Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed? #23632

lukewestby · 2020-10-06T16:25:01Z

lukewestby
Oct 6, 2020

Here is my situation:

I have a GH pages site github.com/myorg/mysite with a custom domain foo.example.com
The DNS for that site is configured in Cloudflare as a CNAME record from foo.example.com to myorg.github.io
This CNAME record is behind Cloudflare’s proxy so that we can do some things with caching
The first time we set up the custom domain, we left the Cloudflare proxy off until GitHub had finished provisioning a TLS cert
Once GitHub generated a cert we then turned on the Cloudflare proxy and enabled Full (Strict) encryption
This worked fine for 3 months, but then GitHub attempted to renew its own cert. This failed because something Cloudflare is doing between the internet and GitHub’s server is causing renewal to fail.

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

Has anyone had success dealing with this issue?

Answered by tcbyrd

Oct 7, 2020

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

The former. With the proxy feature turned on, effectively you need to handle TLS certificates at Cloudflare, since the IP that comes back in the DNS query belongs to Cloudflare, not GitHub. This means GitHub can’t successfully obtain a certificate. Cloudflare is able to automatically obtain a certificate for you as well and it works basically the same way, but keep in mind that the GitHub UI will not reflect that it’s on HTTPS since Cloudflare is the one enforc…

View full answer

tcbyrd · 2020-10-07T20:41:53Z

tcbyrd
Oct 7, 2020
Collaborator

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

The former. With the proxy feature turned on, effectively you need to handle TLS certificates at Cloudflare, since the IP that comes back in the DNS query belongs to Cloudflare, not GitHub. This means GitHub can’t successfully obtain a certificate. Cloudflare is able to automatically obtain a certificate for you as well and it works basically the same way, but keep in mind that the GitHub UI will not reflect that it’s on HTTPS since Cloudflare is the one enforcing those settings. If you disable Cloudflare’s proxy setting and have it do just DNS resolution, GitHub will be able to obtain and enforce the certificate, but you’ll lose some of the features of Cloudflare that require it to be setup as a proxy.

2 replies

MakotoE Feb 10, 2024

I assume that if Cloudflare handles the certificate, the proxy-to-origin connection must be unsecured, right? This would be undesireable and I would rather turn off the proxy.

tcbyrd Feb 14, 2024
Collaborator

If you treat the origin as https://<username>.github.io it can still be https from cloudflare to us. The certificate for that is a wildcard cert we manage for all of *.github.io and doesn't need to be provisioned dynamically. As far as I know this is possible with Cloudflare, although I think it would require more setup than just toggling the orange cloud. You effectively need to tell cloudflare "for my domain, proxy the origin request to https://<username>.github.io".

Jip-Hop · 2020-11-19T17:03:18Z

Jip-Hop
Nov 19, 2020

I’m expecting exactly the same situation. I have a working SSL certificate from GitHub Pages behind Cloudflare now, but I don’t think it will be able to renew itself when it expires. I was hoping there’d be a page rule to configure which would allow renewal. I’ve disabled “Always Use HTTPS” and in combination with page rules it’s possible to renew Let’s Encrypt certificates behind Cloudflare:

Page rule 1

*debeer.it/.well-known*
SSL: Off

Page rule 2

*debeer.it/*
Always Use HTTPS

However this doesn’t work with GitHub Pages. Have you found a way to actually renew the GitHub Pages certificate? I would prefer not to disable the Cloudflare proxy… How about just using “SSL Full” instead of “SSL Full (strict)”? I expect it would continue to work, even after the certificate expires.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed? #23632

{{title}}

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed? #23632

lukewestby Oct 6, 2020

Replies: 2 comments · 2 replies

tcbyrd Oct 7, 2020 Collaborator

MakotoE Feb 10, 2024

tcbyrd Feb 14, 2024 Collaborator

Jip-Hop Nov 19, 2020

Page rule 1

Page rule 2

lukewestby
Oct 6, 2020

Replies: 2 comments 2 replies

tcbyrd
Oct 7, 2020
Collaborator

tcbyrd Feb 14, 2024
Collaborator

Jip-Hop
Nov 19, 2020