Skip to main content
  1. Home
  2. Transition
Last updated: 1 Nov 2024

Request Fastly TLS certificate

When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.

  1. Login to Fastly - you will need “TLS management” permissions. A member of the senior tech team should be able to grant access through the Fastly UI (it can’t be done through govuk-user-reviewer).

  2. Search for “Production Bouncer”

    Screenshot of the Fastly website user interface on the "Home" tab. The words "Production bouncer" have been typed in the search bar, which has shown two results: Production Bouncer and Production Bouncer HTTPS.

  3. Select “Production Bouncer”, and then click “Service configuration”. Search for the domain.

    Screenshot of the Fastly website user interface on the "Service configuration" tab, which is nested under "Delivery". The word "engineering" has been typed into the search bar, which has given two results: engineering.gov.uk and www.engineering.gov.uk.

  4. Once you have completed the previous step to confirm that your domain is listed, click on “Security”, “TLS Management” then “Domains” in the toolbar on the left.

    Screenshot of the Fastly website user interface with the navigation bar on the left expanded to show "Security", "TLS Management" and then "Domains".

  5. Click the button + Secure another domain, and select “Use certificates Fastly obtains for you”.

    Screenshot of the Fastly website user interface on the "TLS management" tab which is nested under "Secure". There is a button in the top right labelled "+ Secure another domain".

  6. Enter the domain name(s) that you want a TLS certificate to be created for. Select Let’s encrypt as the certification authority. And select one of the following two TLS configurations. To decide, you need to know where your domain resolves to. A quick way to find out is:

    ping <your-domain-name>

    or

    dig <your-domain-name> +short

    bouncer.gds.map.fastly.net - for any domain name which resolves to:

    - bouncer-cdn.production.govuk.service.gov.uk
- bouncer.gds.map.fastly.net
- 151.101.2.30, 151.101.66.30, 151.101.130.30, 151.101.194.30

    www-gov-uk.map.fastly.net - for any domain name which resolves to:

    - backend.production.alphagov.co.uk
- redirector-cdn.production.govuk.service.gov.uk
- redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk
- redirector-cdn-ssl-directgov.production.govuk.service.gov.uk
- redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk
- www-cdn.production.govuk.service.gov.uk
- www-gov-uk.map.fastly.net
- 151.101.0.144, 151.101.64.144, 151.101.128.144, 151.101.192.144

    Screnshot of the Fastly website user interface on the "TLS subscriptions" tab, nested under "TLS management". A form is shown where multiple domains can be added into a text area.

    Click Submit

  7. At this point, a unique domain ownership validation record (_acme-challenge) is generated by Fastly.

  8. ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a warning in Fastly documentation).

    Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.

  9. After domain ownership is confirmed the certificate should be enabled.

Screenshot of the Fastly website user interface showing the TLS status is enabled for the domain find-coronavirus-support.service.gov.uk. Other information included on the screen is: certificate expiry, TLS version, HTTP protocols and details of all the DNS records for the domain.

Related repositories

More in the Transition section

Learn

How to...