Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed? #23632
Here is my situation:
I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work. Has anyone had success dealing with this issue?
Replies: 2 comments 2 replies
The former. With the proxy feature turned on, effectively you need to handle TLS certificates at Cloudflare, since the IP that comes back in the DNS query belongs to Cloudflare, not GitHub. This means GitHub can’t successfully obtain a certificate. Cloudflare is able to automatically obtain a certificate for you as well and it works basically the same way, but keep in mind that the GitHub UI will not reflect that it’s on HTTPS since Cloudflare is the one enforcing those settings. If you disable Cloudflare’s proxy setting and have it do just DNS resolution, GitHub will be able to obtain and enforce the certificate, but you’ll lose some of the features of Cloudflare that require it to be set up as a proxy.
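A small diagnostic for telling which of the two cases above a custom domain is in, added here as an example and not code from this thread or from GitHub/Cloudflare: it resolves the host, tests the answers against proxy ranges, and reads the issuer of the certificate actually served. The proxy ranges in the script are a constructed sample; replace them with the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 before relying on the result.

```python
import ipaddress
import socket
import ssl

# Constructed sample standing in for Cloudflare's published IPv4 list
# (https://www.cloudflare.com/ips-v4). Replace before real use.
CLOUDFLARE_RANGES_SAMPLE = ["104.16.0.0/13", "172.64.0.0/13"]


def resolve(hostname):
    """Return the IPv4 addresses a plain DNS lookup yields for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def served_cert_issuer(hostname):
    """Connect with TLS and return the organizationName of the issuer of the
    certificate that is actually served (Cloudflare's edge cert when proxied,
    GitHub's Let's Encrypt cert when DNS-only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            issuer = dict(entry[0] for entry in tls.getpeercert()["issuer"])
    return issuer.get("organizationName", "")


def proxied(addresses, proxy_ranges):
    """True when any resolved address lies in a proxy range, meaning the
    ACME validation request reaches the proxy rather than GitHub Pages."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    return any(ipaddress.ip_address(a) in n for a in addresses for n in nets)


def diagnose(addresses, proxy_ranges):
    """Map resolved addresses onto the situation the thread describes."""
    if not addresses:
        return "no-answer: the name does not resolve, so nobody can validate it"
    if proxied(addresses, proxy_ranges):
        return ("proxied: validation hits Cloudflare, GitHub cannot obtain a "
                "certificate; TLS must be handled at Cloudflare")
    return "direct: GitHub receives validation requests and can renew its cert"


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    addrs = resolve(host)
    print(host, addrs, diagnose(addrs, CLOUDFLARE_RANGES_SAMPLE))
    print("served certificate issuer:", served_cert_issuer(host))
```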
I’m expecting exactly the same situation. I have a working SSL certificate from GitHub Pages behind Cloudflare now, but I don’t think it will be able to renew itself when it expires. I was hoping there’d be a page rule to configure which would allow renewal. I’ve disabled “Always Use HTTPS” and in combination with page rules it’s possible to renew Let’s Encrypt certificates behind Cloudflare:
[Screenshot: Page rule 1]
[Screenshot: Page rule 2]
However this doesn’t work with GitHub Pages. Have you found a way to actually renew the GitHub Pages certificate? I would prefer not to disable the Cloudflare proxy… How about just using “SSL Full” instead of “SSL Full (strict)”? I expect it would continue to work, even after the certificate expires.