Is there any way to configure Cloudflare such that GH Pages certificate renewal will succeed?

Here is my situation:

  • I have a GH pages site github.com/myorg/mysite with a custom domain foo.example.com
  • The DNS for that site is configured in Cloudflare as a CNAME record from foo.example.com to myorg.github.io
  • This CNAME record is behind Cloudflare’s proxy so that we can do some things with caching
  • The first time we set up the custom domain, we left the Cloudflare proxy off until GitHub had finished provisioning a TLS cert
  • Once GitHub generated a cert we then turned on the Cloudflare proxy and enabled Full (Strict) encryption
  • This worked fine for 3 months, but then GitHub attempted to renew its own cert. This failed because something Cloudflare is doing between the internet and GitHub’s server is causing renewal to fail.

I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

Has anyone had success dealing with this issue?


I’m not sure whether GitHub expects the CNAME record to resolve without Cloudflare’s proxy in place, or if there are certain Let’s Encrypt-related endpoints we can exempt from our page rules etc. that would allow renewal to work.

The former. With the proxy feature turned on, effectively you need to handle TLS certificates at Cloudflare, since the IP that comes back in the DNS query belongs to Cloudflare, not GitHub. This means GitHub can’t successfully obtain a certificate. Cloudflare is able to automatically obtain a certificate for you as well and it works basically the same way, but keep in mind that the GitHub UI will not reflect that it’s on HTTPS since Cloudflare is the one enforcing those settings. If you disable Cloudflare’s proxy setting and have it do just DNS resolution, GitHub will be able to obtain and enforce the certificate, but you’ll lose some of the features of Cloudflare that require it to be set up as a proxy.
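The reply above hinges on one observable fact: with the orange-cloud proxy on, the public DNS answer for the custom domain is a Cloudflare address, not a GitHub Pages address, so GitHub's certificate issuance can never be validated. The following script is an added diagnostic example (not from this thread, GitHub or Cloudflare) that classifies a set of resolved IPv4 addresses as "proxied by Cloudflare" or "pointing straight at GitHub Pages", which tells you in advance whether a GitHub-issued renewal can succeed. It assumes GitHub's four published Pages A-record addresses and Cloudflare's published IPv4 ranges as they stand at time of writing (both lists are published by the respective vendors and can change); the sample DNS answers are constructed, and the optional live lookup of a hostname is only attempted when the script is run directly.

```python
"""Check whether a GitHub Pages custom domain resolves through Cloudflare's proxy.

Added example, not code from the thread. Assumptions:
  * GITHUB_PAGES_V4 is the set of IPv4 addresses GitHub documents for Pages
    (what <user>.github.io resolves to when no proxy is in front of it).
  * CLOUDFLARE_V4 is Cloudflare's published IPv4 range list (cloudflare.com/ips-v4).
Both lists are vendor-published and may change; refresh them before relying on
the result.
"""
import ipaddress
import socket
import sys

# GitHub Pages A-record addresses (from GitHub's Pages custom-domain docs).
GITHUB_PAGES_V4 = {
    ipaddress.ip_address(a)
    for a in ("185.199.108.153", "185.199.109.153",
              "185.199.110.153", "185.199.111.153")
}

# Cloudflare IPv4 ranges (published list, assumed current at time of writing).
CLOUDFLARE_V4 = [
    ipaddress.ip_network(n)
    for n in (
        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
        "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    )
]


def is_cloudflare(addr: str) -> bool:
    """True if the address falls inside one of Cloudflare's published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V4)


def is_github_pages(addr: str) -> bool:
    """True if the address is one of GitHub's Pages front-end addresses."""
    return ipaddress.ip_address(addr) in GITHUB_PAGES_V4


def classify_answer(addresses) -> str:
    """Classify a DNS answer (list of IPv4 strings) for a Pages custom domain.

    'cloudflare-proxy': every address is Cloudflare's -> orange cloud is on,
                        so the ACME validation request never reaches GitHub.
    'github-pages':     every address is GitHub's -> DNS-only, GitHub can
                        obtain and renew its own certificate.
    'unknown':          empty, mixed, or pointing somewhere else entirely.
    """
    if not addresses:
        return "unknown"
    if all(is_cloudflare(a) for a in addresses):
        return "cloudflare-proxy"
    if all(is_github_pages(a) for a in addresses):
        return "github-pages"
    return "unknown"


def github_renewal_possible(addresses) -> bool:
    """GitHub can only validate the domain when the answer points at GitHub."""
    return classify_answer(addresses) == "github-pages"


def resolve_v4(hostname: str):
    """Live lookup helper: IPv4 addresses the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed sample answers (not real lookups of any site on this thread).
PROXIED_ANSWER = ["104.21.55.10", "172.67.140.22"]   # constructed Cloudflare addresses
DNS_ONLY_ANSWER = ["185.199.108.153", "185.199.109.153",
                   "185.199.110.153", "185.199.111.153"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    answer = resolve_v4(host) if host else PROXIED_ANSWER
    verdict = classify_answer(answer)
    print(f"{host or 'sample'}: {answer} -> {verdict}; "
          f"GitHub-managed renewal possible: {github_renewal_possible(answer)}")
```

Run it as `python check_pages_dns.py foo.example.com` against a host you operate: a `cloudflare-proxy` verdict means the certificate you see in the browser is Cloudflare's edge certificate and GitHub's own renewal will keep failing, exactly as described above; a `github-pages` verdict means the record is DNS-only and GitHub can renew. A mixed or `unknown` result usually means a stale record or a CNAME pointing somewhere other than `<org>.github.io` and is worth investigating before touching the proxy setting.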

I’m expecting exactly the same situation. I have a working SSL certificate from GitHub Pages behind Cloudflare now, but I don’t think it will be able to renew itself when it expires. I was hoping there’d be a page rule to configure which would allow renewal. I’ve disabled “Always Use HTTPS” and in combination with page rules it’s possible to renew Let’s Encrypt certificates behind Cloudflare:

Page rule 1

*debeer.it/.well-known*
SSL: Off

Page rule 2

*debeer.it/*
Always Use HTTPS

However, this doesn’t work with GitHub Pages. Have you found a way to actually renew the GitHub Pages certificate? I would prefer not to disable the Cloudflare proxy… How about just using “SSL Full” instead of “SSL Full (strict)”? I expect it would continue to work, even after the certificate expires.