Request Fastly TLS certificate
When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.
Login to Fastly. If you need access, speak to a member of the senior tech team. You will need “TLS management” permissions.
Search for “Production Bouncer”
- Select “Production Bouncer”, and then click “Service configuration”. Search for the domain.
Note: If the domain is not listed, you may need to re-run CDN: deploy Bouncer configs Jenkins job.
- Once you have completed the previous step to confirm that your domain is listed, click on “Secure” in the main header. Click the button + Secure another domain, and select “Use certificates Fastly obtains for you”.
- Enter the domain name(s) that you want a TLS certificate to be created for. Select Let’s encrypt as the certification authority. And select one of the following two TLS configurations. To decide, you need to know where your domain resolves to. A quick way to find out is:
dig <your-domain-name> +short
gds_bouncer - for any domain name which resolves to:
- bouncer-cdn.production.govuk.service.gov.uk - bouncer.gds.map.fastly.net - 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
govuk - for any domain name which resolves to:
- backend.production.alphagov.co.uk - redirector-cdn.production.govuk.service.gov.uk - redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk - redirector-cdn-ssl-directgov.production.govuk.service.gov.uk - redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk - www-cdn.production.govuk.service.gov.uk - www-gov-uk.map.fastly.net - 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
At this point, a unique domain ownership validation record (
_acme-challenge) is generated by Fastly.
ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a warning in Fastly documentation).
Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.
- After domain ownership is confirmed the certificate should be enabled.