Add request Fastly TLS certificate

When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.
alphagov · Nov 6, 2020 · 26ded2e · 26ded2e
1 parent ae8fcb6
commit 26ded2e
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 0 deletions.
diff --git a/source/manual/images/fastly/1.png b/source/manual/images/fastly/1.png
diff --git a/source/manual/images/fastly/2.png b/source/manual/images/fastly/2.png
diff --git a/source/manual/images/fastly/3.png b/source/manual/images/fastly/3.png
diff --git a/source/manual/images/fastly/4.png b/source/manual/images/fastly/4.png
diff --git a/source/manual/images/fastly/5.png b/source/manual/images/fastly/5.png
diff --git a/source/manual/request-fastly-tls-certificate.html.md b/source/manual/request-fastly-tls-certificate.html.md
@@ -0,0 +1,62 @@
+---
+owner_slack: "#govuk-platform-health"
+title: Request Fastly TLS certificate
+section: Transition
+layout: manual_layout
+parent: "/manual.html"
+related_applications: [bouncer, transition]
+---
+
+When transitioning HTTPS domains, these are the steps to request a TLS
+certificate from Fastly.
+
+1. Use the 2nd line account to login to Fastly.
+
+1. Go to Configure > Switch services
+
+1. Select “Production Bouncer” and search for the domain
+
+![Photo of the step 1](images/fastly/1.png)
+
+*Note: If domain is not listed you may need to re-run [CDN: deploy Bouncer configs](https://deploy.blue.production.govuk.digital/job/Bouncer_CDN/) Jenkins job.*
+
+1. Go to HTTPS and network > Secure another domain
+
+![Photo of the step 2](images/fastly/2.png)
+
+1. Enter the domain name you want TLS certificate to be created. Select a corresponding TLS configuration:
+
+**gds_bouncer** - for any domain name which resolves to:
+
+```
+- bouncer-cdn.production.govuk.service.gov.uk
+- bouncer.gds.map.fastly.net
+- 151.101.2.30, 151.101.66.30, 151.101.130.30, 151.101.194.30
+```
+
+**govuk** - for any domain name which resolves to:
+
+```
+- backend.production.alphagov.co.uk
+- redirector-cdn.production.govuk.service.gov.uk
+- redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk
+- redirector-cdn-ssl-directgov.production.govuk.service.gov.uk
+- redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk
+- www-cdn.production.govuk.service.gov.uk
+- www-gov-uk.map.fastly.net
+- 151.101.0.144, 151.101.64.144, 151.101.128.144, 151.101.192.144
+```
+
+![Photo of the step 3](images/fastly/3.png)
+
+1. At this point, a unique domain [ownership validation](https://docs.fastly.com/en/guides/serving-https-traffic-using-fastly-managed-certificates#verifying-domain-ownership) record (`_acme-challenge`) is generated by Fastly.
+
+1. ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a [warning](https://docs.fastly.com/en/guides/serving-https-traffic-using-fastly-managed-certificates#using-the-acme-http-challenge-to-verify-domain-ownership) in Fastly documentation).
+
+*Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS  you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.*
+
+![Photo of the step 4](images/fastly/4.png)
+
+1. After domain ownership is confirmed the certificate should be enabled.
+
+![Photo of the step 5](images/fastly/5.png)