No HTTPS support

[konklone]

https://code.mil presents a certificate warning saying that it's not valid for the correct hostname, since GitHub Pages doesn't support HTTPS for custom domains.

Code.mil should terminate TLS separately, and either proxy from there to GitHub Pages (in the clear, but at least not part of user connections), or host the content yourselves. It's not like you're hosting an often-changing piece of content -- it's just a redirect instruction.

(You could probably set up a cloud.gov account pretty quickly if you wanted to, which supports automatic HTTPS for custom domains, but this isn't meant as a product pitch. HTTPS is just important.)

[BrandonBouier]

Thanks for the input! We'll take a look at it.

[tomberek]

@konklone : cloud.gov seems to work well: http://dds-codemil.app.cloud.gov and https://dds-codemil.app.cloud.gov

I've also been looking at the cloudflare, but I'm not sure what the rules are for that.

[seanenck]

the cloudflare that just had a huge leak that is a big deal unless you believe the company that just massively screwed up that everything is rainbows and happiness? I mean, I would hope that wouldn't be in the running here.

[konklone]

I would still happily recommend CloudFlare to federal agencies. Their response was solid and they have a great track record of security.

However, proxying from CloudFlare to the origin in cleartext is un-ideal, so direct hosting would be better.

[andrewgdunn]

might not want to forcibly design in a MITM, even if it solves and immediate problem it can lead to issues down the road.

edit: the DoD also has their own CA. It's not really the best way to garner support from the upstream community and I'd recommend against using it. A legitimate options would be seeking LE certs, but you'd have to have a termination endpoint someplace (that wasn't github).

[jordangov]

This is obviously a really old issue, but just as an FYI, we haven't lost site of this, but it's not going to happen for the current redirect. We're targeting this for the launch of the full code.ml website (soon ish).

[konklone]

👍 As a note, DoD recently authorized the use of DV commercial certificates, which could make it easier to obtain a quick-and-dirty cert and get it in place.

[jordangov]

Yep, we're working with the policy folks to make this a reality. Not quite there yet, but close (we think).

[lukefretwell]

Go @konklone! :-)

Any update on resolving this?

[konklone]

Note -- Let's Encrypt now supports .mil certificates:
letsencrypt/boulder@dae0e4e

You can see one in action already by the Navy (through a GSA shared service, Search.gov, that issues them for custom domains):

https://search.navy.mil/search?query=boats&btnG=%C2%A0&utf8=%E2%9C%93&affiliate=navy_all

[hlieberman-gov]

Yup — also live on code.mil. -- Harlan Lieberman-Berg Defense Digital Service

[konklone]

@hlieberman-gov I don't see it on my phone - is it only on code.mil but not www.code.mil?

[konklone]

To answer my own question, it looks like yes - the only cert for code.mil lacks the www SAN: https://crt.sh/?id=326566888

[jordangov]

This. Is. Live.

HTTPS://code.mil
(and HTTPS://www.code.mil)

Big thanks to @hlieberman-gov.

[konklone]

Congrats, all! 🎉