Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed?

Here is my situation:

  • I have a GH pages site github.com/myorg/mysite with a custom domain foo.example.com
  • The DNS for that site is configured in Cloudflare as a CNAME record from foo.example.com to myorg.github.io
  • This CNAME record is behind Cloudflare’s proxy so that we can do some things with caching
  • The first time we set up the custom domain, we left the Cloudflare proxy off until GitHub had finished provisioning a TLS cert
  • Once GitHub generated a cert we then turned on the Cloudflare proxy and enabled Full (Strict) encryption
  • This worked fine for 3 months, but then GitHub attempted to renew its own cert. This failed because something Cloudflare is doing between the internet and GitHub’s server is causing renewal to fail.

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

Has anyone had success dealing with this issue?

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

The former. With the proxy feature turned on, effectively you need to handle TLS certificates at Cloudflare, since the IP that comes back in the DNS query belongs to Cloudflare, not GitHub. This means GitHub can’t successfully obtain a certificate. Cloudflare is able to automatically obtain a certificate for you as well and it works basically the same way, but keep in mind that the GitHub UI will not reflect that it’s on HTTPS since Cloudflare is the one enforcing those settings. If you disable Cloudflare’s proxy setting and have it do just DNS resolution, GitHub will be able to obtain and enforce the certificate, but you’ll lose some of the features of Cloudflare that require it to be set up as a proxy.
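The answer turns on one observable fact: which party's IP addresses the hostname resolves to, and therefore which party terminates TLS and can obtain a certificate for it. The script below is an added diagnostic example (not code from either poster) that makes that check explicit: it classifies the resolved addresses as Cloudflare edge IPs (proxy on) or GitHub Pages IPs (DNS-only) and reports whether GitHub is in a position to issue or renew its own certificate. The Cloudflare ranges and GitHub Pages addresses embedded in it are a point-in-time snapshot of the providers' published lists and are an assumption of this example; refresh them from the providers before relying on the result. The live `main` probe uses the standard `socket` and `ssl` modules and needs network access; the classification functions run offline.

```python
"""Determine who terminates TLS for a custom domain in front of GitHub Pages.

Added example, not from the original thread.  Cloudflare proxy on  ->  the
hostname resolves to Cloudflare edge IPs, Cloudflare holds the certificate
and GitHub cannot obtain or renew one.  Proxy off (DNS only)  ->  the
hostname resolves to GitHub Pages IPs and GitHub can manage the certificate.
"""
import ipaddress
import socket
import ssl
from typing import Iterable, Optional

# Cloudflare IPv4 edge ranges (snapshot; the authoritative list is published
# at https://www.cloudflare.com/ips/ and must be refreshed before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# GitHub Pages IPv4 addresses (snapshot from GitHub's custom-domain docs).
GITHUB_PAGES_V4 = {
    "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153",
}


def classify_address(ip: str) -> str:
    """Return 'cloudflare', 'github' or 'unknown' for one IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if str(addr) in GITHUB_PAGES_V4:
        return "github"
    if any(addr in net for net in CLOUDFLARE_V4):
        return "cloudflare"
    return "unknown"


def classify_resolution(ips: Iterable[str]) -> str:
    """Summarise a full answer set: every address must agree to be conclusive."""
    kinds = {classify_address(ip) for ip in ips}
    if kinds == {"cloudflare"}:
        return "cloudflare-proxied"
    if kinds == {"github"}:
        return "dns-only"
    return "mixed-or-unknown"


def github_can_renew(resolution: str, issuer_org: Optional[str] = None) -> bool:
    """GitHub can only validate and renew when it is the host actually reached.

    issuer_org is the organisation on the certificate the client receives
    (from a live probe); a Cloudflare-issued leaf is a second signal that
    Cloudflare, not GitHub, is terminating TLS.
    """
    if resolution != "dns-only":
        return False
    if issuer_org and "cloudflare" in issuer_org.lower():
        return False
    return True


def resolve(hostname: str) -> list:
    """Live lookup of the A/AAAA answers the public sees (needs network)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def served_cert_issuer(hostname: str) -> Optional[str]:
    """Connect with SNI and return the issuer organizationName of the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            issuer = tls.getpeercert().get("issuer", ())
    for rdn in issuer:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


if __name__ == "__main__":
    # Hypothetical hostname from the question; replace with your own.
    host = "foo.example.com"
    ips = resolve(host)
    res = classify_resolution(ips)
    org = served_cert_issuer(host)
    print(f"{host} -> {ips} ({res}); served cert issued by {org!r}")
    print("GitHub can issue/renew its own cert:", github_can_renew(res, org))
```

Run it once with the Cloudflare proxy on and once in DNS-only mode and the two outputs show exactly the situation the answer describes: proxied, the answers fall inside Cloudflare's ranges and the served leaf is Cloudflare's, so GitHub's renewal has nothing to validate against; DNS-only, the answers are the four GitHub Pages addresses and GitHub can complete issuance.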