05 May 2018

Migrating plain-http Github-Pages to https

Since early May 2018, Github allows https for github-pages with custom domains, which was a longstanding requirement of many users. It was made possible by a cooperation between Github and LetsEncrypt. I'm operating a few sites via github pages; so far all of those lacked https (aim42.org, docs.arc42.org, faq.arc42.org, patterns.arc42.org, venom-story.org, esabuch.de).

Github Pages with custom domains

Up to now, the procedure to serve these sites via Github with a custom domain was the following:
  1. create an A-record in the domain provider's DNS (that's independent of Github) containing Github's IP addresses (they provided two different addresses for availability / scalability reasons)
  2. create a CNAME file in the Github repo containing the domain name in uppercase (oftentimes that was created automatically by the appropriate Github repository settings dialogue).
  3. commit, push and done.

How to Migrate to https

To migrate this to the new https system, follow these steps:
  1. change the DNS A-record(s) at your domain provider to the new Github https addresses (now they provide four different IPs instead of the previous two) - e.g. 185.199.108.153, 185.199.109.153 etc.
  2. Remove the old CNAME file from your repository, commit and push this deletion to Github.
  3. Open the Github repository settings page and manually enter the domain name.
  4. Wait a few minutes until your certificate is generated - this happens in the background, invisible to you.
  5. If you're using Jekyll to generate your site, it's a good idea to change your _config.yml configuration from "http://yourdomain" to "https://yourdomain". That's not absolutely required, but will ensure that Jekyll will use the more secure https protocol for all cross-references on your site.
  6. Now you can check the "enforce https" checkbox, which was disabled until this very last step.
That's it. Thanx again Github for making this possible!
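
A post-migration check for steps 1 and 6, added here as an example (not part of the original post): it compares a domain's A records against the new Github addresses and confirms that plain http redirects to https. The last two addresses in the set are assumed from Github's documentation; the post only quotes the first two.

```python
import http.client
import socket
import sys
from urllib.parse import urlsplit

# A-record addresses for GitHub Pages https. The first two are quoted in the
# post; the last two are assumed from GitHub's documentation.
PAGES_HTTPS_IPS = frozenset({
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
})

def resolve_a(domain):
    """Return the IPv4 addresses the domain currently resolves to."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def audit_a_records(addresses):
    """Split resolved addresses into migrated ones and stale leftovers."""
    found = set(addresses)
    migrated = sorted(found & PAGES_HTTPS_IPS)
    stale = sorted(found - PAGES_HTTPS_IPS)
    # A stale address is a leftover from the pre-migration DNS setup (step 1).
    return {"migrated": migrated, "stale": stale,
            "ok": bool(migrated) and not stale}

def redirect_enforced(status, location, domain):
    """True if a plain-http response redirects to https on the same host."""
    target = urlsplit(location or "")
    # Compare the parsed hostname, not a string prefix, so a redirect to
    # https://<domain>.other.example is not mistaken for the site itself.
    return (status in (301, 302, 307, 308) and target.scheme == "https"
            and target.hostname == domain.lower())

def probe_http(domain):
    """HEAD http://domain/ without following redirects."""
    conn = http.client.HTTPConnection(domain, 80, timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

if __name__ == "__main__":
    site = sys.argv[1]  # your custom domain, passed on the command line
    print("DNS:", audit_a_records(resolve_a(site)))
    print("https enforced:", redirect_enforced(*probe_http(site), site))
```

Run it with the custom domain as the only argument once the "enforce https" box is checked; a non-empty "stale" list means an old A-record is still published.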

Appendix: Why should I do that?

As of July 2018 (with the release of Chrome v68), Google will clearly mark plain-http sites as insecure. See their announcement. Computerworld has written up a few arguments (speed being one of them). Some sources (this one, for example) claim that search engines (especially Google) favour https over http, so your page rank might decrease (!) if you stick with http much longer.