Serving HTTPS traffic using Fastly-managed certificates

This guide describes how to use Fastly TLS to enable HTTPS for a domain using a certificate managed by Fastly. Fastly-managed certificates use the ACME protocol to procure and renew TLS certificates from Let’s Encrypt, a non-profit certification authority, and GlobalSign, a commercial certification authority.

To serve secure traffic from Fastly using HTTPS, a website or application needs to provide clients with a valid TLS certificate signed by a trusted certification authority. TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the protocols that allow clients to form secure server connections so traffic can be served over HTTPS.

Before you begin

To use Fastly TLS with Fastly-managed certificates, be sure you have the following prerequisites in place:

  • a paid Fastly user account (not a developer’s trial) assigned the role of superuser or assigned a user role with added TLS management permission
  • permission to modify the DNS records on the relevant domains that appear as SAN entries on the TLS certificate
  • the relevant domains added to a properly configured Fastly service

The Fastly TLS web interface is compatible with certificates that have been uploaded as part of the Customer-Provided TLS Certificate Hosting Service with the following limitations:

  • If you replace previously uploaded certificates, you can continue to use the Customer-Provided TLS Certificate Hosting Service with no changes to your bill.
  • Removing a previously uploaded certificate from the Customer-Provided TLS Certificate Hosting Service and uploading a new one using Fastly TLS will result in the new certificate being counted in your bill for Fastly TLS. The old certificate will continue to be billed per any contracted term for the Customer-Provided TLS Certificate Hosting Service.

For information on migrating certificates from the Customer-Provided TLS Certificate Hosting Service to Fastly TLS, contact support@fastly.com.

In addition to these prerequisites, be sure you understand the following limitations:

  • Fastly TLS comes with a 50 certificate limit. To discuss how to raise this product’s certificate limit, contact sales@fastly.com.
  • Fastly managed certificates require clients to support TLS v1.2 and Server Name Indication (SNI) by default. To discuss how you can use settings other than these defaults, contact sales@fastly.com. The ability to use custom settings may require you to use a dedicated Fastly IP address pool, which must be purchased separately.
  • Fastly TLS does not support the Triple DES (3des) cipher suite.

Setting up TLS for a domain

Setting up TLS for a domain requires you to "secure" the domain by registering it with a certification authority. To start this process through Fastly’s web interface (instead of programmatically), follow these steps.

  1. Log in to the Fastly web interface and click the Configure link.
  2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which TLS is enabled or can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
  3. Click the Secure another domain button.
  4. From the selection menu that appears, select Use certificates Fastly obtains for you. The Enter subscription details page appears.

    [Screenshot: the Enter subscription details page that appears by default when you attempt to secure another domain]

  5. In the Domain field, enter one or more apex domains (e.g., example.com), subdomains (e.g., www.example.com or api.example.com), or a wildcard domain (e.g., *.example.com) and click the Add button. Domains you add appear in the Common name area of the page.

    If you only have one domain, the common name will be the same as the domain name. If you add more than one domain, they will appear in a menu. By default, the first domain you add will be selected for you. Select another domain from the Common name menu if that's not the one you want.

    [Screenshot: the Enter subscription details page that appears by default when you attempt to secure multiple other domains]

  6. From the Select a certification authority controls, choose one of the certification authorities to secure your certificate. Prices vary between certification authorities, sometimes significantly. Be sure to review the details about these differences on our pricing page.

  7. Optionally, if you have access to multiple Fastly IP addresses or have multiple Fastly CNAME records created with different networking or TLS configurations, then from the Enable on menu in the Select a TLS configuration area, select which TLS configuration to apply. This option defines both the IPs that the certificate will be deployed to and the associated TLS settings that will be applied.
  8. Click Submit. The Subscription details page appears displaying your domains along with detailed steps on how to verify you own them.

Verifying domain ownership

To begin serving HTTPS traffic, Fastly needs to verify that you control any domain you’ve added to the web interface. Fastly allows you to verify apex domains and subdomains via the ACME DNS challenge, the ACME HTTP challenge, or via email validation. Each requires you to make specific DNS changes. Wildcard domains require the DNS challenge or email validation challenge type.

Using the ACME DNS challenge to verify domain ownership

The default method for verifying you control a domain being added to a Fastly managed TLS certificate uses the ACME DNS challenge type. It’s suitable for all kinds of domains (apex, subdomains, and wildcards). It will only point the _acme-challenge subdomain at Fastly, allowing you to set up TLS first, before pointing production traffic at Fastly.

[Screenshot: the CNAME to use for the ACME DNS challenge when verifying domain ownership]

To use this verification method, create a CNAME record with a unique target for your domain. The formats for the record and target appear in the What’s next notification above your domain’s name in the list of TLS domains.

The steps to create the CNAME record will vary depending on your DNS provider's control panel interfaces. Refer to your DNS provider's documentation for exact instructions on how to do this. Your CNAME record must use the format _acme-challenge.DOMAIN_NAME (e.g., _acme-challenge.www.example.com) and must be pointed to a unique target for your domain (e.g., domain_token.fastly-validations.com). Once you’ve pointed your DNS records at Fastly, we encourage you to keep the _acme-challenge subdomain CNAME in place to avoid interruptions in service.

Using the ACME HTTP challenge to verify domain ownership

Another method for verifying you control a domain uses the ACME HTTP challenge. This method is only suitable for apex domains and subdomains (wildcard domains can only be verified using DNS or email challenges). It will point production traffic immediately at Fastly.

To use this verification method, click the Alternative domain verification method(s) link in the What’s next notification above your domain’s name in the list of TLS domains. A verification options window appears asking you to choose the verification alternative that suits your needs for the ACME HTTP challenge:

  • for a subdomain, create a CNAME record that points directly to the Fastly hostname
  • for an apex domain, create A records for the domain with the noted IP addresses

Once set up using either alternative, production traffic will immediately begin flowing through Fastly.

Using an email challenge to verify domain ownership

Domain control can also be verified via email when you've chosen GlobalSign as your certification authority. (Let's Encrypt does not support email challenges for domain verification.) To use this verification method, follow the steps below.

  1. Log in to the Fastly web interface and click the Configure link.
  2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which TLS is enabled or can be enabled.
  3. Click the TLS subscriptions tab.
  4. Click the Alternative domain verification method(s) link. The verify domain ownership page appears.
  5. From the Email validation menu, select the email address you want email verification sent to. When selected as the certification authority, GlobalSign will provide Fastly with a list of acceptable email addresses to which a verification email can be sent. Generally, the list will include email addresses like the following:

    • admin@example.com
    • administrator@example.com
    • hostmaster@example.com
    • postmaster@example.com
    • webmaster@example.com
  6. Click the Get verification email button.

Fastly will then instruct GlobalSign to send a verification email to the address you specify. It will contain a link that you must click to complete the domain ownership verification process.

What happens next

It should take no more than an hour for the TLS enablement process to progress through all of the TLS statuses shown below:

TLS status and description:

  • Checking domain DNS records… (Step 1 of 3): Domain validation is in progress. Fastly is checking domain DNS records to verify that you control the domain being added to a certificate. To advance to the next enablement state, you must verify control of the domain by updating that domain’s DNS records to complete one of the ACME challenge types.
  • Certificate requested. Waiting for response from CA… (Step 2 of 3): Domain validation has been confirmed. Fastly has verified you control the domain and has requested a TLS certificate for it from the certification authority.
  • TLS enabled (certificate being deployed globally): The certification authority has issued a TLS certificate. Newly issued certificates can take between 20 minutes and an hour to fully deploy across Fastly’s global network.

Troubleshooting

If more than an hour has passed and TLS enablement appears to be stalled in one of the stages of adding a domain, there is likely an issue.

Domains stuck in the Checking domain DNS records state

If the domain is stuck in the Checking domain DNS records state, it is likely that you have not configured your DNS records correctly in order to verify domain ownership. You can check the DNS records yourself using a dig command in a command line application as follows:

ACME challenge type and command to type:

  • HTTP challenge: dig www.example.com +short
  • DNS challenge: dig _acme-challenge.www.example.com +short

Be sure to replace example.com with the hostname you used when you configured your DNS records.

If you have correctly configured your DNS records, the result from this command will include one of the CNAME or A Records required for verification as defined in the Verifying domain ownership instructions.

If you recently added or modified DNS records, you may need to wait up to 72 hours for your DNS changes to propagate across the internet. If you don’t see these addresses within that time period, you may have misconfigured your DNS records.

If you are still having issues, there may be a Certification Authority Authorization (CAA) record on your domain that is blocking the certification authority from issuing certificates. This CAA record is used to specify which certification authorities (CAs) are allowed to issue certificates for a domain. If a CAA record exists, you may need to remove this record in order to use a managed Fastly TLS certificate.
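As an added example (not Fastly's code), the following Python performs the two checks described in the DNS-challenge instructions and in this troubleshooting section offline, on constructed `dig +short`-style answers: that the `_acme-challenge` CNAME points at a `<token>.fastly-validations.com` target, and whether a CAA record set permits the chosen CA (wildcard-aware, walking up to the parent zone as RFC 8659 specifies). The CAA identifiers `letsencrypt.org` and `globalsign.com` are the CAs' published identifiers, not values from this page; confirm them against the CA's own documentation.

```python
import re

# Constructed sample answers in the shape `dig +short` prints them (one record
# per line); illustrative only, not real DNS data.
ACME_DNS_ANSWER = "abc123token.fastly-validations.com.\n"
ZONE_CAA = {  # name -> output of `dig +short CAA name`; only the apex has CAA
    "example.com": '0 issue "letsencrypt.org"\n0 issuewild ";"\n',
    "www.example.com": "",
}
# Assumed CAA identifiers published by the CAs (not taken from this page).
CA_IDENTIFIERS = {"Let's Encrypt": "letsencrypt.org", "GlobalSign": "globalsign.com"}

def acme_dns_cname_ok(answer: str) -> bool:
    """True if a CNAME target in the answer has the <token>.fastly-validations.com shape."""
    targets = [t.rstrip(".") for t in answer.split()]
    return any(re.fullmatch(r"[a-z0-9-]+\.fastly-validations\.com", t) for t in targets)

def parse_caa(answer: str) -> list:
    """Parse `dig +short CAA` lines of the form: <flags> <tag> "<value>"."""
    recs = []
    for line in answer.splitlines():
        m = re.fullmatch(r'(\d+)\s+(\S+)\s+"([^"]*)"', line.strip())
        if m:
            recs.append((int(m.group(1)), m.group(2).lower(), m.group(3).strip()))
    return recs

def relevant_caa(zone: dict, name: str) -> list:
    """RFC 8659 lookup: the CAA set of the name or its closest ancestor that has
    one. For a wildcard request *.X the search starts at X."""
    labels = name.removeprefix("*.").split(".")
    for i in range(len(labels)):
        recs = parse_caa(zone.get(".".join(labels[i:]), ""))
        if recs:
            return recs
    return []

def caa_permits(zone: dict, name: str, ca_id: str) -> bool:
    """True if the CA identified by ca_id may issue for name. No CAA set up the
    tree, or no governing property in it, means issuance is unrestricted."""
    recs = relevant_caa(zone, name)
    tags = {tag for _, tag, _ in recs}
    # A wildcard request is governed by issuewild when present, else by issue.
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    if tag not in tags:
        return True
    # The CA identifier is the value before any ";"-separated parameters; a
    # bare ";" value names no CA and therefore blocks every CA.
    allowed = {v.split(";")[0].strip() for _, t, v in recs if t == tag}
    return ca_id in allowed
```

To use it against a real domain, feed the output of `dig +short CNAME _acme-challenge.<domain>` and `dig +short CAA <domain>` (for the domain and each parent) into these functions in place of the constructed strings.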

Domains stuck in the Certificate requested state

If the domain is stuck in the Waiting for a response from CA state, this is likely a temporary issue with the certification authority. Be sure to allow up to an hour in this state before contacting support@fastly.com for assistance. If this is a new certificate request, you can also try deleting the domain and starting again.

TLS enabled but certificate not deployed everywhere

If the domain displays the TLS enabled state but the certificate doesn’t appear to be available everywhere, the certificate is likely still in the process of being deployed throughout the Fastly network. It can take anywhere from 20 minutes to an hour for certificates to fully deploy. Be sure to allow up to an hour in this state before contacting support@fastly.com for assistance.

Pointing DNS to serve HTTPS traffic

To serve secure traffic via HTTPS once the certificate is deployed, follow these steps.

[Screenshot: the domain details shown by clicking More details when TLS traffic hasn't started flowing yet]

  1. Ensure that the domains you've added via the TLS domains interface have been added to a properly configured Fastly service.
  2. Configure your DNS records to point traffic at the newly created certificate’s IP addresses. All DNS details (CNAME, A records, and optionally AAAA records) can be found by clicking More details to view the TLS configuration associated with the domain. If you used the HTTP challenge method to verify domain ownership, you’re already pointing traffic at the certificate.

Your domains and certificates can be set to use one or more TLS configurations. For more information, refer to the details on managing DNS and TLS configurations.

Managing TLS subscriptions

You can use the TLS subscriptions page to add or remove domains on the subscription or change the common name. To manage your TLS subscriptions, follow these steps.

  1. Log in to the Fastly web interface and click the Configure link.
  2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS enabled or for which TLS can be enabled.
  3. Click the TLS subscriptions tab. The TLS subscriptions page appears, displaying your subscriptions and their state.
  4. Click the View subscription details link for the subscription you want to make changes to. The Subscription details page appears.

    [Screenshot: the View subscription details link shown at the bottom of a subscription card]

  5. Click the Manage Subscription button. The Manage Subscription details page appears.

  6. From the Manage Subscription details page, you can do the following:

    [Screenshot: the Manage Subscription details page]

    • Add new domains: In the Domain field, enter one or more apex domains (e.g., example.com), subdomains (e.g., www.example.com or api.example.com), or a wildcard domain (e.g., *.example.com) and click the Add button. Separate multiple domains with a comma.
    • Remove existing domains: Click the trash can icon in the Actions column on the same line as the domain you want to delete. Follow the instructions in the confirmation window to complete the deletion.
    • Change the subscription common name: From the Common name menu, select the domain used to represent this subscription.
  7. After making any changes to the subscription, click Submit. A message appears asking to confirm your changes.
  8. Click Confirm changes to submit your changes. To return to the previous screen, click No, review changes.

Disabling TLS and deleting a TLS domain

Once a domain has TLS enabled, you have the option to disable TLS via the Disable TLS link listed on the TLS domains page. Once disabled, Fastly will no longer serve TLS traffic on the selected domain. Fastly will attempt to renew a certificate for a disabled domain. To prevent this renewal process, you must delete the domain after you disable it. Fastly will not renew certificates for deleted domains.

Certificate management and renewals

Fastly currently works with two certification authorities, each with separate verification and renewal time frames that Fastly follows when managing your certificates:

  • Let's Encrypt renewals. Let’s Encrypt issues certificates that are valid for 90 days. Fastly will attempt to re-verify your domain and renew your certificate after 60 days. However, if DNS records no longer point at Fastly or if a CAA record blocks Let's Encrypt, the certificate will lapse at the end of the 90-day period.

  • GlobalSign renewals. GlobalSign issues certificates that are valid for 365 days. Fastly will attempt to re-verify your domain and renew your certificate after 335 days. However, if DNS records no longer point at Fastly, or if a CAA record blocks GlobalSign, the certificate will lapse at the end of the 365-day period. Certificates provided by GlobalSign are subject to the terms of GlobalSign's Subscriber Agreement, which can be found at https://www.globalsign.com/repository.

Fastly checks on Let's Encrypt renewals 30 days before certificates are due to expire and GlobalSign renewals 90 to 120 days before certificates are due to expire. If a DNS check indicates that a renewal is failing, Fastly will automatically email all account users with TLS management permissions, notifying them of the upcoming expiration. If the renewal continues to fail, Fastly will continue to email users on the account on a schedule up until the expiry date.

In addition, you must verify domain ownership as part of the management process. If you have the correct DNS records for verifying domain ownership and there is no blocking CAA record, but you are still receiving renewal failure emails, contact support@fastly.com for assistance.
