    Serving HTTPS traffic using Fastly-managed certificates

      Last updated November 20, 2019

    This guide describes how to use Fastly TLS to enable HTTPS for a domain using a certificate managed by Fastly. Fastly-managed certificates use the ACME protocol to procure and renew TLS certificates from Let’s Encrypt.

    To serve secure traffic from Fastly using HTTPS, a website or application needs to provide clients with a valid TLS certificate signed by a trusted certification authority. TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the protocols that allow clients to form secure connections to servers so traffic can be served over HTTPS.

    Before you begin

    To use Fastly TLS with Fastly-managed certificates, be sure you have the following prerequisites in place:

    The Fastly TLS web interface is compatible with certificates that have been uploaded as part of the Customer-Provided TLS Certificate Hosting Service with the following limitations:

    For information on migrating certificates from the Customer-Provided TLS Certificate Hosting Service to Fastly TLS, contact support@fastly.com.

    In addition to these prerequisites, be sure you understand the following limitations:

    Setting up TLS for a domain

    To set up TLS for an HTTPS domain, follow the steps below.

    1. Log in to the Fastly web interface and click the Configure link.
    2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS either enabled or for which TLS can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
    3. Click the Add HTTPS to your domains button. The Enter domain window appears.

      [Image: the Enter domain window that appears when you click the Add HTTPS to your domains button on the HTTPS and network tab]

    4. If you have your own TLS certificates and private keys, click the I want to bring my own certificate and private key link, and follow the guide to uploading and deploying your own certificates instead of this one.
    5. In the Domain name field, enter an apex domain (e.g., example.com), a subdomain (e.g., www.example.com or api.example.com), or a wildcard domain (e.g., *.example.com).
    6. Optionally, if you have access to multiple Fastly IP addresses or have multiple Fastly CNAME records created with different networking or TLS configurations, then from the TLS configuration menu, select which TLS configuration to apply. This option defines both the IPs that the certificate will be deployed to and the associated TLS settings that will be applied.
    7. Click the Add domain button. The TLS domains page appears with a series of cards displayed, each listing a single domain, including the domain you just added along with any other domains and their current TLS and certificate statuses.

    Verifying domain ownership

    To begin serving HTTPS traffic, Fastly needs to verify that you control any domain you’ve added to the web interface. Fastly offers two options to verify apex domains and subdomains: the ACME DNS challenge type and the ACME HTTP challenge type. Each requires you to make specific DNS changes. Wildcard domains require the DNS challenge type.

    Using the ACME DNS challenge to verify domain ownership

    The default method for verifying that you control a domain being added to a Fastly-managed TLS certificate uses the ACME DNS challenge type. It is suitable for all kinds of domains (apex, subdomains, and wildcards). It only points the _acme-challenge subdomain at Fastly, allowing you to set up TLS first, before pointing production traffic at Fastly.

    [Image: the CNAME to use for the ACME DNS challenge when verifying domain ownership]

    To use this verification method, create a CNAME record with a unique target for your domain. The formats for the record and target appear in the What’s next notification above your domain’s name in the list of TLS domains.

    The steps to create the CNAME record will vary depending on your DNS provider's control panel interfaces. Refer to your DNS provider's documentation for exact instructions on how to do this. Your CNAME record must use the format _acme-challenge.DOMAIN_NAME (e.g., _acme-challenge.www.example.com) and must be pointed to a unique target for your domain (e.g., domain_token.fastly-validations.com). Once you’ve pointed your DNS records at Fastly, we encourage you to keep the _acme-challenge subdomain CNAME in place to avoid interruptions in service.

    Using the ACME HTTP challenge to verify domain ownership

    An alternative method for verifying you control a domain uses the ACME HTTP challenge. This method is only suitable for apex domains and subdomains (wildcard domains can only be verified using the DNS challenge). It will point production traffic immediately at Fastly.

    To use this verification method, click the Alternative domain verification method(s) link in the What’s next notification above your domain’s name in the list of TLS domains. A verification options window appears:

    [Image: the alternative domain verification methods that appear when you click the associated link in the What's next notification above your domain's name in the list of TLS domains]

    Choose the verification alternative that suits your needs:

    In both cases, once set up, production traffic will immediately begin flowing through Fastly.

    What happens next

    It should take no more than an hour for the TLS enablement process to progress through all of the TLS statuses shown below:

    TLS Status: Checking domain DNS records… (Step 1 of 3)
    Description: Domain validation is in progress. Fastly is checking domain DNS records to verify that you control the domain being added to a certificate. To advance to the next enablement state, you must verify control by updating your domain’s DNS records to complete one of the ACME challenge types.

    TLS Status: Certificate requested. Waiting for response from CA… (Step 2 of 3)
    Description: Domain validation has been confirmed. Fastly believes the DNS records correctly point at Fastly and a certificate has been requested from the Certification Authority.

    TLS Status: TLS enabled (certificate being deployed globally)
    Description: The Certification Authority has issued a TLS certificate. Newly issued certificates can take between 20 minutes and an hour to fully deploy across Fastly’s global network.

    Troubleshooting

    If more than an hour has passed and TLS enablement appears to be stalled in one of the stages of adding a domain, there is likely an issue.

    Domains stuck in the Checking domain DNS records state

    If the domain is stuck in the Checking domain DNS records state, it is likely that you have not configured your DNS records correctly in order to verify domain ownership. You can check the DNS records yourself using a dig command in a command line application as follows:

    ACME challenge type    Command to type
    HTTP                   dig www.example.com +short
    DNS                    dig _acme-challenge.www.example.com +short

    Be sure to replace example.com with the hostname you used when you configured your DNS records.

    If you have correctly configured your DNS records, the result of this command will include one of the CNAME or A records required for verification, as defined in the Verifying domain ownership instructions.

    If you recently added or modified DNS records, you may need to wait up to 72 hours for your DNS changes to propagate across the internet. If you don’t see these addresses within that time period, you may have misconfigured your DNS records.

    If you are still having issues, there may be a CAA record on your domain that is blocking the certification authority from issuing certificates. This Certification Authority Authorization (CAA) record is used to specify which Certification Authorities (CAs) are allowed to issue certificates for a domain. If a CAA record exists, you may need to remove this record in order to use a managed Fastly TLS certificate.
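    The dig commands above show you what the records are; the following added example (not Fastly's code) applies the two rules that decide whether the Checking domain DNS records step can succeed: the _acme-challenge CNAME must point at a fastly-validations.com target, and the effective CAA policy, which RFC 8659 finds by walking from the name up towards the root, must not exclude letsencrypt.org. DNS answers come from a constructed in-memory zone (the validation tokens in it are hypothetical) so the script runs offline; replace dict_lookup with real queries to use it. Two points it makes concrete: a CAA record on example.com governs www.example.com and *.example.com as well, and instead of deleting a CAA record you can keep it and add a record permitting letsencrypt.org, so other CAs stay restricted.

```python
"""Offline pre-flight check for the ACME DNS challenge and CAA policy of a domain.

Added example, not Fastly's code. DNS answers come from a constructed
in-memory zone so this runs offline; to use it for real, replace
`dict_lookup` with a function returning `dig NAME TYPE +short` lines.
"""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed zone data, in the shape of `dig NAME TYPE +short` output.
# The token part of each validation target is hypothetical; the real target
# for a domain is shown in the Fastly web interface.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.www.example.com", "CNAME"): ["abc123token.fastly-validations.com."],
    ("_acme-challenge.example.com", "CNAME"): ["def456token.fastly-validations.com."],
    # misconfigured: the challenge name points at the site, not the validation target
    ("_acme-challenge.api.example.com", "CNAME"): ["www.example.com."],
    ("www.example.com", "CNAME"): ["shared.global.fastly.net."],
    # a CAA record at the apex permits one CA and governs every name below it
    ("example.com", "CAA"): ['0 issue "digicert.com"'],
    # permits Let's Encrypt for ordinary names but forbids wildcard issuance
    ("example.net", "CAA"): ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}


def dict_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in resolver: the constructed RRset, or [] for NXDOMAIN / NODATA."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rtype.upper()), [])


def _base(domain: str) -> str:
    """Strip a wildcard prefix: '*.example.com' -> 'example.com'."""
    return domain[2:] if domain.startswith("*.") else domain


def challenge_name(domain: str) -> str:
    """DNS-01 challenge owner name; a wildcard is validated on its base name."""
    return f"_acme-challenge.{_base(domain)}"


def check_challenge_cname(domain: str, lookup: Lookup = dict_lookup,
                          suffix: str = "fastly-validations.com") -> Tuple[bool, str]:
    """True if _acme-challenge.<domain> is a CNAME to a *.<suffix> target."""
    name = challenge_name(domain)
    targets = [t.rstrip(".").lower() for t in lookup(name, "CNAME")]
    if not targets:
        return False, f"no CNAME record at {name}"
    bad = [t for t in targets if not t.endswith("." + suffix)]
    if bad:
        return False, f"{name} points at {bad[0]}, not at a *.{suffix} target"
    return True, f"{name} -> {targets[0]}"


def parse_caa(rr: str) -> Tuple[int, str, str]:
    """'0 issue "letsencrypt.org"' -> (0, 'issue', 'letsencrypt.org')."""
    flags, tag, value = rr.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def effective_caa(domain: str, lookup: Lookup) -> Tuple[str, List[Tuple[int, str, str]]]:
    """RFC 8659 search: walk from the name towards the root; the closest CAA RRset wins."""
    labels = _base(domain).lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrs = lookup(owner, "CAA")
        if rrs:
            return owner, [parse_caa(r) for r in rrs]
    return "", []


def caa_permits(domain: str, ca: str = "letsencrypt.org",
                lookup: Lookup = dict_lookup) -> Tuple[bool, str]:
    """Would the CA identified by `ca` be allowed to issue for `domain`?"""
    owner, rrs = effective_caa(domain, lookup)
    if not rrs:
        return True, "no CAA records on the domain or its parents; any CA may issue"
    tags = {tag for _, tag, _ in rrs}
    # wildcard names use issuewild when present, otherwise fall back to issue
    tag = "issuewild" if domain.startswith("*.") and "issuewild" in tags else "issue"
    allowed = {value.split(";")[0].strip().lower() for _, t, value in rrs if t == tag}
    if not allowed:
        return True, f"CAA at {owner} has no {tag} property; issuance is not restricted"
    if ca in allowed:
        return True, f"CAA at {owner} permits {ca} ({tag})"
    listed = sorted(a for a in allowed if a) or ["nobody"]  # ';' alone means no CA at all
    return False, f"CAA at {owner} permits only {listed} under {tag}; {ca} is blocked"


def preflight(domain: str, lookup: Lookup = dict_lookup) -> Dict[str, Tuple[bool, str]]:
    """Both checks that a domain stuck in 'Checking domain DNS records' must pass."""
    return {"challenge_cname": check_challenge_cname(domain, lookup),
            "caa": caa_permits(domain, lookup=lookup)}


if __name__ == "__main__":
    for d in ("www.example.com", "*.example.com", "api.example.com", "app.example.net", "*.example.net"):
        for check, (ok, why) in preflight(d).items():
            print(f"{d:18} {check:16} {'OK  ' if ok else 'FAIL'} {why}")
```

    In the constructed zone, www.example.com has a correct challenge CNAME but is blocked by the apex CAA record, api.example.com has its challenge record pointed at the wrong target, and *.example.net is blocked by an issuewild property even though ordinary names under example.net are allowed.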

    Domains stuck in the Certificate requested state

    If the domain is stuck in the Certificate requested. Waiting for response from CA… state, this is likely a temporary issue with the Certification Authority. Be sure to allow up to an hour in this state before contacting support@fastly.com for assistance. If this is a new certificate request, you can also try deleting the domain and starting again.

    TLS enabled but certificate not deployed everywhere

    If the domain displays the TLS enabled state but the certificate doesn’t appear to be available everywhere, the certificate is likely still in the process of being deployed throughout the Fastly network. It can take anywhere from 20 minutes to an hour for certificates to fully deploy. Be sure to allow up to an hour in this state before contacting support@fastly.com for assistance.

    Pointing DNS to serve HTTPS traffic

    To serve secure traffic via HTTPS once the certificate is deployed, follow these steps.

    [Image: the domain details shown by clicking More details when TLS traffic hasn't started flowing yet]

    1. Ensure that the domains you've added via the TLS domains interface have been added to a properly configured Fastly service.
    2. Configure your DNS records to point traffic at the newly created certificate’s IP addresses. All DNS details (CNAME, A records, and optionally AAAA records) can be found by clicking More details to view the TLS configuration associated with the domain. If you used the HTTP challenge method to verify domain ownership, you’re already pointing traffic at the certificate.

    If you have custom network maps or multiple, dedicated IPs, your domains and certificates can be set to use one or more TLS configurations. For more information, refer to the details on managing DNS and TLS configurations.

    Disabling TLS and deleting a TLS domain

    Once a domain has TLS enabled, you have the option to disable TLS via the Disable TLS link listed on the TLS domains page. Once disabled, Fastly will no longer serve TLS traffic on the selected domain. Fastly will attempt to renew a certificate for a disabled domain. To prevent this renewal process, you must delete the domain after you disable it. Fastly will not renew certificates for deleted domains.

    Certificate management and renewals

    Let’s Encrypt issues certificates that are valid for 90 days. Fastly will attempt to re-verify your domain and renew your certificate after 60 days. However, if DNS records no longer point at Fastly, or if a CAA record blocks Let's Encrypt, the certificate will lapse at the end of the 90-day period.

    Thirty days before a certificate is due to expire, Fastly will automatically email all account users with TLS management permissions, notifying them of the upcoming expiration. If the renewal continues to fail, Fastly will continue to email users on the account on a schedule up until the expiry date.

    If you have the correct DNS records for verifying domain ownership, and there is no blocking CAA record, but you are still receiving renewal failure emails, contact support@fastly.com.

    Migrating domains from shared certificates to Fastly-managed certificates

    To migrate a domain on Fastly’s shared certificates over to the Fastly TLS product, start by following the Setting up TLS for a domain instructions. Be sure to use the ACME DNS challenge (the _acme-challenge subdomain) for verification, so that production traffic keeps pointing at the shared certificate.

    Once your domain enters the TLS enabled state, wait at least 10 minutes and then verify that the certificate is globally deployed before changing over your DNS records to point away from the active shared certificate. You can do this using the following command in a command line application:

    # </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
    openssl s_client -connect TLS.CONFIG.CNAME.RECORD:443 -servername your.domain.com </dev/null | openssl x509 -noout -text | grep 'Subject: CN'

    If the result includes your TLS hostname, this means that Fastly has successfully generated and deployed a managed certificate to our network, and it is safe to update your DNS records with your DNS provider.
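    The grep above only shows the Subject CN. Let's Encrypt places every requested name, including the CN, in the Subject Alternative Name extension, and browsers validate the hostname against that list rather than the CN, so a certificate whose CN is one name can still cover others. The following added example (not Fastly's code) parses the text that openssl x509 -noout -text prints, using a constructed sample whose serial number and dates are placeholders, and reports whether a given hostname is covered, applying the one-label wildcard rule so that *.api.example.com matches foo.api.example.com but not api.example.com or a.b.api.example.com. To check a deployed certificate, pass the real openssl output to certificate_covers.

```python
"""Report which hostnames a certificate covers, from `openssl x509 -noout -text` output.

Added example, not Fastly's code. The certificate text below is a constructed
sample (placeholder serial number and dates), embedded so the script runs offline.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Nov 20 00:00:00 2019 GMT
            Not After : Feb 18 00:00:00 2020 GMT
        Subject: CN = www.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:*.api.example.com
"""


def subject_cn(text: str) -> Optional[str]:
    """The CN from the Subject line, or None when the subject carries no CN."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def san_dns_names(text: str) -> List[str]:
    """DNS entries of the Subject Alternative Name extension (empty if absent)."""
    m = re.search(r"X509v3 Subject Alternative Name:.*?\n(.*?)\n", text, re.DOTALL)
    return re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []


def hostname_matches(host: str, pattern: str) -> bool:
    """RFC 6125 style match: exact, or a '*' covering exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # ".api.example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]          # the part the wildcard has to cover
    return bool(left) and "." not in left  # exactly one non-empty label


def certificate_covers(text: str, host: str) -> Tuple[bool, str]:
    """Does the certificate described by `text` cover `host`? Returns (ok, reason)."""
    sans = san_dns_names(text)
    cn = subject_cn(text)
    if sans:
        hits = [n for n in sans if hostname_matches(host, n)]
        if hits:
            return True, f"{host} matched SAN entry {hits[0]}"
        return False, f"{host} not in SAN list {sans} (CN={cn!r} is ignored when a SAN is present)"
    if cn and hostname_matches(host, cn):
        return True, f"{host} matched Subject CN {cn} (no SAN extension)"
    return False, f"{host} matches neither the SAN list nor the Subject CN"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    hosts = sys.argv[1:] or ["www.example.com", "example.com", "foo.api.example.com", "api.example.com"]
    print("Subject CN:", subject_cn(text))
    print("SAN:       ", san_dns_names(text))
    for h in hosts:
        ok, why = certificate_covers(text, h)
        print(f"{'OK  ' if ok else 'FAIL'} {why}")
```

    Run it as openssl s_client -connect HOST:443 -servername your.domain.com </dev/null | openssl x509 -noout -text | python3 certcheck.py your.domain.com (the script name is hypothetical) to check the certificate Fastly is actually serving; with no input on stdin it evaluates the constructed sample.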

    If you are currently using a shared certificate with a wildcard or subdomain, your CNAME record will likely end in shared.global.fastly.net. For apex domains, you will likely be using four A records. Provided the certificate is present on our network, you can now use the DNS records outlined in the Pointing DNS to serve HTTPS traffic instructions to point your domain to your new certificate, and away from the shared certificate.

    After changing the DNS records for the domain with your DNS provider, check to see if the changes have propagated to a local DNS resolver by using the following command:

    dig your.domain.com +short

    As soon as your DNS information has been updated worldwide, visit your domain in a browser and check to see which certificate is served. Once you confirm that the new certificate is being served across clients, follow the instructions for deleting a TLS domain to remove the domain from the shared certificate.
