GitHub Pages: Generate SSL certificate for www subdomain when a custom domain is set to an apex (and vice versa)

[jakejarvis]

There's a loooooong discussion over at https://github.community/t5/GitHub-Pages/Does-GitHub-Pages-Support-HTTPS-for-www-and-subdomains/td-p/7116 about this — incorrectly marked as "solved," of course.

When setting a custom domain on a GitHub Pages repo to a root domain, like example.com, a Let's Encrypt certificate for it is generated when Enforce HTTPS is enabled (obviously). But there is absolutely no way to have www.example.com redirect to the root/apex domain example.com with a valid SSL certificate as well.

It absolutely sucks having to add yet another service into the mix just to get https://www.example.com to redirect to https://example.com without showing a certificate warning. It seems like a pretty safe assumption that if someone enters an apex domain then they'll want www to mirror it/redirect to it — wanting different content at @ and www is a super rare edge case (and probably accidental if it does occur, to be honest).

Certain domain registrars and/or DNS providers can do this for free (Google Domains, Cloudflare, etc.) but I'd love to keep things consistent re: hosting...and, of course, my personal DNS provider and many others charge extra for this.

Please add www as an alt name on the LE certificate by default if the user inputs an apex domain as the custom domain!

[gotexis]

meanwhile, for a subdomain, e.g.

subdomain.mydomain.com

When pointing this to githubuser.github.io/repo_name, it doesn't seem that the issued SSL cert works for me.

[jakejarvis]

@gotexis Is your CNAME set to githubuser.github.io/repo_name? If so you only need to point it to githubuser.github.io and then GitHub figures out the repo automatically. :)

[gotexis]

Hey thanks for your response. I found out the problem in my case, turn out the cert was not issued yet as it is stated in the settings, so when I visit the site I got the default gitHub cert which is not valid for my custom domain.

I think although this was resolved by simply waiting a bit longer, it is still a bug

[alkisg]

Same here:

• https://epoptes.org = OK, https://www.epoptes.org = wrong certificate.
• https://ltsp.org = OK, https://www.ltsp.org = wrong certificate.

[anwfr]

Same here: https://www.kycp.org = OK, https://kycp.org = KO

[sahilbadyal]

I don't know if its the same issue or not but my certificate expires every 3 months and then it takes 2 months for automatic renewal. This really sucks.
https://sahilbadyal.com

[hlascelles]

Many sites are currently broken (if you come in on the secure www site) because of this. On a github community page a user has pasted a list of "popular websites currently broken websites to demonstrate how pervasive this issue is in practice".

• https://www.commonmark.org/
• https://www.scikit-learn.org/
• https://www.pytorch.org/
• https://www.selenium.dev/
• https://www.rpm.org/
• https://www.webassembly.org/
• https://www.wkhtmltopdf.org/
• https://www.metaflow.org/
• https://trailofbits.com/
• https://www.microservices.io/
• https://www.semver.org/
• https://www.vue-chartjs.org/
• https://www.flutterowl.com/

[samuelkn]

I think, I finally understood the recommendation of github to redirect example.com to www.example.com through DNS server. Through this, you will always land on github through your www. domain and the single SSL certificate for the custom www-domain is sufficient.
In contrary, it has been suggested and widely accepted to redirect the naked domain (example.com) through an A entry to the IPs github. (see https://stackoverflow.com/questions/9082499/custom-domain-for-github-project-pages). If you agree, could someone with enough reputation (I can't) on stackoverflow post this suggestion?
At least, it worked for me like that.

[JulioV]

Since I was building my site with GA actions, I ended up deploying my ghpages branch with Netlify, zero issues with the SSL certificates and the apex and www domain

[dpwiese]

Agreed on the importance of this request! ☝️

Regarding solutions given this limitation...

Certain domain registrars and/or DNS providers can do this for free (Google Domains, Cloudflare, etc.) but I'd love to keep things consistent re: hosting...and, of course, my personal DNS provider and many others charge extra for this.

To the extent that it's helpful to others, the configuration using Google Domains DNS is via a synthetic record:

It's perhaps not the ideal solution, but with this configuration anyone navigating to the www subdomain will get redirected to the apex, with its SSL certificate via Github pages. This has been an acceptable solution in this case, but not ideal. I hope others may find this useful.

[alimony]

I got this from the GitHub support team today:

There is good news, though: our Pages engineering team has made this a priority issue and is actually working to solve it as we speak. I don't have an ETA for when this will be done, but keep an eye on the Changelog for updates about our ability to issue both certificates for a domain in the hopefully near future.

