Request Fastly TLS certificate
When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.
Use the 2nd line account to login to Fastly.
Go to Configure > Switch services
Select “Production Bouncer” and search for the domain
Note: If domain is not listed you may need to re-run CDN: deploy Bouncer configs Jenkins job.
- Go to HTTPS and network > Secure another domain
- Enter the domain name you want TLS certificate to be created. Select a corresponding TLS configuration:
gds_bouncer - for any domain name which resolves to:
- bouncer-cdn.production.govuk.service.gov.uk - bouncer.gds.map.fastly.net - 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206
govuk - for any domain name which resolves to:
- backend.production.alphagov.co.uk - redirector-cdn.production.govuk.service.gov.uk - redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk - redirector-cdn-ssl-directgov.production.govuk.service.gov.uk - redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk - www-cdn.production.govuk.service.gov.uk - www-gov-uk.map.fastly.net - 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
At this point, a unique domain ownership validation record (
_acme-challenge) is generated by Fastly.
ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a warning in Fastly documentation).
Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.
- After domain ownership is confirmed the certificate should be enabled.