I have a question regarding cert renewal.
I am doing a dual CDN setup: Client -> Akamai -> Fastly.
I have 2 questions:
- Since the CNAME will point to Akamai, the Fastly cert automatic renewal will fail. Is my understanding correct?
- What can we do to ensure that the Fastly cert keeps being renewed automatically? One way I can think of is to set up a redirect validation at Akamai.
For example, the ACME challenge at Akamai follows this format:
http:///.well-known/acme-challenge/ → Redirect to → http://dcv.akamai.com/.well-known/acme-challenge/
Similar to the above, is there a Fastly pattern for the ACME challenge? Either as a URL redirect or a URL token?
If you are using Certainly for your Fastly-managed certificate, we have great news! Fastly supports a DNS-based challenge called DNS-ACCOUNT-01 which uses a unique DNS name for the Fastly challenge and will not interfere with challenges for other account providers. Talk to your Fastly account manager about getting that enabled on your account.
As far as redirecting the HTTP challenge: that is not possible, as the challenge URL is always the same for all certificate providers.
Thanks Kevin,
further to your comment:
"HTTP challenge: that is not possible, as the challenge URL is always the same for all certificate providers." -> What if I don't need the challenge URL for Akamai (a.k.a. I'll use a third-party CA)? So I have no problem keeping the ACME redirect or ACME response body always pointing to the Fastly hostname. It should work, right?
If yes, what is the DCV hostname for Fastly? Akamai's is dcv.akamai.com; what is it for Fastly?
Fastly’s HTTP challenges don’t work that way; we handle the challenge if the request lands on our network, otherwise we don’t.
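To make the two answers above concrete (the shared HTTP-01 path that only the front CDN can answer, versus the account-scoped name that DNS-ACCOUNT-01 uses), here is an added example that is not from the thread or from Fastly. It assumes the DNS-ACCOUNT-01 label is derived as in the IETF draft (first 10 bytes of SHA-256 over the ACME account URL, base32, lower case); the account URLs and domain are constructed.

```python
import base64
import hashlib

# Constructed sample data (not from the thread): one ACME account per CDN/CA.
AKAMAI_SIDE_ACCOUNT = "https://ca-a.example.test/acme/acct/1001"  # hypothetical
FASTLY_SIDE_ACCOUNT = "https://ca-b.example.test/acme/acct/2002"  # hypothetical
DOMAIN = "www.example.com"


def http01_path(token: str) -> str:
    """HTTP-01: a fixed path prefix, identical for every CA and every CDN."""
    return f"/.well-known/acme-challenge/{token}"


def http01_can_validate(cname_target: str, issuing_cdn: str, front_forwards: bool) -> bool:
    """A CDN can only answer HTTP-01 if the request lands on its network:
    either the CNAME points at it, or the front CDN forwards the path to it."""
    return cname_target == issuing_cdn or front_forwards


def dns01_name(domain: str) -> str:
    """DNS-01: one fixed TXT name per domain, shared by all CAs."""
    return f"_acme-challenge.{domain}"


def dns_account_label(account_url: str) -> str:
    """Assumed DNS-ACCOUNT-01 derivation: first 10 bytes of SHA-256 over the
    ACME account URL, base32, lower case (10 bytes -> 16 chars, no padding)."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def dns_account01_name(domain: str, account_url: str) -> str:
    """DNS-ACCOUNT-01: the TXT name is scoped to the ACME account, so two
    providers validating the same domain write to different records."""
    return f"_{dns_account_label(account_url)}._acme-challenge.{domain}"


def challenge_targets_collide(domain: str, acct_a: str, acct_b: str) -> dict:
    """Per challenge type: would two independent ACME accounts contend for the
    same validation target on `domain`?"""
    prefix = lambda tok: http01_path(tok).rsplit("/", 1)[0]  # noqa: E731
    return {
        "http-01": prefix("tokenA") == prefix("tokenB"),
        "dns-01": dns01_name(domain) == dns01_name(domain),
        "dns-account-01": dns_account01_name(domain, acct_a)
        == dns_account01_name(domain, acct_b),
    }


if __name__ == "__main__":
    print(http01_can_validate("akamai", "fastly", front_forwards=False))  # False
    for acct in (AKAMAI_SIDE_ACCOUNT, FASTLY_SIDE_ACCOUNT):
        print(dns_account01_name(DOMAIN, acct))
    print(challenge_targets_collide(DOMAIN, AKAMAI_SIDE_ACCOUNT, FASTLY_SIDE_ACCOUNT))
```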