Skip to main content
Table of contents

Transition

Last updated: 5 Nov 2020

Request Fastly TLS certificate

When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.

  1. Use the 2nd line account to login to Fastly.

  2. Go to Configure > Switch services

  3. Select “Production Bouncer” and search for the domain

Photo of the step 1

Note: If domain is not listed you may need to re-run CDN: deploy Bouncer configs Jenkins job.

  1. Go to HTTPS and network > Secure another domain

Photo of the step 2

  1. Enter the domain name you want TLS certificate to be created. Select a corresponding TLS configuration:

gds_bouncer - for any domain name which resolves to:

- bouncer-cdn.production.govuk.service.gov.uk
- bouncer.gds.map.fastly.net
- 151.101.2.30, 151.101.66.30, 151.101.130.30, 151.101.194.30

govuk - for any domain name which resolves to:

- backend.production.alphagov.co.uk
- redirector-cdn.production.govuk.service.gov.uk
- redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk
- redirector-cdn-ssl-directgov.production.govuk.service.gov.uk
- redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk
- www-cdn.production.govuk.service.gov.uk
- www-gov-uk.map.fastly.net
- 151.101.0.144, 151.101.64.144, 151.101.128.144, 151.101.192.144

Photo of the step 3

  1. At this point, a unique domain ownership validation record (_acme-challenge) is generated by Fastly.

  2. ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a warning in Fastly documentation).

Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.

Photo of the step 4

  1. After domain ownership is confirmed the certificate should be enabled.

Photo of the step 5