Certificate Request Error

GitHub is unable to create a certificate for my custom domain GitHub Pages page. This has worked before, but recently I noticed a certificate error on the page. After reading the documentation, it seemed like I was missing a www CNAME marvk.github.io DNS entry.

After adding this entry, the configuration error on the project's GitHub Pages configuration site got resolved, but I am left with a seemingly properly configured domain, but no certificates being generated.

These are my DNS entries:

And at the content root I have a CNAME file with the content vatprism.org

Barring DNS propagation, which seems to have already happened, I fail to see the issue. Should I just try giving it a bit more time or is there some issue I’m missing?

Thanks in advance.

Hello and welcome here!

You could not have asked at a better time. We actually deployed changes today around certificates handling to correct an entire class of errors that were happening lately.

Your DNS configuration (on the screenshot) looks good. You probably removed it because I am unable to query these records anymore (that would prevent us from obtaining a certificate for your domain). If you want to give it another try, I will be happy to monitor this certificate provisioning for you.

Hey there, thank you! Other than TTL I haven’t touched the records in about 36 hours. The A records have been untouched for months, the only thing I added about 36 hours ago was the CNAME.

On whatismydns.com the propagation seems poor:

However, on dnschecker.com propagation is close to exhaustive:

What method are you using to query the DNS records for the domain?

We use the library we published here: GitHub - github/pages-health-check: Checks your GitHub Pages site for common DNS configuration issues.

And we resolve the DNS records with both Cloudflare (1.1.1.1) and Google (8.8.8.8) if I am not mistaken.

In both cases I am unable to query your DNS zone (e.g. for A records):

I am not familiar with your registrar’s user interface but are you sure your DNS zone is properly published? Some registrars do have a concept of a version you need to publish before propagation can start.

Unfortunately my provider wasn’t able to help me out, however, via

https://dns.google.com/query?name=vatprism.org&rr_type=A&ecs=

I was able to determine that Google wasn’t accepting the DNS entry because of a DNSSEC issue:

{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.vatprism.org.",
      "type": 5
    }
  ],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.vatprism.org/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.vatprism.org for errors"
}

After checking the “DNSSEC Status” checkbox on my provider’s page, the DNS issue went away and shortly after, GitHub started issuing a certificate.

I’m not sure what caused Google to reject the DNS, since all of my other domains don’t have the checkbox checked and resolve without issue on Google.

While my case seems quite specific, I think the user experience on the GitHub Pages page could be improved:

First, it is not transparent when GitHub will try to reissue a certificate, forcing you to clear and re-add the domain as a workaround to manually trigger an attempt at reissuing.

Second, the warning being displayed is quite generic and I’m sure threads like this could be prevented by creating some official documentation.

It sounds like you guys are working on the whole certificate thing at the moment, so I’m sure many of these things are already being worked on.

Thanks for the otherwise excellent service!
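Added example, not part of the original posts and not GitHub's or pages-health-check's code: a small classifier for Google DNS JSON responses like the one quoted above, which separates a DNSSEC validation failure from other SERVFAIL causes by comparing the validating answer with one fetched with checking disabled (the `cd=1` parameter of Google's JSON API). The second response, its TTL, and the names `summarize` and `diagnose` are constructed for illustration.

```python
import json

# RCODE and RR type numbers from the DNS specifications (subset).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

# Response quoted in the thread (validating query, CD=false).
VALIDATING = json.loads("""{
  "Status": 2, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
  "Question": [{"name": "www.vatprism.org.", "type": 5}],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.vatprism.org/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.vatprism.org for errors"
}""")

# Constructed sample: the same question asked with checking disabled (cd=1).
CHECKING_DISABLED = json.loads("""{
  "Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": true,
  "Question": [{"name": "www.vatprism.org.", "type": 5}],
  "Answer": [{"name": "www.vatprism.org.", "type": 5, "TTL": 300, "data": "marvk.github.io."}]
}""")


def summarize(resp):
    """Return (rcode name, question type name, list of answer data)."""
    q = resp["Question"][0]
    answers = [a["data"] for a in resp.get("Answer", [])]
    return (RCODES.get(resp["Status"], str(resp["Status"])),
            RRTYPES.get(q["type"], str(q["type"])), answers)


def diagnose(validating, unvalidated=None):
    """Classify a lookup from a validating response and an optional cd=1 response."""
    rcode, _, answers = summarize(validating)
    if rcode == "NOERROR":
        if not answers:
            return "no-records"
        # AD is set only when the resolver validated every record in the answer.
        return "ok-validated" if validating.get("AD") else "ok-not-validated"
    if rcode == "NXDOMAIN":
        return "name-does-not-exist"
    if rcode == "SERVFAIL":
        # Data that resolves only when validation is skipped points at DNSSEC.
        if unvalidated is not None:
            u_rcode, _, u_answers = summarize(unvalidated)
            if u_rcode == "NOERROR" and u_answers:
                return "dnssec-validation-failure"
        if "dnssec" in str(validating.get("Comment", "")).lower():
            return "dnssec-validation-failure"
        return "servfail-unknown-cause"
    return "other-" + rcode
```

The differential check matters because a SERVFAIL on its own does not say why the resolver gave up, and the `Comment` field is not guaranteed to be present.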

Glad to hear you managed to get your certificate provisioned and thank you for the feedback!

We actually do try to obtain certificates on error continuously in the background. It is just not happening as fast as it does when you go to the Pages settings page simply to stay under rate limits imposed by our certificate provider (Let’s Encrypt).
