Before a custom domain is added, the HTTPS site published on its unique subdomain uses a DigiCert certificate.
Example: https://automatic-adventure-k6ywp91.pages.github.io/
❯ echo | openssl s_client -connect "automatic-adventure-k6ywp91.pages.github.io:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.pages.github.io
verify return:1
DONE
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.pages.github.io
X509v3 Subject Alternative Name:
    DNS:*.pages.github.io, DNS:pages.github.io
Once a custom domain is registered and its verification completes, a certificate for the custom domain is issued and replaces the DigiCert one. This behavior is described in the troubleshooting guide for certificate provisioning (the "Certificate not yet created" error).
While the certificate is being issued, the web interface shows messages like this. Steps 2/3 went by too quickly to see, so I don't know what those messages say.
Until the certificate is actually applied, the site's host name (domain) does not match the contents of the certificate being served, so naturally you get a TLS error.
Example: https://expert-octo-palm-tree.kyanny.work/
❯ echo | openssl s_client -connect "expert-octo-palm-tree.kyanny.work:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
verify return:1
DONE
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
X509v3 Subject Alternative Name:
    DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com
❯ curl -v https://expert-octo-palm-tree.kyanny.work/
*   Trying 185.199.111.153:443...
* Connected to expert-octo-palm-tree.kyanny.work (185.199.111.153) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
*  start date: Feb 21 00:00:00 2023 GMT
*  expire date: Mar 20 23:59:59 2024 GMT
*  subjectAltName does not match expert-octo-palm-tree.kyanny.work
* SSL: no alternative certificate subject name matches target host name 'expert-octo-palm-tree.kyanny.work'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'expert-octo-palm-tree.kyanny.work'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
After a few minutes the certificate is swapped for one issued to the custom domain (by Let's Encrypt), and the site can be accessed normally.
❯ echo | openssl s_client -connect "expert-octo-palm-tree.kyanny.work:443" | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer -subject -ext subjectAltName
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = expert-octo-palm-tree.kyanny.work
verify return:1
DONE
issuer=C = US, O = Let's Encrypt, CN = R3
subject=CN = expert-octo-palm-tree.kyanny.work
X509v3 Subject Alternative Name:
    DNS:expert-octo-palm-tree.kyanny.work
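As an added example that is not part of the original post, the POSIX sh script below automates the check done by hand above: it fetches the leaf certificate with the same openssl pipeline and reports whether its SAN list covers the host name, so the switch from GitHub's wildcard certificate to the per-domain one can be polled rather than eyeballed. The wildcard rule it applies (a leading "*." matches exactly one label) is an assumption taken from standard TLS host-name matching, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# san_matches HOST SAN_TEXT
#   SAN_TEXT is the "DNS:a, DNS:*.b" list printed by `openssl x509 -ext subjectAltName`.
#   Returns 0 when HOST is covered: either an exact DNS entry, or a "*." entry whose
#   remainder equals HOST with its leftmost label removed (wildcard covers one label only).
san_matches() {
  host=$1
  while IFS= read -r san; do
    case $san in
      '') ;;                                   # skip blank lines
      \*.*)                                    # wildcard entry
        parent=${host#*.}                      # host minus its first label
        if [ "$parent" != "$host" ] && [ "$parent" = "${san#\*.}" ]; then
          return 0
        fi
        ;;
      *)                                       # plain entry: exact match only
        [ "$san" = "$host" ] && return 0
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://')
EOF
  return 1
}

# check_host HOST
#   Live check (needs network): fetch the served leaf certificate with the post's
#   pipeline, print its issuer, and flag the fallback *.github.io certificate that
#   GitHub Pages serves before the custom-domain certificate is provisioned.
check_host() {
  host=$1
  cert=$(echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
         | awk '/BEGIN/,/END/')
  issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
  san=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName | sed 1d)
  if san_matches "$host" "$san"; then
    echo "$host: certificate covers host ($issuer)"
  else
    echo "$host: SAN MISMATCH, certificate not yet provisioned ($issuer; SAN:$san)"
    return 1
  fi
}
```

Run `check_host expert-octo-palm-tree.kyanny.work` in a loop to watch the mismatch clear once the Let's Encrypt certificate is installed.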