Here is my situation:
- I have a GH pages site github.com/myorg/mysite with a custom domain foo.example.com
- The DNS for that site is configured in Cloudflare as a CNAME record from foo.example.com to myorg.github.io
- This CNAME record is behind Cloudflare’s proxy so that we can do some things with caching
- The first time we set up the custom domain, we left the Cloudflare proxy off until GitHub had finished provisioning a TLS cert
- Once GitHub generated a cert we then turned on the Cloudflare proxy and enabled Full (Strict) encryption
- This worked fine for 3 months, but then GitHub attempted to renew its own cert. This failed because something Cloudflare is doing between the internet and GitHub’s server is causing renewal to fail.
I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.
Has anyone had success dealing with this issue?
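A diagnostic for the situation described above, added here as an example (it is not code from the post, from GitHub or from Cloudflare). Let's Encrypt's HTTP-01 challenge needs the CA to fetch `http://<domain>/.well-known/acme-challenge/<token>` from the server that holds the token, which for GitHub Pages is GitHub's; the script checks what an outside client actually sees for the domain: whose addresses the name resolves to (with the Cloudflare proxy on, the CNAME to `myorg.github.io` is flattened into Cloudflare edge addresses) and who answers on the challenge path. The Cloudflare and GitHub Pages address ranges and the `server`/`cf-ray` header values are snapshots assumed here; verify them against the providers' current published lists before relying on the verdict. `foo.example.com` is the placeholder from the post.

```python
"""Check which edge an outside client reaches for a GitHub Pages custom domain.

Added example, standard library only. The classification functions take
constructed input so they can be run offline; live_probe() does the real
DNS lookup and HTTP request when the script is run directly.
"""
import ipaddress
import socket
import sys
import urllib.error
import urllib.request

# Snapshot of published IPv4 ranges (assumption: verify against
# https://www.cloudflare.com/ips-v4 and GitHub's Pages documentation).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]
# GitHub Pages A records (185.199.108-111.153) all fall inside this block.
GITHUB_PAGES_V4 = [ipaddress.ip_network("185.199.108.0/22")]

ACME_PATH = "/.well-known/acme-challenge/probe"


def classify_address(addr: str) -> str:
    """Return 'cloudflare', 'github' or 'other' for one resolved IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CLOUDFLARE_V4):
        return "cloudflare"
    if any(ip in net for net in GITHUB_PAGES_V4):
        return "github"
    return "other"


def classify_challenge_response(status: int, headers: dict) -> str:
    """Decide who answered a probe of the ACME challenge path.

    headers is a mapping with lower-cased names. Cloudflare's proxy answers
    with `server: cloudflare` and adds `cf-ray`; GitHub Pages answers with
    `server: GitHub.com`. The status code is reported but not used to decide:
    a 404 for an unknown token is expected from either side.
    """
    server = headers.get("server", "").lower()
    if server == "cloudflare" or "cf-ray" in headers:
        return "cloudflare"
    if server == "github.com":
        return "github"
    return "unknown"


def diagnose(addresses, status: int, headers: dict) -> dict:
    """Combine resolution and probe results into a verdict on the challenge path."""
    edges = {classify_address(a) for a in addresses}
    answerer = classify_challenge_response(status, headers)
    if edges == {"cloudflare"}:
        verdict = "proxied"
        note = ("resolvers see Cloudflare edge addresses, so the CNAME to the "
                "github.io host is not visible and the ACME validator connects to "
                "Cloudflare; GitHub only sees the challenge if Cloudflare passes "
                "the acme-challenge path through to the origin unchanged")
    elif edges == {"github"}:
        verdict = "dns-only"
        note = "resolvers see GitHub Pages addresses; the validator reaches GitHub directly"
    else:
        verdict = "mixed"
        note = "addresses belong to more than one provider or to neither; check the DNS records"
    return {"edges": sorted(edges), "status": status, "answerer": answerer,
            "verdict": verdict, "note": note}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the first hop is what tells us who sits in front.
    def redirect_request(self, *args, **kwargs):
        return None


def live_probe(domain: str):
    """Resolve the domain and request the ACME challenge path over plain HTTP."""
    addrs = sorted({ai[4][0] for ai in
                    socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{domain}{ACME_PATH}", timeout=10) as resp:
            status, headers = resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx still carry the edge's headers
        status, headers = err.code, {k.lower(): v for k, v in err.headers.items()}
    return addrs, status, headers


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "foo.example.com"
    try:
        print(diagnose(*live_probe(target)))
    except (socket.gaierror, urllib.error.URLError, OSError) as exc:
        print(f"probe of {target} failed: {exc}")
```

Run it as `python3 probe.py foo.example.com` both with the Cloudflare proxy on and with the record set to DNS-only; the `edges` and `answerer` fields show directly whether the ACME validator's request ever reaches GitHub's servers or stops at Cloudflare's edge.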