HTTPS and GitHub and Me

By Tracy Roesler


There are a lot of different ways to host a website. You can run it locally on a server. You can buy Amazon servers. You can use a service like WordPress or SquareSpace and not worry about where the servers are. If you are using a static site, you can actually leverage Amazon S3 buckets, which I think is neat. My website is a static site that is hosted as a GitHub Page, which is then routed through a custom domain that I own.

I purchased the custom domain through a website that OFFERS to create your own pages for you, but I was too cheap for the service. So I went this way. Unfortunately, as a matter of the service I used + GitHub, I was unable to secure the site via HTTPS.

Until now.

Honestly, it seems kind of ridiculous that a site like mine even NEEDS to be served over HTTPS. With the exception of an email address, there’s nothing else to enter. I take no information from you, and I give only slightly more than that. However, Google marks you down in their search engine if your site is not secure, and just recently they announced they’re going to make your website look even more suspicious with a glaring red “Not secure” label in a few short months.

Luckily, GitHub came to my rescue by partnering with Let’s Encrypt to support HTTPS for custom domains (as you may have noticed, my webpage is now a shiny https://techlady.ninja).

GitHub’s documentation on the process is pretty good, but not located all in one place, so I figured I’d do a quick summation, based on a few of their help pages – but put it all in one location.

STEP 1: DNS CONFIGURATION

You need to update your DNS settings wherever you own your domain, as detailed here. If all you’re using is a CNAME, you should be set. If you’re using an A record, you’ll need to update it to point to one of the following IP addresses:

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

For some reason, I have both a CNAME and an A record. I’m pretty sure it’s because I had a difficult time getting the routing to work correctly initially so I just tried everything and then it was working so I didn’t want to touch it. (Also, my domain provider is stupid, or I’m stupid so straight CNAME wasn’t working).

STEP 2: CUSTOM DOMAIN UPDATING

Remove and re-add your custom domain on GitHub, as detailed here. I think you have to do this even if you just have a CNAME if your GitHub page is already in use. It was the only way I could get it to trigger the creation of my certificate. It’s a pretty simple process, and can be found at https://github.com/USERNAME/USERNAME.github.io/settings .

STEP 3: WAIT

Once you’ve done that, if you look at the “Enforce HTTPS” button just below that, you’ll probably see a message along the lines of “HTTPS cannot be enforced because the certificate has not been issued”. I thought my certificate would be issued within 24 hours. After 3 days, I bit the bullet and emailed GitHub support. The guy responded REALLY quickly and helped to push things along.

STEP 4: UPDATE YOUR CODE

Once I followed steps 1 and 2, I was able to see content at HTTPS! Victory! Except… the formatting was all wrong. Things were not pretty on HTTPS. Because I serve a static site, I had to go into my config.yml file and update my URL to point to the new, secure techlady.ninja. If your website is more involved than mine, you may need to update some of your JS/CSS.

After checking in the change and waiting a few minutes, techlady.ninja looked all better!
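The broken formatting in Step 4 is what happens when an HTTPS page still references its stylesheets or scripts over plain http://: browsers block that active mixed content. The following is an added example, not code from the original post, that scans a rendered page for such leftover references before you turn on enforcement. The host example.test and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is deliberately absent.
SUBRESOURCE_ATTR = {"script": "src", "iframe": "src", "link": "href",
                    "img": "src", "audio": "src", "video": "src", "source": "src"}
# Active content is blocked on an HTTPS page; this is what breaks styling.
ACTIVE_TAGS = {"script", "iframe", "link"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(SUBRESOURCE_ATTR.get(tag))  # None for untracked tags
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # canonical/alternate links are metadata, not fetched content
        # urljoin resolves relative and protocol-relative (//host/x) URLs the
        # way the browser would, so only explicit http:// references remain.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, resolved))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a page generated while the site url was still http://.
SAMPLE_HTML = """
<link rel="canonical" href="http://example.test/post/">
<link rel="stylesheet" href="http://example.test/assets/main.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="/assets/site.js"></script>
<img src="http://example.test/images/header.jpg">
<a href="http://example.test/about/">About</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://example.test/post/"):
        print(f"{kind:8} <{tag}> {url}")
```

An empty result for every page of the generated site is a reasonable gate before ticking the enforcement box in Step 5.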

STEP 5: ENFORCEMENT

Enforce HTTPS, as detailed here. It’s really just a simple check box back over on your settings side. I find it’s best not to enforce HTTPS until your site is looking like you want it to at that URL. Best not to scare the visitors away.

And that’s it! It’s pretty simple, and I’m so grateful to GitHub for making this happen, because it helps me be lazy. It also keeps GitHub Pages as a great solution for your individual websites, even with a custom domain.

Happy securing!
