
TLS origin configuration messages

When Fastly connects to your origins over TLS, the connection can fail for several reasons. This page lists the TLS-related messages you may see for an origin, why each one appears, and how to fix it.

Hostname mismatches

Why the error appears

Your origin server is serving a TLS certificate whose Common Name (CN) and Subject Alternative Names (SANs) do not match the origin host or the origin's SSL hostname setting.

How to fix it

You can fix this by telling Fastly which hostname to match against the CN or SAN entries of your origin's certificate.

  1. Log in to the Fastly web interface and click the Configure link.
  2. From the service menu, select the appropriate service.
  3. Click the Edit configuration button and then select Clone active.
  4. Click the Origins tab. The Origins page appears.
  5. Click the TLS Options link next to the affected host. The TLS Options page appears.
  6. In the Certificate Hostname field, type the hostname associated with your TLS certificate. This value is matched against the certificate's common name (CN) or one of its subject alternative names (SANs), depending on the certificate you were issued. For example, if your certificate's CN field is www.example.com, type that value for your hostname. If you leave this field blank, the system uses the default host information displayed below this field.
  7. Click the Save button. Even if you leave the Certificate Hostname field blank to use the default information, you must click the Save button to verify the certificate.
  8. Activate a new version of the service to complete the configuration changes.

When using custom VCL, you can specify the hostname to match against the certificate with the .ssl_cert_hostname field of your origin's backend definition. The value is a quoted string, for example: .ssl_cert_hostname = "www.example.com";
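Before saving a Certificate Hostname value, it helps to confirm what names the origin's certificate actually carries and whether the candidate hostname passes the CN/SAN match. The script below is an added example, not part of Fastly's documentation or VCL: it uses the openssl command line to list a certificate's CN and DNS SANs and to run OpenSSL's own hostname check against it. The certificate and key are constructed in a temporary directory for the placeholder names www.example.com and example.com; origin.example.com stands in for an origin host that is not in the certificate. The origin_cert helper that fetches a live origin's certificate needs network access and is only shown, not run. OpenSSL 1.1.1 or newer is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Fastly's code): confirm which hostname to put in
# Certificate Hostname / .ssl_cert_hostname by checking it against the CN and
# SANs of the certificate the origin serves. Requires openssl 1.1.1+.
set -eu

# Print every name the certificate is valid for: the subject CN plus each DNS SAN.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Run OpenSSL's hostname check (the same CN/SAN matching rules a TLS client
# applies). The certificate is passed as its own trust anchor so that only the
# name check, not chain building, can fail.
hostname_matches() {  # hostname_matches cert host
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Fetch the leaf certificate a live origin presents (needs network; not run here).
# usage: origin_cert origin.example.com 443 www.example.com > origin.pem
origin_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Constructed sample: a self-signed certificate whose CN is www.example.com and
# whose SANs cover www.example.com and example.com (placeholder names).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:example.com" 2>/dev/null

# Report whether a candidate Certificate Hostname value would pass.
check_hostname() {
  if hostname_matches "$WORK/cert.pem" "$1"; then
    echo "$1: matches; set .ssl_cert_hostname = \"$1\";"
  else
    echo "$1: mismatch; certificate is valid for: $(cert_names "$WORK/cert.pem" | sort -u | tr '\n' ' ')"
  fi
}

check_hostname www.example.com      # matches
check_hostname origin.example.com   # mismatch: the origin's own name is not in the cert
```

When the check reports a mismatch, the names it prints are the only values that will work in the Certificate Hostname field; if none of them is the name you want Fastly to verify, the certificate on the origin has to be reissued with that name in its SANs.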

Certificate chain mismatches

Why the errors appear

Your origin server is serving a certificate chain that cannot be validated using any of the Certificate Authorities (CAs) that Fastly knows. This can happen for two reasons:

How to fix them

In both cases, you can fix your configuration by adding the CA certificate that Fastly should use to verify the certificate to your service configuration:

  1. Log in to the Fastly web interface and click the Configure link.
  2. From the service menu, select the appropriate service.
  3. Click the Edit configuration button and then select Clone active.
  4. Click the Origins tab. The Origins page appears.
  5. Click the TLS Options link next to the affected host. The TLS Options page appears.
  6. In the TLS CA certificate field, paste a PEM-formatted CA certificate.
  7. Click the Save button.
  8. Activate a new version of the service to complete the configuration changes.

If you are using custom VCL, you can specify the CA for Fastly to use by setting the .ssl_ca_cert backend parameter to a PEM-encoded CA certificate.

Alternatively, you can get a new certificate issued by a CA in Fastly's CA certificate bundle (e.g., GlobalSign).
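The script below is an added example, not Fastly's code, that reproduces the chain failures described above with a locally constructed PKI and shows which CA certificate resolves each one. It builds a private root, an intermediate issued by that root, and an origin leaf for the placeholder name www.example.com issued by the intermediate; a second, unrelated root stands in for the public CA bundle. It then runs the same verification a TLS client performs for four situations: a private CA that the public bundle does not contain, the root supplied but the origin omitting its intermediate, the root supplied with the origin sending the intermediate, and a root-plus-intermediate bundle supplied while the origin sends only its leaf. The origin_chain helper that shows what a live origin actually sends needs network access and is only shown. OpenSSL 1.1.1 or newer is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Fastly's code): reproduce the chain failures Fastly can
# hit against an origin and show which CA certificate resolves each. A private
# root and intermediate are constructed here; www.example.com is the origin.
# Requires openssl 1.1.1+.
set -eu
WORK=$(mktemp -d)

# Issue a certificate for CSR, signed by CACERT/CAKEY, with extensions from EXT.
issue() {  # issue csr cacert cakey extfile out
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -extfile "$4" -out "$5" 2>/dev/null
}

# Run the verification a TLS client performs: LEAF against the trust anchors in
# CAFILE, plus whatever intermediates the origin sends (UNTRUSTED, optional).
verify_out() {  # verify_out cafile leaf [untrusted]
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true
  else
    openssl verify -no-CApath -CAfile "$1" "$2" 2>&1 || true
  fi
}
verify_chain() { verify_out "$@" | grep -q ': OK$'; }

# Print OpenSSL's verdict for one scenario (the OK line or the first error).
show() {  # show label cafile leaf [untrusted]
  label=$1; shift
  printf '%s: ' "$label"
  verify_out "$@" | grep -E ': OK$|^error [0-9]' | head -n 1
}

# Show the chain a live origin actually sends (needs network; not run here).
origin_chain() {  # origin_chain host port servername
  openssl s_client -showcerts -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---/p'
}

# Constructed PKI: private root -> intermediate -> origin leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.ext" "$WORK/int.pem"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/leaf.ext"
issue "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/leaf.pem"
# Stand-in for a public CA bundle: a root that issued none of the above.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some Public Root" \
  -keyout "$WORK/public.key" -out "$WORK/public-bundle.pem" 2>/dev/null
# What to paste into the TLS CA certificate field when the origin sends only its leaf.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"

show "private CA, only the public bundle trusted"        "$WORK/public-bundle.pem" "$WORK/leaf.pem" "$WORK/int.pem"
show "root pasted, origin omits the intermediate"        "$WORK/root.pem" "$WORK/leaf.pem"
show "root pasted, origin sends the intermediate"        "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"
show "root+intermediate pasted, origin sends leaf only"  "$WORK/ca-bundle.pem" "$WORK/leaf.pem"
```

The last two scenarios are the two working configurations: either fix the origin so it sends its intermediate and paste only the root into the TLS CA certificate field, or paste both the intermediate and the root. Pasting the leaf certificate itself does not help, because Fastly needs an issuer to build the chain from, not another copy of what the origin already sends.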

Connection failures

Why each error appears and how to fix it

For Gethostbyname failures, the hostname configured for your backend does not resolve: DNS returns NXDOMAIN for it. Double check that the backend hostname is spelled correctly and that its DNS records exist and are reachable from the public internet.

For Connection time out failures, the TCP connection to your server is timing out. Double check that your backend is reachable and responds in a timely fashion; a firewall that silently drops packets produces a timeout rather than a refusal.

For Connection refused failures, the connection to your server is being actively refused, typically by a firewall or network ACL, or because nothing is listening on the configured port. Double check that Fastly's IP address ranges are allowed through your firewall, that the port in your backend configuration matches the one your server listens on, and that your backend is accessible from our network.

Certificate expirations

Error: Certificate has expired

The certificate your backend server presents to Fastly has expired and needs to be reissued with a new validity period.

If this is a self-signed certificate, you can renew it yourself: generate a new CSR with your existing private key, create a new self-signed certificate from it, and install that certificate on the server.

If this is a CA-signed certificate, generate a new CSR with your existing private key, submit it to your CA, and install the signed certificate they return to you.
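The renewal steps above, worked through with the openssl command line as an added example that is not part of Fastly's documentation. The script constructs a self-signed certificate for the placeholder name www.example.com that is valid for only one more day, so it stands in for a certificate about to expire; a 14-day warning window (assumed, not from the page) triggers renewal. The renewal keeps the existing private key, which the final check confirms. For a CA-signed certificate the same CSR would be submitted to the CA instead of being self-signed. OpenSSL 1.1.1 or newer is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Fastly's code): check how close a certificate is to
# expiry and renew a self-signed certificate with the existing private key.
# The certificate and key are constructed for www.example.com; the one-day
# validity of the first certificate stands in for one that is about to expire.
set -eu
WORK=$(mktemp -d)

# Print the certificate's notAfter date.
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Succeed (exit 0) if the certificate has expired or will expire within SECONDS.
# This is the check to wire into monitoring so that renewals happen early.
cert_expires_within() {  # cert_expires_within cert seconds
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed if CERT carries the public half of KEY, i.e. renewal kept the key pair.
cert_matches_key() {  # cert_matches_key cert key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Renew a self-signed certificate: a new CSR from the existing key, then a new
# self-signed certificate from that CSR. The SAN is supplied via -extfile
# because "openssl x509 -req" does not copy extensions from the CSR by default.
# For a CA-signed certificate, send OUT.csr to the CA instead of self-signing.
renew_self_signed() {  # renew_self_signed key hostname days out
  openssl req -new -key "$1" -subj "/CN=$2" -out "$4.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$4.ext"
  openssl x509 -req -in "$4.csr" -signkey "$1" -days "$3" -extfile "$4.ext" -out "$4" 2>/dev/null
}

# Constructed: a self-signed certificate valid for only one more day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/old.pem" \
  -subj "/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com" 2>/dev/null

WARN_WINDOW=1209600   # 14 days, in seconds (assumed policy)
echo "old certificate expires: $(cert_not_after "$WORK/old.pem")"
if cert_expires_within "$WORK/old.pem" "$WARN_WINDOW"; then
  echo "within the warning window; renewing with the existing private key"
  renew_self_signed "$WORK/key.pem" www.example.com 365 "$WORK/new.pem"
  echo "new certificate expires: $(cert_not_after "$WORK/new.pem")"
  cert_matches_key "$WORK/new.pem" "$WORK/key.pem" && echo "key pair unchanged"
fi
```

After installing the renewed certificate on the origin, re-run the Certificate Hostname save step in the Fastly web interface so that Fastly verifies the new certificate against your configuration.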

SSL and old TLS protocol errors

Why the errors appear

Either your origin server is not configured to use TLS at all, or it only supports older, outdated versions of the protocol. Fastly does not support SSLv2 or SSLv3.

How to fix them

If the origin server is configured to use TLS, make sure you are using the latest version of both the server and the TLS library (e.g., OpenSSL). You may have to explicitly enable a newer protocol version in the server's configuration (for example the ssl_protocols directive in nginx or SSLProtocol in Apache). Fastly supports TLSv1, TLSv1.1 and TLSv1.2.

If the origin server is not configured to use TLS, change your service configuration to disable TLS and communicate with it on port 80 instead of port 443. Bear in mind that this sends traffic between Fastly and your origin unencrypted: it is a workaround for an origin that cannot speak TLS, not a substitute for fixing one that can.

  1. Log in to the Fastly web interface and click the Configure link.
  2. From the service menu, select the appropriate service.
  3. Click the Edit configuration button and then select Clone active.
  4. Click the Origins tab. The Origins page appears.
  5. Click the TLS Options link next to the affected host. The TLS Options window appears.
  6. From the Connect to backend using TLS menu, select No.
  7. Click the Save button.
  8. Activate a new version of the service to complete the configuration changes.

RC4 cipher error

Why the error appears

When Fastly connects to your origin server using TLS, the only cipher suites your server offers are ones based on the RC4 stream cipher. RC4 is considered unsafe for general use, and its use in TLS is prohibited by RFC 7465.

How to fix it

You can fix this on your origin by using the latest version of both the server and the TLS library (e.g., OpenSSL) and ensuring the cipher suites offered follow current best practices. You may need to disable RC4 explicitly, for example by adding !RC4 to an OpenSSL-style cipher string.
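The script below is an added example, not Fastly's code, covering both the protocol-version section and the RC4 section above. It has two parts. The offline part expands an OpenSSL cipher string the way an OpenSSL-based server (the ssl_ciphers directive in nginx, SSLCipherSuite in Apache) would interpret it, so you can confirm that a hardened string really excludes RC4 and MD5 before deploying it; whether RC4 shows up in the loose string depends on how your OpenSSL was built, since recent builds leave RC4 out entirely. The network part probes a live origin for each TLS version Fastly can speak and tests whether the origin accepts nothing but RC4; those functions take placeholder host and port arguments and are only shown, not run. The cipher strings are assumptions chosen for the example, not values from the page.

```shell
#!/usr/bin/env bash
# Added example (not Fastly's code): probe which TLS versions and ciphers an
# origin negotiates, and evaluate a server cipher string offline before
# deploying it. Host names are placeholders; only the offline checks run here.
set -eu

# List the cipher suites an OpenSSL-based server (nginx ssl_ciphers, Apache
# SSLCipherSuite) would enable for a cipher string, one per line.
expand_ciphers() { openssl ciphers "$1" | tr ':' '\n'; }

# Succeed if the expanded cipher string enables any suite matching PATTERN.
cipher_list_has() {  # cipher_list_has cipher-string pattern
  expand_ciphers "$1" | grep -q -- "$2"
}

# Probe a live origin once per protocol version Fastly can speak
# (needs network; not run here).
probe_protocols() {  # probe_protocols host port
  for v in tls1 tls1_1 tls1_2; do
    if openssl s_client -connect "$1:$2" -servername "$1" "-$v" </dev/null >/dev/null 2>&1; then
      echo "$v: handshake ok"
    else
      echo "$v: handshake failed"
    fi
  done
}

# Succeed if the origin accepts RC4 but rejects every other suite, which is
# the condition behind the RC4 cipher error (needs network; not run here).
# On OpenSSL builds without RC4 the first probe cannot succeed, so use an
# older build or another TLS scanner to confirm an RC4-only origin.
rc4_only() {  # rc4_only host port
  openssl s_client -connect "$1:$2" -servername "$1" -cipher 'RC4' </dev/null >/dev/null 2>&1 \
  && ! openssl s_client -connect "$1:$2" -servername "$1" -cipher 'ALL:!RC4' </dev/null >/dev/null 2>&1
}

# Offline: a loose cipher string beside one that disables RC4, MD5 and 3DES.
LOOSE='ALL:!aNULL:!eNULL'
HARDENED='ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES'

for s in "$LOOSE" "$HARDENED"; do
  if cipher_list_has "$s" RC4; then
    echo "RC4 enabled by: $s"
  else
    echo "RC4 absent from: $s"
  fi
done
echo "hardened string enables $(expand_ciphers "$HARDENED" | wc -l) suites, for example:"
expand_ciphers "$HARDENED" | head -n 3
```

Run probe_protocols against the origin after changing its protocol settings: at least tls1_2 should report a successful handshake, and if all three fail the origin is either not speaking TLS on that port or only offers SSLv3 or older.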

