User experience issues with Pages Let's Encrypt integration

I enabled Let's Encrypt on a custom domain for the first time and ran into a number of confusing situations. I'm documenting them here before I forget them 😄.

  • Since I was enabling HTTPS, the first thing I did was enable "Force HTTPS", since I wanted my new domain to only be accessible over HTTPS. However, since I already had an existing domain added, this checkbox was disabled. After figuring out why the checkbox was disabled, I removed my existing domains, checked the "Force HTTPS" box, and saved. (This is fixed)
  • This turned out to be the wrong decision (see point below); I should have left this checkbox unchecked. It also meant that I had to work through the DNS verification process again when re-adding my domain, which was a little bit painful.
  • Unfortunately, in order to enable Let's Encrypt, I had to disable the "Force HTTPS" option. With this option enabled, I got a "Certificate must be present if HTTPS-only is enabled" error message (this is already fixed):

Screen_Shot_2019-07-11_at_9.36.45_AM

I understand the technical reason behind this, but it's unintuitive to disable an HTTPS-related option in order to enable Let's Encrypt.

  • Side note: there are two error messages being shown in the screenshot above; they should probably be separated by a newline or punctuation.
  • Once I worked through the issue above, I was able to flip the Let's Encrypt switch. However, after saving, there was no "in progress" message shown anywhere in the UI. Instead, the UI showed Let's Encrypt as enabled but continued to display the HTTP version of my URL as if nothing had happened. After about 5 minutes, the background Let's Encrypt process completed, and the certificate was shown and the URL was displayed with HTTPS.

  • After the point above, I checked the HTTPS version of my site, but I ran into a certificate error:

Screen_Shot_2019-07-11_at_9.44.25_AM

The certificate being served appears to be for *.gitlab.io instead of my custom domain ts-git.nathanfriend.io.

After about 20-30 minutes, this issue resolved itself, and my site was served with a new, valid certificate! 🎉

Screen_Shot_2019-07-11_at_10.24.12_AM

Problems found:

  1. There was no way to save a Pages domain with Let's Encrypt enabled if "Force HTTPS" was set to true (Fixed)

  2. It's very hard to find domain settings (Project settings -> pages -> domain details (gray button) -> edit button)

    One of the possible solutions:
    1. Unify show/edit pages (= get rid of "details" page)
    2. Don't show fields "certificate/key" to a user, and only allow to tweak "use Let's Encrypt" or "upload new SSL certificate" on the edit page. See https://gitlab.com/gitlab-org/gitlab-ce/issues/61752#note_175938958
    3. Replace gray details button with green edit on domains pages: Screenshot_2019-07-12_at_17.46.32

    That would make the path for editing SSL settings much easier! It will also make the security team happier since, as discussed in that thread, we would like to not show certificates and keys to the user.

    As a side effect, we can get rid of the Haml and JS script in favor of Vue and use the API.

  3. A very long process of obtaining an SSL certificate:

    1. It takes 2-17 minutes currently to obtain a certificate from Let's Encrypt (median time 8.5 minutes)
    2. It takes 0-30 minutes for the certificate to be deployed to the Pages daemon on gitlab.com (will be fixed by "Virtual Host changes" in &1316 (closed))
  4. There is no in-progress indication for obtaining SSL certificates (error notifications are also absent ATM, but we constantly retry the process)

Edited by Vladimir Shushlin