You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
```
"https_certificate": {
"state": "bad_authz",
"description": "The ACME authorization is in a bad state. We need to start over.",
"domains": ["tools.amditis.tech"],
"expires_at": "2026-04-15"
},
"https_enforced": false
```
Diagnosis
This is cosmetic, not broken. `dig tools.amditis.tech` resolves to `104.21.60.195` / `172.67.200.125` — Cloudflare proxy IPs (not GitHub Pages IPs `185.199.108.x`). The site is fronted by Cloudflare with the orange-cloud proxy enabled.
What's actually happening:
Cloudflare terminates SSL at its edge with its universal cert (curl confirms: `server: cloudflare` in response headers, HTTPS returns 200)
HTTP requests get 301-redirected to HTTPS by Cloudflare (so HTTPS-enforcement effectively works even with `https_enforced: false` on GitHub's side)
GitHub's own Let's Encrypt issuance fails because the HTTP-01 ACME challenge expects `http://tools.amditis.tech/.well-known/acme-challenge/` to hit GitHub Pages directly — but it hits Cloudflare's edge instead, which doesn't have the challenge file
Leave as-is (recommended for a docs site): Cloudflare provides caching, DDoS protection, edge analytics, and free SSL termination. The "bad_authz" state is harmless noise.
Restore GitHub-issued cert: Gray-cloud the DNS record (DNS only, no proxy) in Cloudflare for ~10 minutes so GitHub can complete ACME validation, then re-enable proxy. Trades Cloudflare features for cleaner GitHub status.
Hybrid: Set Cloudflare SSL mode to "Full (strict)" if not already (Cloudflare → GitHub Pages connection encrypted with GH's pre-existing cert). Same practical state as Add Python Explorer to resource kit guides #1.
Recommendation
Document this in `tools/CLAUDE.md` as a known state and close. Re-open if a future tool/auditor flags GitHub's bad_authz status as a real concern.
Related
`expires_at: 2026-04-15` — that date passed silently with no user-visible breakage, confirming the GitHub cert isn't actually serving traffic.
State
`gh api repos/jamditis/tools/pages` reports:
```
"https_certificate": {
"state": "bad_authz",
"description": "The ACME authorization is in a bad state. We need to start over.",
"domains": ["tools.amditis.tech"],
"expires_at": "2026-04-15"
},
"https_enforced": false
```
Diagnosis
This is cosmetic, not broken. `dig tools.amditis.tech` resolves to `104.21.60.195` / `172.67.200.125` — Cloudflare proxy IPs (not GitHub Pages IPs `185.199.108.x`). The site is fronted by Cloudflare with the orange-cloud proxy enabled.
What's actually happening:
Practical user impact: none. HTTPS works, redirect works, Cloudflare caching/DDoS/analytics work.
Fix paths (if/when ever needed)
Recommendation
Document this in `tools/CLAUDE.md` as a known state and close. Re-open if a future tool/auditor flags GitHub's bad_authz status as a real concern.
Related