upgrade to HTTPS #165

Closed
garrett opened this issue May 1, 2018 · 12 comments
@garrett
Member

garrett commented May 1, 2018

GitHub pages now supports HTTPS for custom domains.

We should upgrade to HTTPS and make it the default.

More information at https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

@garrett
Member Author

garrett commented May 2, 2018

It looks like we're using A, which requires DNS modification:
https://help.github.com/articles/setting-up-an-apex-domain/#configuring-a-records-with-your-dns-provider

TODO:

  • update DNS with the new IPs (HTTPS should automatically work)
  • remove & re-add domain to trigger new cert
  • "Enforce HTTPS" option in the repo settings (after confirming it works)

@martinpitt
Member

martinpitt commented May 9, 2018

I locally verified that the IPs in https://help.github.com/articles/setting-up-an-apex-domain/#configuring-a-records-with-your-dns-provider work in general. Of course there is still no valid LE certificate on it, as creating that depends on the official DNS servers pointing to these IPs. But it confirms that changing DNS now won't break anything.

Right now, the IPs are still old indeed:

❱❱❱ dig A cockpit-project.org
cockpit-project.org.	55	IN	A	192.30.252.154
cockpit-project.org.	55	IN	A	192.30.252.153

@sgallagher : Can you please switch them to the four IPs that are mentioned on the above gh page?

 185.199.108.153
 185.199.109.153
 185.199.110.153
 185.199.111.153

Thanks!

@sgallagher

I just pushed out this change. It may take up to a day to propagate.

@garrett
Member Author

garrett commented May 9, 2018

I've checked step 1. Let's see how well this works and flip the switch to enforcing in a day (or most likely: next week, due to the holiday weekend).

@sgallagher

So, after this propagated, I get a certificate validation failure, which is expected because the SSL cert is issued with only the following SAN values:

X509v3 Subject Alternative Name: 
                DNS:www.github.com, DNS:*.github.com, DNS:github.com, DNS:*.github.io, DNS:github.io, DNS:*.githubusercontent.com, DNS:githubusercontent.com

Connecting via https://cockpit-project.github.io works successfully for that connection, however it automatically redirects the browser to http://cockpit-project.org (non-SSL).

@larskarlitski
Contributor

> Connecting via https://cockpit-project.github.io works successfully for that connection, however it automatically redirects the browser to http://cockpit-project.org (non-SSL).

We need to remove and re-add the custom domain to trigger a new cert. I'll do that later today to give DNS a bit more time.

@martinpitt
Member

> We need to remove and re-add the custom domain to trigger a new cert.

I just did that FYI, DNS looks good from here. No immediate effect yet, it might take a while?

@larskarlitski
Contributor

It still didn't work even though DNS returns the right IPs now for me as well. I removed and added the custom domain again.

@martinpitt
Member

Still no valid certificate, so just temporarily removing and adding the custom domain is clearly not working.

@larskarlitski
Contributor

Apparently not. GitHub explicitly mentions this in their docs, though 😞

@garrett
Member Author

garrett commented May 14, 2018

I contacted GitHub support a little earlier this morning, and they just fixed it & responded back. So now we have a proper certificate, and can (probably) flip HTTPS on by default!

@garrett
Member Author

garrett commented May 14, 2018

I just flipped the check on, so it should be enforcing HTTPS now.
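
Added example (not part of the original thread or the project's code): a small offline check showing why the certificate quoted above failed validation for cockpit-project.org while cockpit-project.github.io was accepted, and which A records from the `dig` output were still outside the new set. The SAN line and IP addresses are copied from the comments above; the function names are hypothetical, and hostname matching is simplified to exact names plus a single left-most `*.` wildcard label.

```python
# Added illustration; SAN_LINE and the IP sets are copied from the comments above.
SAN_LINE = ("DNS:www.github.com, DNS:*.github.com, DNS:github.com, "
            "DNS:*.github.io, DNS:github.io, "
            "DNS:*.githubusercontent.com, DNS:githubusercontent.com")
NEW_PAGES_IPS = {"185.199.108.153", "185.199.109.153",
                 "185.199.110.153", "185.199.111.153"}
OLD_DIG_ANSWER = {"192.30.252.154", "192.30.252.153"}


def parse_sans(line):
    """Extract DNS names from an openssl-style 'DNS:a, DNS:b' SAN line."""
    names = []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.lower())
    return names


def san_matches(hostname, san):
    """Exact match, or a '*.' wildcard standing in for exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    first_label, _, rest = host.partition(".")
    return bool(first_label) and rest == san[2:]


def covering_sans(hostname, sans):
    """Return the SAN entries under which a client would accept the hostname."""
    return [san for san in sans if san_matches(hostname, san)]


def stale_a_records(observed, expected=NEW_PAGES_IPS):
    """Return observed A records that are not in the expected set."""
    return sorted(set(observed) - set(expected))


if __name__ == "__main__":
    sans = parse_sans(SAN_LINE)
    for host in ("cockpit-project.org", "cockpit-project.github.io"):
        print(host, "->", covering_sans(host, sans) or "no SAN matches")
    print("stale A records:", stale_a_records(OLD_DIG_ANSWER))
```

An empty result from `covering_sans` for the custom domain means the served certificate is still the shared one, so "Enforce HTTPS" should stay off until a certificate naming the custom domain is being served.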
