Automatic Certificate Management with Let's Encrypt applies *.gitlab.io certificate during setup
Summary
When GitLab is applying a Let's Encrypt certificate with the new Automatic Certificate Management in 12.1, in the interim while the certificate is being created, the *.gitlab.io certificate is applied to the custom domain, causing security warnings in the user's browser.
Steps to reproduce
- Create a GitLab Page with a custom domain, custom-domain.com.
- Once all the requirements at "GitLab Pages integration with Let's Encrypt" are met, toggle "Automatic certificate management using Let’s Encrypt": https://gitlab.com/[project-page]/pages/domains/[page-name]
- Before the certificate is created, access the custom domain with https: https://custom-domain.com. A warning appears about an issue with the certificate. A 'standard' *.gitlab.io certificate is applied to the custom domain.
What is the current bug behavior?
The *.gitlab.io certificate is applied to a custom domain, causing security warnings on the user's browser.
What is the expected correct behavior?
During the time before the Let's Encrypt certificate is applied to the custom domain, the https weblinks should be redirected to http.
Possible fixes
When the user requests a Let's Encrypt certificate, nothing should change until the certificate is received. Once the certificate is received, the system can then start to apply the required changes to implement https.
Notes
I do not know whether, if the user tries https://custom-domain.com before requesting a Let's Encrypt certificate, GitLab will apply the *.gitlab.io certificate to the custom domain or redirect to http.
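
A check for the mismatch this report describes, as an added example that is not part of the original issue or GitLab's code: it applies RFC 6125-style name matching to show why a *.gitlab.io certificate fails for a custom domain, and includes a live probe that reports what a strict TLS client sees. The function names and the sample SAN list are assumptions constructed for illustration.

```python
import socket
import ssl

# Constructed sample: DNS names a shared platform certificate might carry.
PLATFORM_SANS = ["*.gitlab.io", "gitlab.io"]


def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' may only be the entire left-most label,
    stands for exactly one label, and is rejected directly under a TLD."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, dns_sans):
    """True if any DNS subjectAltName entry is valid for hostname."""
    return any(san_matches(hostname, p) for p in dns_sans)


def probe(hostname, port=443, timeout=5.0):
    """Connect the way a browser would (full chain and name verification).
    Returns ("ok", [DNS SANs]) or ("cert-error", reason from the TLS stack)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
                return "ok", [v for k, v in sans if k == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        return "cert-error", exc.verify_message


if __name__ == "__main__":
    # Offline demonstration with the constructed SAN list above.
    for name in ("project.gitlab.io", "custom-domain.com"):
        print(name, "covered by platform cert:", cert_covers(name, PLATFORM_SANS))
    # For a live check of a domain you operate: print(probe("custom-domain.com"))
```

Running `probe` against the custom domain while the Let's Encrypt certificate is still pending would return `"cert-error"` if the behavior in this report occurs, and `"ok"` with the custom domain among the SANs once issuance completes.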