GitHub Pages: Generate SSL certificate for www subdomain when a custom domain is set to an apex (and vice versa)

[jakejarvis]

There's a loooooong discussion over at https://github.community/t5/GitHub-Pages/Does-GitHub-Pages-Support-HTTPS-for-www-and-subdomains/td-p/7116 about this — incorrectly marked as "solved," of course.

When setting a custom domain on a GitHub Pages repo to a root domain, like example.com, a Let's Encrypt certificate for it is generated when Enforce HTTPS is enabled (obviously). But there is absolutely no way to have www.example.com redirect to the root/apex domain example.com with a valid SSL certificate as well.

It absolutely sucks having to add yet another service into the mix just to get https://www.example.com to redirect to https://example.com without showing a certificate warning. It seems like a pretty safe assumption that if someone enters an apex domain then they'll want www to mirror it/redirect to it — wanting different content at @ and www is a super rare edge case (and probably accidental if it does occur, to be honest).

Certain domain registrars and/or DNS providers can do this for free (Google Domains, Cloudflare, etc.) but I'd love to keep things consistent re: hosting...and, of course, my personal DNS provider and many others charge extra for this.

Please add www as an alt name on the LE certificate by default if the user inputs an apex domain as the custom domain!

[gotexis]

meanwhile, for a subdomain, e.g.

subdomain.mydomain.com

When pointing this to githubuser.github.io/repo_name, it doesn't seem that the issued SSL cert works for me.

[jakejarvis]

@gotexis Is your CNAME set to githubuser.github.io/repo_name? If so you only need to point it to githubuser.github.io and then GitHub figures out the repo automatically. :)

[gotexis]

Hey thanks for your response. I found out the problem in my case, turn out the cert was not issued yet as it is stated in the settings, so when I visit the site I got the default gitHub cert which is not valid for my custom domain.

I think although this was resolved by simply waiting a bit longer, it is still a bug

[alkisg]

Same here:

• https://epoptes.org = OK, https://www.epoptes.org = wrong certificate.
• https://ltsp.org = OK, https://www.ltsp.org = wrong certificate.

[anwfr]

Same here: https://www.kycp.org = OK, https://kycp.org = KO

[sahilbadyal]

I don't know if its the same issue or not but my certificate expires every 3 months and then it takes 2 months for automatic renewal. This really sucks.
https://sahilbadyal.com

[hlascelles]

Many sites are currently broken (if you come in on the secure www site) because of this. On a github community page a user has pasted a list of "popular websites currently broken websites to demonstrate how pervasive this issue is in practice".

• https://www.commonmark.org/
• https://www.scikit-learn.org/
• https://www.pytorch.org/
• https://www.selenium.dev/
• https://www.rpm.org/
• https://www.webassembly.org/
• https://www.wkhtmltopdf.org/
• https://www.metaflow.org/
• https://trailofbits.com/
• https://www.microservices.io/
• https://www.semver.org/
• https://www.vue-chartjs.org/
• https://www.flutterowl.com/

[samuelkn]

I think, I finally understood the recommendation of github to redirect example.com to www.example.com through DNS server. Through this, you will always land on github through your www. domain and the single SSL certificate for the custom www-domain is sufficient.
In contrary, it has been suggested and widely accepted to redirect the naked domain (example.com) through an A entry to the IPs github. (see https://stackoverflow.com/questions/9082499/custom-domain-for-github-project-pages). If you agree, could someone with enough reputation (I can't) on stackoverflow post this suggestion?
At least, it worked for me like that.