@kyanny's blog

My thoughts, my life. Views/opinions are my own.

The TLS certificate for a GitHub Pages custom domain is issued by Let's Encrypt

Reference: docs.github.com

Before a custom domain is added, the HTTPS site published on the repository's unique subdomain is served with a DigiCert certificate.

Example: https://automatic-adventure-k6ywp91.pages.github.io/

❯ echo | openssl s_client -connect "automatic-adventure-k6ywp91.pages.github.io:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.pages.github.io
verify return:1
DONE
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.pages.github.io
X509v3 Subject Alternative Name:
    DNS:*.pages.github.io, DNS:pages.github.io

Once the custom domain is registered and its verification completes, a certificate for the custom domain is issued and replaces the shared one. This behavior is described in the troubleshooting section on certificate provisioning (the "Certificate not yet created" error).

While the certificate is being issued, the web interface shows a progress message. Step 2/3 flashed by too quickly to read, so I don't know what that message says.

Until the new certificate is actually applied, the server keeps presenting the shared *.github.io certificate, so the site's hostname (domain) does not match the certificate and clients rightly fail hostname verification.

Example: https://expert-octo-palm-tree.kyanny.work/

❯ echo | openssl s_client -connect "expert-octo-palm-tree.kyanny.work:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
verify return:1
DONE
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
X509v3 Subject Alternative Name:
    DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com
❯ curl -v https://expert-octo-palm-tree.kyanny.work/
*   Trying 185.199.111.153:443...
* Connected to expert-octo-palm-tree.kyanny.work (185.199.111.153) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
*  start date: Feb 21 00:00:00 2023 GMT
*  expire date: Mar 20 23:59:59 2024 GMT
*  subjectAltName does not match expert-octo-palm-tree.kyanny.work
* SSL: no alternative certificate subject name matches target host name 'expert-octo-palm-tree.kyanny.work'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'expert-octo-palm-tree.kyanny.work'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

After a few minutes the certificate is swapped for one issued to the custom domain, and the site becomes reachable normally.

❯ echo | openssl s_client -connect "expert-octo-palm-tree.kyanny.work:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = expert-octo-palm-tree.kyanny.work
verify return:1
DONE
issuer=C = US, O = Let's Encrypt, CN = R3
subject=CN = expert-octo-palm-tree.kyanny.work
X509v3 Subject Alternative Name:
    DNS:expert-octo-palm-tree.kyanny.work
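The manual checks above (openssl s_client, then eyeballing the SAN list) can be turned into a script that polls the custom domain until the served certificate actually covers it. The following is an added example, not code from the original post or from GitHub; it reuses the same openssl pipeline, adds an explicit -servername so SNI is sent regardless of the openssl version, and implements the hostname-to-SAN matching itself (exact match, or a wildcard as the whole leftmost label covering exactly one label). The SAN extension text embedded in the script is constructed to mirror the interim *.github.io certificate shown above, so the decision logic runs offline; the live poll only runs when PAGES_DOMAIN is set.

```shell
#!/usr/bin/env bash
# Added example (not the post's or GitHub's code): decide whether a GitHub Pages
# custom domain is served with a certificate that covers it yet. The openssl
# pipeline is the one used in the post; the SAN matching and polling are ours.

# Pull DNS names out of `openssl x509 -noout -ext subjectAltName` output (stdin),
# one per line. The input looks like:
#   X509v3 Subject Alternative Name:
#       DNS:*.github.io, DNS:github.io, ...
san_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Exit 0 if SAN entry $2 covers hostname $1 (case-insensitive). A wildcard is
# honoured only as the whole leftmost label and matches exactly one label, so
# "*.github.io" covers "foo.github.io" but neither "github.io" nor "a.b.github.io".
san_covers() {
  local host san suffix
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    '*.'*)
      suffix=${san#\*.}
      case "$host" in
        *.*)
          [ -n "${host%%.*}" ] && [ "${host#*.}" = "$suffix" ] && return 0
          ;;
      esac
      return 1
      ;;
    *)
      [ "$host" = "$san" ] && return 0
      return 1
      ;;
  esac
}

# Print "yes" if any name in the newline-separated list $2 covers host $1, else "no".
host_covered() {
  local host=$1 san
  while IFS= read -r san; do
    [ -n "$san" ] || continue
    if san_covers "$host" "$san"; then
      echo yes
      return 0
    fi
  done <<EOF
$2
EOF
  echo no
}

# Live check (needs network): fetch the leaf certificate as in the post, with
# SNI sent explicitly, and report whether its SANs cover the domain.
pages_cert_covers() {
  local domain=$1 sans
  sans=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
    | awk '/BEGIN/,/END/' \
    | openssl x509 -noout -ext subjectAltName \
    | san_names)
  host_covered "$domain" "$sans"
}

# Poll until the custom domain has its own certificate: by default up to 20
# tries 30 s apart, roughly the "few minutes" observed in the post.
wait_for_cert() {
  local domain=$1 tries=${2:-20}
  while [ "$tries" -gt 0 ]; do
    if [ "$(pages_cert_covers "$domain")" = yes ]; then
      echo "certificate for $domain is live"
      return 0
    fi
    echo "served certificate does not cover $domain yet; waiting..." >&2
    tries=$((tries - 1))
    sleep 30
  done
  return 1
}

# Constructed sample mirroring the SAN extension of the interim *.github.io
# certificate shown in the post (not captured from a live server here).
sample_san_ext='X509v3 Subject Alternative Name:
    DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com'

# Offline verdict for a hostname against the constructed sample.
verdict_for() {
  host_covered "$1" "$(printf '%s\n' "$sample_san_ext" | san_names)"
}

echo "expert-octo-palm-tree.kyanny.work covered by interim cert: $(verdict_for expert-octo-palm-tree.kyanny.work)"
echo "foo.github.io covered by interim cert: $(verdict_for foo.github.io)"

# Live poll only when asked for, e.g.:
#   PAGES_DOMAIN=expert-octo-palm-tree.kyanny.work bash check-pages-cert.sh
[ -z "${PAGES_DOMAIN:-}" ] || wait_for_cert "$PAGES_DOMAIN"
```

The matcher deliberately implements only the single-label wildcard rule; it does not handle IP-address SANs or IDNA, which a GitHub Pages custom domain does not need. The exit status of wait_for_cert makes it usable as a gate in a deployment script: a non-zero result means the domain is still being served with a certificate that browsers will reject.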