    TLS origin configuration messages

      Last updated August 09, 2018

    When Fastly connects to your origins over TLS, you may encounter the errors described below. Each section explains why the error appears and how to fix it.

    Hostname mismatches

    Why the error appears

    Your origin server is serving a TLS certificate with a Common Name (CN) or list of Subject Alternate Names (SAN) that does not match the origin host or the origin's SSL hostname setting.

    How to fix it

    You can fix this by telling Fastly what to match against in the CN or SAN field in your origin's certificate.

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Configuration button and then select Clone active. The Domains page appears.
    4. Click the Origins link. The Origins page appears.
    5. Click the pencil icon to edit the affected host. The Edit this host page appears.
    6. In the Certificate Hostname field, type the hostname associated with your TLS certificate. This value is matched against the certificate common name (CN) or a subject alternate name (SAN) depending on the certificate you were issued. For example, if your certificate's CN field is www.example.com, type that value for your hostname.
    7. Click the Update button.
    8. Click the Activate button to deploy your configuration changes.

    When using custom VCL, you can specify the hostname to match against the certificate by using the .ssl_cert_hostname field of your origin's definition. The value is a quoted string, for example: .ssl_cert_hostname = "www.example.com";.

    Certificate chain mismatches

    Why the errors appear

    Your origin server is serving a certificate chain that cannot be validated using any of the Certificate Authorities (CAs) that Fastly knows. This can happen for two reasons:

    How to fix them

    In both cases, you can fix your configuration by adding the CA certificate that Fastly should use to verify the certificate to your service configuration:

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Configuration button and then select Clone active. The Domains page appears.
    4. Click the Origins link. The Origins page appears.
    5. Click the pencil icon to edit the affected host. The Edit this host page appears.
    6. In the TLS CA certificate field, copy and paste a PEM-formatted CA certificate.
    7. Click the Update button.
    8. Click the Activate button to deploy your configuration changes.

    If you are using custom VCL, you can specify the CA for Fastly to use by setting the .ssl_ca_cert backend parameter to a PEM-encoded CA certificate.

    Alternatively, you can get a new certificate issued by a CA in Fastly's CA certificate bundle (e.g., GlobalSign).

    Connection failures

    Why each error appears and how to fix it

    For Gethostbyname failures, the configured backend Host domain is returning NXDOMAIN. Double check that the DNS settings for your backend are correct.

    For Connection time out failures, the connection to your server is timing out. Double check that your backend is accessible and responding in a timely fashion.

    For Connection refused failures, the connection to your server is being refused, potentially by a firewall or network ACL. Double check that you have allowlisted the Fastly IP addresses and that your backend is accessible from our network.

    Certificate expirations

    Error: Certificate has expired

    Why the error appears

    The certificate your backend server is presenting Fastly has expired and needs to be reissued with an updated validity period.

    How to fix it

    If this is a self-signed certificate you can perform this update on your own by issuing a new CSR with your private key, creating the corresponding certificate, and installing it on the server.

    If this is a CA signed certificate you will need to issue a new CSR with your private key, submit it to your CA, and install the signed certificate they provide you.
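    The three certificate errors above (hostname mismatch, certificate chain mismatch, and certificate expiration) are the three checks a TLS client performs on an origin certificate, and they fail in a fixed order: validity period first, then hostname against CN/SAN, then chain building against the trusted CAs. The following Go program, an added example that is not Fastly's code, reproduces those checks with Go's standard x509 verifier so you can see which one an origin certificate would trip before you change the Certificate Hostname or TLS CA certificate settings. The certificates it checks are constructed in-process (self-signed test data), and `Classify` and `makeCert` are names chosen here, not Fastly APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate with one SAN and the given expiry.
// It is constructed test data standing in for an origin's certificate.
func makeCert(san string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: san},
		DNSNames:     []string{san},
		NotBefore:    notAfter.Add(-48 * time.Hour),
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Classify checks validity period, hostname (CN/SAN) and chain against the
// trusted CA set, in that order, and names the first failing check or "ok".
func Classify(cert *x509.Certificate, roots *x509.CertPool, expectedHost string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	if err == nil {
		return "ok"
	}
	var invalidErr x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknownErr x509.UnknownAuthorityError
	switch {
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		return "certificate expired"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &unknownErr):
		return "certificate chain mismatch"
	}
	return err.Error()
}
```

Passing an empty CA pool corresponds to an origin whose issuer is not in Fastly's bundle, and passing a hostname that differs from the SAN corresponds to a wrong Certificate Hostname setting.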

    SSL and old TLS protocol errors

    Why the errors appear

    Either your origin server is not configured to use TLS or it only supports older, outdated versions of the protocol. We do not support SSLv2 or SSLv3.

    How to fix them

    If the origin server is configured to use TLS, use the following information to troubleshoot the problem:

    If the origin server is not configured to use TLS, change your service configuration to disable TLS and communicate with it on port 80 instead of port 443:

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Configuration button and then select Clone active. The Domains page appears.
    4. Click the Origins link. The Origins page appears.
    5. Click the pencil icon to edit the affected host. The Edit this host page appears.
    6. From the Connect to backend using TLS menu, select No.
    7. Click the Update button.
    8. Click the Activate button to deploy your configuration changes.

    RC4 cipher error

    Why the error appears

    When Fastly connects to your origin server using TLS, the only cipher suite your server supports for establishing a connection is the RC4 cipher. This cipher is considered to be unsafe for general use and should be deprecated.

    How to fix it

    You can fix this on your origin by using the latest version of both the server and the TLS library (e.g., OpenSSL) and ensuring the cipher suites offered are tuned to best practices. You may need to explicitly blocklist the RC4 cipher.
