TLS origin configuration messages

Hostname mismatches

Why the error appears

Your origin server is serving a TLS certificate whose Common Name (CN) or list of Subject Alternative Names (SAN) does not match the origin host or the origin's SSL hostname setting.

How to fix it

You can fix this by telling Fastly what to match against in the CN or SAN field in your origin's certificate.

  1. Log in to the Fastly application.
  2. Click the configure tab (the wrench at the top of the window).
  3. From the Service menu, select the appropriate service.
  4. Click the blue Configure button.
  5. Click the Hosts pane from the list on the left.
  6. Click the gear icon next to the affected host and select TLS Options. The TLS Options window appears.
  7. In the Certificate Hostname field, type the hostname exactly as it appears in the certificate, in either the CN or the SAN field, depending on where the certificate carries it. For example, if your certificate's CN field is www.example.com, type that value for your hostname.
  8. Click Update.
  9. Activate a new version of the service to complete the configuration changes.

When using custom VCL, you can specify the hostname to match against the certificate by using the .ssl_cert_hostname field of your origin's backend definition. The value is a quoted string, for example: .ssl_cert_hostname = "www.example.com";

Certificate chain mismatches

Why the errors appear

Your origin server is serving a certificate chain that cannot be validated using any of the Certificate Authorities (CAs) that Fastly knows. This can happen for two reasons:

How to fix them

In both cases, you can fix your configuration by adding the CA certificate that Fastly should use to verify the certificate to your service configuration:

  1. Log in to the Fastly application.
  2. Click the configure tab (the wrench at the top of the window).
  3. From the Service menu, select the appropriate service.
  4. Click the blue Configure button to the right of the service name.
  5. Click the Hosts pane from the list on the left.
  6. Click the gear icon next to the affected host and select TLS Options. The TLS Options window appears.
  7. In the TLS CA Certificate field, copy and paste a PEM-formatted CA certificate.
  8. Click Update.
  9. Activate a new version of the service to complete the configuration changes.

If you are using custom VCL, you can specify the CA for Fastly to use by setting the .ssl_ca_cert backend parameter to a PEM-encoded CA certificate.

Alternatively, you can get a new certificate issued by a CA in Fastly's CA certificate bundle (e.g., GlobalSign).

Connection failures

Why each error appears and how to fix it

For Gethostbyname failures, the configured backend Host domain is returning NXDOMAIN. Double-check that the DNS settings for your backend are correct.

For Connection time out failures, the connection to your server is timing out. Double-check that your backend is accessible and responding in a timely fashion.

For Connection refused failures, the connection to your server is being refused, potentially by a firewall or network ACL. Double-check that you have whitelisted the Fastly IP addresses and that your backend is accessible from our network.

Certificate expirations

Error: Certificate has expired

The certificate your backend server is presenting to Fastly has expired and needs to be reissued with an updated validity period.

If this is a self-signed certificate, you can perform this update on your own by issuing a new CSR with your private key, creating the corresponding certificate, and installing it on the server.

If this is a CA-signed certificate, you will need to issue a new CSR with your private key, submit it to your CA, and install the signed certificate they provide you.

SSL and old TLS protocol errors

Why the errors appear

Either your origin server is not configured to use TLS or it only supports older, outdated versions of the protocol. We do not support SSLv2 or SSLv3.

How to fix them

If the origin server is configured to use TLS, make sure you are using the latest version of both the server and the TLS library (e.g., OpenSSL). You may have to explicitly enable a newer protocol version. Fastly supports TLSv1, TLSv1.1 and TLSv1.2.

If the origin server is not configured to use TLS, change your service configuration to disable TLS and communicate with it on port 80 instead of port 443:

  1. Log in to the Fastly application.
  2. Click the configure tab (the wrench at the top of the window).
  3. From the Service menu, select the appropriate service.
  4. Click the blue Configure button to the right of the service name.
  5. Click the Hosts pane from the list on the left.
  6. Click the gear icon next to the affected host and select TLS Options. The TLS Options window appears.
  7. From the TLS for Connection menu, select No.
  8. Click Update.
  9. Activate a new version of the service to complete the configuration changes.

RC4 cipher error

Why the error appears

When Fastly connects to your origin server using TLS, the only cipher suite your server supports for establishing a connection is the RC4 cipher. This cipher is considered to be unsafe for general use and should be deprecated.

How to fix it

You can fix this on your origin by using the latest version of both the server and the TLS library (e.g., OpenSSL) and ensuring the cipher suites offered are tuned to best practices. You may need to explicitly blacklist the RC4 cipher.
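Every failure class on this page (hostname mismatch, chain mismatch, DNS/timeout/refused, expiry, protocol and cipher errors) can be reproduced from outside Fastly with a plain TLS client before a service version is activated. The following is an added example, not Fastly tooling: it probes an origin with Python's ssl module using the same inputs the Hosts pane takes (the certificate hostname and an optional CA PEM file) and maps the resulting exception onto the page's categories. The verify codes and reason strings are OpenSSL's; the function names probe_origin and classify and the category labels are chosen here.

```python
import socket
import ssl

# OpenSSL X509 verify result codes (x509_vfy.h) behind the page's certificate errors.
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_HOSTNAME_MISMATCH = 62
CHAIN_ERRORS = {2, 18, 19, 20, 21}  # issuer missing, self-signed, leaf unverifiable

PROTOCOL_REASONS = {"UNSUPPORTED_PROTOCOL", "WRONG_VERSION_NUMBER",
                    "NO_PROTOCOLS_AVAILABLE", "TLSV1_ALERT_PROTOCOL_VERSION"}
CIPHER_REASONS = {"NO_SHARED_CIPHER", "SSLV3_ALERT_HANDSHAKE_FAILURE"}


def classify(exc):
    """Map a connect/handshake exception onto the error categories on this page."""
    if isinstance(exc, ssl.SSLCertVerificationError):      # check before plain SSLError
        code = getattr(exc, "verify_code", None)
        if code == X509_V_ERR_HOSTNAME_MISMATCH:
            return "hostname mismatch"          # fix: .ssl_cert_hostname / Certificate Hostname
        if code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "certificate expired"        # fix: reissue the certificate
        if code in CHAIN_ERRORS:
            return "certificate chain mismatch" # fix: .ssl_ca_cert / TLS CA Certificate
        return "other verification failure"
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", None) or ""
        if reason in PROTOCOL_REASONS:
            return "protocol error"             # SSLv2/3-only origin, or plain HTTP on 443
        if reason in CIPHER_REASONS:
            return "cipher error"               # e.g. origin offers only RC4
        return "other TLS error"
    if isinstance(exc, socket.gaierror):
        return "gethostbyname failure"          # NXDOMAIN: check backend DNS
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused"             # firewall / ACL: allow Fastly's IP ranges
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "connection timed out"
    return "unknown: " + type(exc).__name__


def probe_origin(host, port=443, cert_hostname=None, ca_pem_path=None, timeout=5.0):
    """Handshake like Fastly does: verify the chain against the default CA bundle (or
    the PEM in ca_pem_path, like .ssl_ca_cert) and match cert_hostname (.ssl_cert_hostname)."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=cert_hostname or host) as tls:
                return "ok: " + tls.version()   # e.g. "ok: TLSv1.2"
    except OSError as exc:                      # SSLError, gaierror, refused, timeout
        return classify(exc)
```

Run probe_origin("origin.example.com", cert_hostname="www.example.com") against your own origin; a "hostname mismatch" result here means the Certificate Hostname setting needs to match what the certificate actually carries.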