TLS (Transport Layer Security), which replaced SSL, is enabled and configured with a self-signed certificate when GitHub Enterprise is started for the first time. As self-signed certificates are not trusted by web browsers and Git clients, these clients will report certificate warnings until you disable TLS or upload a certificate signed by a trusted authority, such as Let's Encrypt.

To allow users to use FIDO U2F authentication, you must enable TLS for your instance.

To use TLS in production, you must have a certificate in an unencrypted PEM format signed by a trusted certificate authority. Your certificate will also need Subject Alternative Names (SANs) configured for the subdomains listed above and will need to include the full certificate chain if it has been signed by an intermediate certificate authority.
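The following pre-flight check for the PEM requirements above is an added example, not part of GitHub Enterprise or its tooling. It inspects only PEM framing, so it catches an encrypted private key and a missing chain; it does not parse the certificate, so SAN coverage needs a separate X.509 check. The names `preflight` and `pem_block` and all sample inputs are constructed for illustration.

```python
import re

# RFC 7468 framing: capture each PEM block's label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def preflight(pem_text):
    """Return a list of findings for PEM text; an empty list means none found."""
    findings, certs = [], 0
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            certs += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: encryption is announced by the block label itself.
            findings.append("encrypted key (PKCS#8)")
        elif label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            # Traditional OpenSSL format: encryption is announced by a header line.
            findings.append("encrypted key (traditional)")
    if certs == 0:
        findings.append("no certificate")
    elif certs == 1:
        # Acceptable if a root signed it directly; incomplete if an
        # intermediate CA signed it, because the chain must be included.
        findings.append("single certificate, no chain")
    return findings

def pem_block(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block with a placeholder body (not a real key or cert)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample inputs.
GOOD = pem_block("CERTIFICATE") * 2 + pem_block("PRIVATE KEY")
PKCS8_ENCRYPTED = pem_block("CERTIFICATE") * 2 + pem_block("ENCRYPTED PRIVATE KEY")
LEGACY_ENCRYPTED = pem_block("CERTIFICATE") + pem_block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=",
)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("pkcs8", PKCS8_ENCRYPTED),
                         ("legacy", LEGACY_ENCRYPTED)]:
        print(name, preflight(sample) or "ok")
```
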

The GitHub Enterprise appliance will send HTTP Strict Transport Security (HSTS) headers when TLS is enabled. Disabling TLS will cause users to lose access to the appliance, because their browsers will not allow a protocol downgrade to HTTP.

Warning: Terminating TLS at a load balancer is not supported. When using TLS (which is recommended), HTTPS traffic must be forwarded directly to the appliance without modification.

For more information on setting up TLS, see "Configuring TLS."

About Let's Encrypt support

Let's Encrypt is a public certificate authority (CA) that uses the ACME protocol to issue free, automated TLS certificates that are trusted by browsers. You can automatically obtain and renew Let's Encrypt certificates on your appliance without manual maintenance.

To use Let's Encrypt automation, your appliance must be configured with a hostname that is publicly accessible over HTTP. The appliance must also be allowed to make outbound HTTPS connections.

When you enable automation of TLS certificate management using Let's Encrypt, the GitHub Enterprise appliance will contact the Let's Encrypt servers to obtain a certificate. To renew a certificate, Let's Encrypt servers must validate control of the configured domain name with inbound HTTP requests.

For more information, see "Configuring TLS using Let's Encrypt."

You can also use the ghe-ssl-acme command line utility on your GitHub Enterprise appliance to automatically generate a Let's Encrypt certificate. For more information, see "ghe-ssl-acme."