Commit
When transitioning HTTPS domains, these are the steps to request a TLS certificate from Fastly.
1 parent
ae8fcb6
commit 26ded2e
Showing 6 changed files with 62 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
owner_slack: "#govuk-platform-health" | ||
title: Request Fastly TLS certificate | ||
section: Transition | ||
layout: manual_layout | ||
parent: "/manual.html" | ||
related_applications: [bouncer, transition] | ||
--- | ||
|
||
When transitioning HTTPS domains, these are the steps to request a TLS | ||
certificate from Fastly. | ||
|
||
1. Use the 2nd line account to login to Fastly. | ||
|
||
1. Go to Configure > Switch services | ||
|
||
1. Select “Production Bouncer” and search for the domain | ||
|
||
![Photo of the step 1](images/fastly/1.png) | ||
|
||
*Note: If domain is not listed you may need to re-run [CDN: deploy Bouncer configs](https://deploy.blue.production.govuk.digital/job/Bouncer_CDN/) Jenkins job.* | ||
|
||
1. Go to HTTPS and network > Secure another domain | ||
|
||
![Photo of the step 2](images/fastly/2.png) | ||
|
||
1. Enter the domain name you want TLS certificate to be created. Select a corresponding TLS configuration: | ||
|
||
**gds_bouncer** - for any domain name which resolves to: | ||
|
||
``` | ||
- bouncer-cdn.production.govuk.service.gov.uk | ||
- bouncer.gds.map.fastly.net | ||
- 151.101.2.30, 151.101.66.30, 151.101.130.30, 151.101.194.30 | ||
``` | ||
|
||
**govuk** - for any domain name which resolves to: | ||
|
||
``` | ||
- backend.production.alphagov.co.uk | ||
- redirector-cdn.production.govuk.service.gov.uk | ||
- redirector-cdn-ssl-businesslink.production.govuk.service.gov.uk | ||
- redirector-cdn-ssl-directgov.production.govuk.service.gov.uk | ||
- redirector-cdn-ssl-events-businesslink.production.govuk.service.gov.uk | ||
- www-cdn.production.govuk.service.gov.uk | ||
- www-gov-uk.map.fastly.net | ||
- 151.101.0.144, 151.101.64.144, 151.101.128.144, 151.101.192.144 | ||
``` | ||
|
||
![Photo of the step 3](images/fastly/3.png) | ||
|
||
1. At this point, a unique domain [ownership validation](https://docs.fastly.com/en/guides/serving-https-traffic-using-fastly-managed-certificates#verifying-domain-ownership) record (`_acme-challenge`) is generated by Fastly. | ||
|
||
1. ACME DNS validation method (with “_acme-challenge” record) should be used for all HSTS protected domains (e.g. find-coronavirus-support.service.gov.uk, *.service.gov.uk) and domains currently available over the HTTPS. This is to allow GOV.UK team to test and prevent service going offline during the certificate creation process (as per a [warning](https://docs.fastly.com/en/guides/serving-https-traffic-using-fastly-managed-certificates#using-the-acme-http-challenge-to-verify-domain-ownership) in Fastly documentation). | ||
|
||
*Note: for domain names which already resolve to Fastly IPs/CNAME and do not have services available over the HTTPS you can select “Alternative domain verification method”. This option automatically verifies domain ownership using ACME HTTP method.* | ||
|
||
![Photo of the step 4](images/fastly/4.png) | ||
|
||
1. After domain ownership is confirmed the certificate should be enabled. | ||
|
||
![Photo of the step 5](images/fastly/5.png) |
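
Review bot: The procedure jumps from Fastly generating the `_acme-challenge` record to "After domain ownership is confirmed the certificate should be enabled", so for the ACME DNS path it never says who publishes that record in the domain's DNS or how to check it is in place before moving on. I'd add a step between the two that names who creates the record (presumably whoever controls the domain's DNS) and how to confirm it resolves, and reword the last step to say whether the operator enables the certificate or Fastly does so once validation passes. In the same area, the step recommending DNS validation for HSTS-protected and already-HTTPS domains, and the "Alternative domain verification method" note, both come after the step where the record is generated; stating the choice of method first would match the order the operator acts in. The IP addresses listed under **gds_bouncer** and **govuk** are hard-coded, so a line saying where they come from would help whoever has to update this page if they change.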