User experience issues with Pages Let's Encrypt integration
I enabled Let's Encrypt on a custom domain for the first time and ran into a number of confusing situations. I'm documenting them here before I forget them.
- Since I was enabling HTTPS, the first thing I did was enable "Force HTTPS", since I wanted my new domain to only be accessible over HTTPS. However, since I already had an existing domain added, this checkbox was disabled. After figuring out why the checkbox was disabled, I removed my existing domains, checked the "Force HTTPS" box, and saved. (This is fixed)

  This turned out to be the wrong decision (see point below); I should have left this checkbox unchecked. It also meant that I had to work through the DNS verification process again when re-adding my domain, which was a little bit painful.
- Unfortunately, in order to enable Let's Encrypt, I had to disable the "Force HTTPS" option. With this option enabled, I got a `Certificate must be present if HTTPS-only is enabled` error message. (This is already fixed)

  I understand the technical reason behind this, but it's unintuitive to disable an HTTPS-related option in order to enable Let's Encrypt.
  - Side note: there are two error messages being shown in the screenshot above; they should probably be separated by a newline or punctuation.
- Once I worked through the issue above, I was able to flip the Let's Encrypt switch. However, after saving, there was no "in progress" message shown anywhere in the UI. Instead, the UI showed Let's Encrypt as enabled but continued to display the HTTP version of my URL as if nothing had happened. After about 5 minutes, the background Let's Encrypt process completed, and the certificate was shown and the URL was displayed with HTTPS.
- After the point above, I checked the HTTPS version of my site, but I ran into a certificate error:

Problems found:

- There was no way to save pages domain with Let's Encrypt enabled if "Force HTTPS" was set to true (Fixed)
- It's very hard to find domain settings (`Project settings -> pages -> domain details (gray button) -> edit button`)

  One of possible solutions:
  - Unify `show/edit` pages (= get rid of "details" page)
  - Don't show fields "certificate/key" to a user, and only allow to tweak "use Let's Encrypt" or "upload new SSL certificate" on the `edit` page. See https://gitlab.com/gitlab-org/gitlab-ce/issues/61752#note_175938958
  - Replace gray `details` button with green `edit` on domains pages:

  That would make the path for editing SSL settings much easier! And will also make security team happier since as discussed in that thread we would like to not show certificates and keys to the user.

  As side effect: we can get rid of Haml and js script in favor of Vue and use API.
- A very long process of obtaining SSL certificate:
  - It takes `2-17 minutes` currently to obtain a certificate from Let's Encrypt (median time `8.5 minutes`)
  - It takes 0-30 minutes for the certificate to be deployed to pages daemon on gitlab.com (Will be fixed by "Virtual Host changes" in &1316 (closed))
- There is no `in-progress` indication for obtaining SSL certificates (`error` notifications are also absent ATM, but we constantly retry process)