[joaoportela]

From their documentation:

«If you are using an apex domain as your custom domain, we recommend also setting up a www subdomain. If you configure the correct records for each domain type through your DNS provider, GitHub Pages will automatically create redirects between the domains. For example, if you configure www.example.com as your custom domain for your site, and you have ALIAS and CNAME records set up for the apex and www domains, then example.com will redirect to www.example.com. For more information, see "Managing a custom domain for your GitHub Pages site."»

They recommend doing things like this but it only works without HTTPS. :(

[danilo-znamerovszkij]

https://gist.github.com/amingilani/332f3b5102f65a63719b2b4578b50108

The easiest way is to do it through Cloudflare

[joaoportela]

I ended up going with an alternative solution to danilo, which some might consider simpler.

What we know is:

• Having www.example.com and example.com pointing to github.io works fine without https
• If I enable https on github settings for example.com it breaks www.example.com

To solve this issue, what I did was enable http proxy on cloudflare for www.example.com only. And enable https on cloudflare.
This way, I don't need any rewrite rules or anything.

If I got to www.example.com it will serve the github response (that would otherwise have an invalid cert) that redirects to example.com, which was already working as expected.

It is a bit odd to have www.example.com and example.com using different certificates from different certificate authorities, but it isn't a problem.

[lubo]

From GitHub Pages can now automatically secure the www variant of your custom domain:

When configuring a custom domain for your GitHub Pages site, we will now automatically request a certificate for both the Apex and www subdomain of that custom domain if DNS is configured appropriately.

Has anyone had a chance to test it out on an existing site?

[SVilgelm]

@lubo yes, it works. I configured www as CNAME in DNS with svilgelm.github.io and now the url https://www.vilgelm.com works fine

[TheBoneJarmer]

@lubo yes, it works. I configured www as CNAME in DNS with svilgelm.github.io and now the url https://www.vilgelm.com works fine

Did you literally configured it around the time you wrote your comment? Because I still see a warning page in Firefox but that may be because DNS changes have not been propagated yet. In any case, glad they fixed it. Although I already hosted my site elsewhere, it if turns out this works I may switch.

[SVilgelm]

Did you literally configured it around the time you wrote your comment?

I actually changed it yesterday

[TheBoneJarmer]

Hmm.. Than it should have been updated. I mean, I know it said that DNS changes take 24h to propagate but in practice it happens often faster. As I never visited your website before I doubt it is a cache thing. And I'm curtain as I just installed a now OS yesterday.

[alimony]

I went to my Pages settings (the new page described in the blog post) and saw a series of dialogues telling me a new certificate was being generated:

After a little while it was done, and then waiting ten more minutes or so, it now looks like it works! I can go e.g. to my website using www: https://www.scifiagenda.com/ which redirects to the apex version. Inspecting the certificate I can confirm both www and apex are included in the cert:

It seems like going to the same settings page for my other website triggers that same process.

[SVilgelm]

hmmm, I see the issue in google chrome, changed the www to A type with same IPs as for apex, will see

[alimony]

Per the documentation, and what worked for me, is using CNAME for www and pointing it at username.github.io. In other words, exactly how you had configured it before.

[SVilgelm]

yep, but it didn't work when I changed it yesterday.
Now when I changed to A I saw same message

I think the script didn't work yesterday or was overloaded, but when I changed the dns settings today, GitHub was able to see the changes and generated the certificates.

But now I see this warning:

will changed the DNS back to CNAME

[lubo]

I've just tried it myself and it works. After changing the DNS record for my apex domain, all I had to do was to access Pages settings, where the change in DNS was detected and the message captured by @alimony was displayed. However, the message was not being displayed after refreshing the settings page. Nevertheless, it took just under 10 minutes since seeing that message.

I think this can be closed as fixed.

[SVilgelm]

yep, can be closed

[TheBoneJarmer]

Hey @SVilgelm, I can see your website now. Well done!

[danmana]

Can confirm it works, you just have to be a bit patient after making the changes.

1. I added a CNAME record for www pointing at fxbits.github.io

2. Wait 10-15 minutes for Github to detect the change (I tried enabling/disabling Enforce HTTPS but it didn't seem to have any effect)

3. Once Github detects the change, wait 5-10 minutes to finish generating the certificate
   

4. Wait 10-15 minutes for the certificate to be applied

All in all, it took about 30 min.
Finally, it works https://www.fxbits.io redirects correctly to https://fxbits.io

[yoannchaudet]

Don't hesitate to ping us (the Pages team) at https://github.community/c/github-help/github-pages if you run into issues setting up www variant for a custom domain. This feature shipped recently and we have been doing some work on the backend to smooth things over further.