Domain #23184
-
With GitHub Pages configured for a custom domain of I am able to successfully access my GitHub pages site from http://www.webvi.io and https://www.webvi.io. I also configured an ANAME record to the FQDN www.webvi.io: Which based on the documentation reproduced as follows:
I find that the address http://webvi.io is correctly redirected, however the address https://webvi.io fails to load and redirect due to a certificate error: If I manually ignore the security error and continue then the redirect will occur to the https://www.webvi.io address. It looks like there was a similar reported issue. Is there some configuration needed to have the https://webvi.io correctly forward to the www?
Replies: 10 comments
-
Hi @rajsite, GitHub Pages only generates an SSL certificate for the exact domain you enter in the custom domain input box. This means that only www.webvi.io will be secured. The apex domain webvi.io won’t be. This means that you’ll get a security error when you visit the HTTPS variant of your apex domain https://webvi.io/. You can still bypass this security error and you’ll be redirected to the secure version of your www subdomain, but the error will still show. This isn’t an issue if you visit the HTTP variant of your apex domain, http://webvi.io/; you won’t see a security error here and will be redirected normally. There isn’t a direct workaround for this yet. If you need to have both versions of your domain secured then you will likely need to use an external service that can generate SSL certificates for you and use that in place of GitHub’s certificate generation. Many people have success using Cloudflare for this. The Pages team are aware of it though, and are looking to change this at some point in the future, though I can’t give an estimate on when this will happen as it’s not currently on our public roadmap.
-
Hi @thomasshaped, If you look at the link to the similar reported issue this does not seem to be the case in the reverse direction. The existing github project has a custom domain configured for the APEX. Then they configured A records to point to GitHub Pages servers and a CNAME www to their github account. From that you can see GitHub Pages issues a certificate for the apex and the www: So is it intended that GitHub Pages will only issue certs for the APEX and the WWW when the custom domain for a project is configured for the APEX? If this is intended then it seems like the following documentation needs a note to emphasize this is an unsupported configuration:
Am I understanding correctly?
-
rajsite:
No, GitHub directly doesn’t issue certs for both in either instance. In the instance you mention there is a valid certificate for both, but the certificate for You can “trick” Pages into generating a certificate for both by changing your domain to the
-
Thanks for the clarification, I think I have a better understanding of the current expected behavior. For future users I think a temporary note in the documentation would be helpful that describes how users may not see expected behavior with HTTPS enabled when leveraging the GitHub Pages HTTP forwarding feature between a www CNAME and APEX or vice-versa. I appreciate your help!
-
Yeah it is a bit confusing when this happens. For what it’s worth though I believe this will be changed at some point in the future—it’s requested constantly!—but I can’t give you a date on when 😅
-
Yes, I also have the same problem, it would be great if you could implement it at some point!
-
The solution I found was to not use the www CNAME entry to the github website but instead redirect the www of my domain to my web hosting IP address. This way I could generate an SSL certificate with my web hosting provider for my www domain. Then I edited the .htaccess on my website to add redirection conditions from my www domain to my non-www domain. But to do that you need a web hosting service (I am using OVH).
-
lhoupert:
If your domain provider supports this it is also a great solution, yeah! Many people host their DNS with Cloudflare and they provide SSL certs that cover both domains, so that may be an option for anyone else stumbling upon this thread. Keep in mind that if you do this though the HTTPS checkbox in your GitHub Pages settings will likely show that your site isn’t secure—even when it is—because GitHub isn’t aware of the SSL certificate generated by an external service.
-
I had checked the https checkbox on my github page settings. When checking the ssl certificate I got the results below: Am I right to think that this is ok?
-
In your case it shouldn’t matter really, so you should be fine. If your certificate is controlled by your domain provider that cert should continue to be valid. If GitHub had previously generated a certificate for your domain then this will just expire and won’t be renewed, but it shouldn’t cause any problems with your site’s actual SSL certificate generated by your domain provider. Once this GitHub certificate does expire the checkbox in settings may uncheck itself automatically, or even show an error, but your site should continue to work.
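The question running through this thread is which hostnames a served certificate is actually valid for. The following is an added example, not part of the original discussion or GitHub's tooling: it checks whether a certificate's subject alternative names cover both an apex domain and its www subdomain. The function names are hypothetical and the `example.com` SAN lists are constructed sample data.

```python
import socket
import ssl
import sys

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans or drops labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def coverage(sans, apex):
    """Map the apex and www.<apex> to whether any SAN entry covers them."""
    names = (apex, "www." + apex)
    return {n: any(san_matches(s, n) for s in sans) for n in names}

def live_sans(host, port=443, timeout=5.0):
    """Handshake with normal verification and return the SAN DNS names.
    Raises ssl.SSLCertVerificationError when the certificate does not match."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def check_live(apex):
    """Browser-like check of both hostnames; returns a status string per name."""
    results = {}
    for name in (apex, "www." + apex):
        try:
            results[name] = "ok: " + ", ".join(live_sans(name))
        except ssl.SSLCertVerificationError as e:
            results[name] = "certificate error: " + e.verify_message
        except OSError as e:
            results[name] = "connection error: " + str(e)
    return results

# Constructed SAN lists (not taken from any real certificate).
WWW_ONLY = ["www.example.com"]                 # cert issued for the www name only
BOTH = ["example.com", "www.example.com"]      # cert covering both names
WILDCARD = ["*.example.com"]                   # wildcard: still no apex coverage

if __name__ == "__main__":
    for label, sans in (("www only", WWW_ONLY), ("both", BOTH), ("wildcard", WILDCARD)):
        print(label, coverage(sans, "example.com"))
    if len(sys.argv) > 1:                      # optional live check of your own domain
        print(check_live(sys.argv[1]))
```

Passing your own apex domain as the first argument runs the live check against both hostnames over the network.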