hotosm / learnosm

LearnOSM.org content, Jekyll layouts & issue tracking. This repository is dedicated to helping people learn how to map in OpenStreetMap (OSM) and use many of the software and tools in the OSM community.
http://learnosm.org
MIT License

site should be served over https and not http - some web browsers will not (soon or now) allow access to insecure sites. #555

Closed Nick-Tallguy closed 6 years ago

Nick-Tallguy commented 6 years ago

https://help.github.com/articles/securing-your-github-pages-site-with-https/ provides simple instructions on how to update the site.

The staging site at https://github.com/Nick-Tallguy/Nick-Tallguy.github.io has been checked, and the files in the layouts folder now all refer to https.

michael63-osm commented 6 years ago

We have a DNS issue here.

from the GitHub documentation:

DNS record doesn't point to GitHub's server

In order to serve the Page, your DNS records must point to GitHub's server. To confirm that your custom domain points to GitHub's servers, use the dig command with your custom domain. The dig command shows you where your custom domain points. For example:

dig example.com +nostats +nocomments +nocmd
example.com. 3600 IN A 185.199.108.153

In the example above, example.com points to the IP address 185.199.108.153.

If you configured A records through your DNS provider, your A records must point your custom domain to the following IP addresses:

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

Notes:

This is true for the staging site where https works perfectly

mh:~> dig nick-tallguy.github.io +nostats +nocomments +nocmd

; <<>> DiG 9.10.3-P4-Ubuntu <<>> nick-tallguy.github.io +nostats +nocomments +nocmd
;; global options: +cmd
;nick-tallguy.github.io.                IN      A
nick-tallguy.github.io. 3203    IN      CNAME   sni.github.map.fastly.net.
sni.github.map.fastly.net. 293  IN      A       185.199.111.153
sni.github.map.fastly.net. 293  IN      A       185.199.108.153
sni.github.map.fastly.net. 293  IN      A       185.199.109.153
sni.github.map.fastly.net. 293  IN      A       185.199.110.153

You may see a different IP address, since we serve Pages with a global Content Delivery Network. Use dig username.github.io to see the full resolution path. Note that DNS caching may cause a delay.

If you're using an A record that points to 192.30.252.153 or 192.30.252.154, you'll need to update your DNS settings for your site to be available over HTTPS or served with a Content Delivery Network. For more information, see "HTTPS errors."

This unfortunately applies to our main site

mh:~> dig learnosm.org +nostats +nocomments +nocmd

; <<>> DiG 9.10.3-P4-Ubuntu <<>> learnosm.org +nostats +nocomments +nocmd
;; global options: +cmd
;learnosm.org.                  IN      A
learnosm.org.           300     IN      A       192.30.252.153

Whoever administers our domain must first change this setting. @smit1678 can you help us here?
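A small check for the DNS condition described in this comment, added here as an example (it is not part of the thread or of the learnosm project): it parses dig answer lines like the ones above and reports whether a domain's A records are the four current GitHub Pages addresses, the legacy 192.30.252.x address that blocks HTTPS, or something else. The function and status names are my own; the sample inputs are copied from the dig output in this comment.

```python
import re
import socket
# Current GitHub Pages A-record addresses, as quoted from the GitHub docs above.
GITHUB_PAGES_IPS = {"185.199.108.153", "185.199.109.153",
                    "185.199.110.153", "185.199.111.153"}
# Legacy addresses the docs say cannot be served over HTTPS or via the CDN.
LEGACY_GITHUB_IPS = {"192.30.252.153", "192.30.252.154"}

# Matches answer lines such as "learnosm.org.  300  IN  A  192.30.252.153";
# comment lines (";") and CNAME lines do not match and are skipped.
DIG_A_LINE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_dig_a_records(dig_output):
    """Return the IPv4 addresses from the A records in dig's answer section."""
    return [m.group(2) for m in (DIG_A_LINE.match(line.strip())
                                 for line in dig_output.splitlines()) if m]

def classify_apex_records(addrs):
    """Say whether a set of A records is ready for GitHub Pages HTTPS."""
    addrs = set(addrs)
    if not addrs:
        return "no-a-records"
    if addrs & LEGACY_GITHUB_IPS:
        return "legacy-no-https"      # the learnosm.org case in this thread
    if addrs == GITHUB_PAGES_IPS:
        return "ok"                   # all four current addresses present
    if addrs <= GITHUB_PAGES_IPS:
        return "partial"              # only some of the four: add the rest
    return "not-github"

def resolve_a_records(domain):
    """Live lookup via the system resolver (needs network; unused by the samples)."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Sample inputs copied from the dig output quoted in this comment.
STAGING_DIG = """\
nick-tallguy.github.io. 3203    IN      CNAME   sni.github.map.fastly.net.
sni.github.map.fastly.net. 293  IN      A       185.199.111.153
sni.github.map.fastly.net. 293  IN      A       185.199.108.153
sni.github.map.fastly.net. 293  IN      A       185.199.109.153
sni.github.map.fastly.net. 293  IN      A       185.199.110.153
"""
APEX_DIG = """\
;learnosm.org.                  IN      A
learnosm.org.           300     IN      A       192.30.252.153
"""

if __name__ == "__main__":
    for name, out in (("staging", STAGING_DIG), ("apex", APEX_DIG)):
        print(name, classify_apex_records(parse_dig_a_records(out)))
```

To check a live domain, pass `resolve_a_records("learnosm.org")` to `classify_apex_records` instead of the captured dig text.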

smit1678 commented 6 years ago

Thanks for flagging this. We should definitely update how we're managing the DNS entries for learnosm.org. One issue is that we can't point a top level domain (learnosm.org) to a github.io address with a CNAME. We will need to start using www.learnosm.org.

Here's what I propose:

michael63-osm commented 6 years ago

Hi,

I am not sure whether we need a CNAME record in DNS at all, or whether the A record for learnosm.org suffices. At least it works right now, and according to https://help.github.com/articles/setting-up-an-apex-domain/ it is not required by GitHub.

Once the DNS change is operative the learnosm.org custom domain needs to be removed and re-added to the repository so that the build system is triggered with a full rebuild. Then https should work automatically. After that we can enforce using https in our repository configuration.

smit1678 commented 6 years ago

If you want to just keep learnosm.org as the main URL, then let's try it. It looks like they've recently updated how they're doing https including enabling it on TLDs. Previously you couldn't get https without using a subdomain. We recently just did this for hotosm.org. I will try to see if we can do an ALIAS record instead of A records so they don't have to be updated by us in the future.

We'll still need to set up domain forwarding from www.learnosm.org to learnosm.org (it looks like that URL is out there, and I'm not sure how that will get routed after the switch and https enforcement).

smit1678 commented 6 years ago

Ok, ALIAS records to external URLs are not supported in Route53 on AWS, so I pointed the A records to the multiple IP addresses. I also reset the custom domain on GitHub and forced https. Everything seems to be working correctly.

I also correctly set up forwarding for the www.learnosm.org subdomain and it now forwards to https://learnosm.org.

We're getting mixed content warnings on the page now and it looks like we're loading http resources; I will make a separate ticket for that.