_acme-challenge conflicting records

Hi,

We would like to add the Fastly CDN in front of a website hosted on GCP (Google Cloud Platform). It seems that the most compatible configuration (in certain ways) is to have the same hostname on the backend and frontend. That is, the websites themselves respond to www.example.com. The CDN is also configured to be on the domain www.example.com.

Google load balancers support “DNS authorization” certificates. That involves adding an _acme-challenge CNAME record in DNS. Because the IP address of the website will be pointing at a CDN instead of the load balancer, it’s not possible to use an IP address-based method.

Next step, configure Fastly. The problem is that Fastly certificates use the exact same method, and they conflict.

Warning!
Conflicting record(s) found at _acme-challenge.www.example.com. Please remove the record(s) and add the following CNAME record: 96ra25r.fastly-validations.com

It appears you may only have one _acme-challenge CNAME.

The next method in Fastly is “ACME HTTP/CNAME challenge”. I tried that, however the same error occurs.

Warning!
Conflicting record(s) found at _acme-challenge.www.example.com. Please remove the record(s) and add the following CNAME record: 96ra25r.fastly-validations.com

The next option is “Using an email challenge to verify domain ownership”. Contact support. Perhaps this is the only way.

Any ideas? Can the _acme-challenge conflict be solved somehow?

It is surprising (to me) that this topic hasn’t been discussed in this forum already. There were no search results about _acme-challenge. Aren’t most companies installing SSL certificates on the backend and the frontend? If so, how do they solve the problem of validating the same certificates in two places and avoid a conflict in the process?

Thanks,
Sam

Hey @sdarwin, welcome to the Fastly community forum. Great to have you here.

You’re right that we only support a single _acme-challenge record per subdomain for DNS validations. I’m not sure of the reasoning behind this but as I understand, this is common practice across the industry.

If you’re not a fan of using an email challenge, we do offer the ability to validate domain ownership using an HTTP challenge. Documentation for that is available here: Setting up TLS with certificates Fastly manages

Alternatively you could change the hostname of the backend load balancer to something different, meaning you would not have this clash when validating with DNS. This is what most customers tend to do.

In the case that none of these options are feasible for you, I would recommend that you contact support@fastly.com, who will be able to give you some more specific assistance in this matter.

Hi @kailan,

This is done by adding a CNAME pointing to t.sni.global.fastly.net. What appeared to happen is that after adding that CNAME, but with the _acme-challenge from Google still present, the result is immediately "Warning! Conflicting record(s) found at _acme-challenge". The DNS challenge takes precedence and prevents the next challenge from succeeding.

Right.

There is a lucky trick which seems like a hack, but may be OK. Google will configure SSL on a base domain + a wildcard. So, example.com and *.example.com. Then set up Fastly at only www.example.com. In that case, the certificate requests between Fastly and Google will be sufficiently different to bypass the error.
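The reason the two validations collide, and why the wildcard trick avoids it, comes down to one DNS rule: a CNAME must be the only record at its owner name (RFC 1034 section 3.6.2), and ACME dns-01 for www.example.com always uses the owner name _acme-challenge.www.example.com, while example.com and *.example.com share _acme-challenge.example.com. The small zone model below is an added illustration written for this thread, not code from Fastly or Google; the CNAME targets are constructed placeholders, and `Zone`, `acme_challenge_name` and `plan_validation_cnames` are hypothetical names.

```python
from collections import defaultdict


def acme_challenge_name(domain: str) -> str:
    """Owner name ACME dns-01 validates for a domain.

    A wildcard and its base name share the same owner name, which is what the
    workaround in the thread relies on (example.com and *.example.com both
    validate at _acme-challenge.example.com, not at the www label).
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


class Zone:
    """Minimal in-memory zone: owner name -> list of (rtype, rdata)."""

    def __init__(self):
        self.records = defaultdict(list)

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        existing = self.records[owner]
        # RFC 1034 3.6.2: a CNAME must be the only record at its owner name,
        # so a second provider's CNAME at the same name is a conflict.
        if rtype == "CNAME" and existing:
            raise ValueError(f"Conflicting record(s) found at {owner}: {existing}")
        if rtype != "CNAME" and any(rt == "CNAME" for rt, _ in existing):
            raise ValueError(f"CNAME already present at {owner}")
        existing.append((rtype, rdata))


def plan_validation_cnames(zone: Zone, requests):
    """Add each provider's validation CNAME; raise on the first conflict.

    requests: list of (provider, [domains], cname_target).
    Returns {provider: sorted owner names that were added}.
    """
    added = {}
    for provider, domains, target in requests:
        owners = sorted({acme_challenge_name(d) for d in domains})
        for owner in owners:
            zone.add(owner, "CNAME", target)
        added[provider] = owners
    return added


if __name__ == "__main__":
    # Constructed placeholder targets; real targets come from each provider.
    google, fastly = "dns-auth.google.invalid.", "abc123.fastly-validations.invalid."
    try:  # same hostname on both sides: both want _acme-challenge.www.example.com
        plan_validation_cnames(Zone(), [("google", ["www.example.com"], google),
                                        ("fastly", ["www.example.com"], fastly)])
    except ValueError as e:
        print("same hostname:", e)
    # wildcard workaround: Google validates at the apex, Fastly at www
    print(plan_validation_cnames(Zone(), [("google", ["example.com", "*.example.com"], google),
                                          ("fastly", ["www.example.com"], fastly)]))
```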