Setting up Self Signed TLS in Fastly and my origin


This post will endeavour to describe how to use a self-signed TLS certificate for Fastly to Origin connections. It will cover generating the self-signed certificate, configuring your origin and finally configuring Fastly.

This post assumes that you are using a POSIX system to generate the TLS key and certificate with OpenSSL installed. For the initial post it only covers using Apache2 on Ubuntu (version 14.04 or newer). Other systems may be added in future.

1. Create a Self-Signed Certificate:

There are a few steps for this. First we create a key, then we create a certificate signing request. Finally we sign it with the key we created.

To start, open a terminal session and SSH (or use PuTTY on Windows) to the POSIX system you are using to create the certificate. If using Ubuntu and Apache2 this will likely be your origin.

In your home directory create a directory for the certificates and change directory to this. Then create a key with:
openssl genrsa -des3 -out server.key.secure 2048
Enter a password when requested.

Then we remove the password from the key and save this to another file:
openssl rsa -in server.key.secure -out server.key

This creates a 2048 bit RSA key. The first file (server.key.secure) holds it encrypted with triple DES under the password you entered; the second (server.key) holds the same key unencrypted, so Apache can start without prompting for a password.

!!! KEEP THIS SAFE AND PRIVATE !!!

Now we’ll create a CSR (certificate signing request) using this key. In the same directory run:
openssl req -new -key server.key -out server.csr

This will ask you for the details to add to your certificate such as Company Name (Organisation), Location details (Country, City, State), Email Address (should be an administrator’s email address) … and crucially the name of the site or ‘CN’. This should be the domain name that will be used to verify the certificate such as www.example.com. Make sure to note this down as it will be used to validate the certificate later (and may be used in Apache for validating the hostname).

Finally we can sign this with our key by running:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This creates a certificate which is valid for a year, signed with the same key that was used to create the request. That is what makes it self-signed.

There should now be 4 files in your directory:

server.key.secure
server.key
server.csr
server.crt

Make sure to back these up to a safe, secure location and have a safe store of the password for the secure key.

2. Configure the certificate in Apache.

As mentioned previously this assumes that you are using Apache 2 on Ubuntu 12.04 or newer. For other systems consult their documentation for guidance.

In the SSH session from step 1 (or a new one if that was closed), copy server.crt to /etc/ssl/certs/. Then copy the key server.key to /etc/ssl/private. This places the key and certificate in the default location for Ubuntu systems.

sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/

Now you will need to edit your TLS virtual host to use this certificate. Assuming you are using the Ubuntu default virtual host files, open /etc/apache2/sites-available/default-ssl.conf in your chosen editor.

Make sure that the following directives are correctly set:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # (other directives not shown for brevity)
</VirtualHost>

Then save and quit the configuration file. Enable the virtual host and mod_ssl with:

sudo a2ensite default-ssl.conf
sudo a2enmod ssl

And restart apache:

sudo service apache2 restart

Then test with either:

openssl s_client -connect <ip or hostname of server>:443

This shows the details of the certificate and confirms that the server is listening correctly on port 443.

Or test with the following (if you remove the ‘k’ option you should see a self-signed certificate error, because curl does not trust the certificate):

curl -svko /dev/null https://127.0.0.1/

3. Configure Fastly to accept a self signed certificate

Log in to https://app.fastly.com/ as a user with either the superuser or engineer role.
Navigate to your latest unlocked version and then to Configure > Configure > Hosts.

  • Under Backends click the cog icon next to your TLS origin (or create a new one) and select ‘TLS Options’
  • Ensure that ‘Use TLS for Connection’ is set to ‘Yes’. This configures Fastly to use TLS to origin.
  • In ‘Certificate Hostname’ enter the name of the site as used on the certificate earlier.
  • Ensure that ‘Verify SSL’ is set to ‘Yes’.
  • In TLS CA Certificate paste the contents of the certificate. If you ‘cat server.crt’ and copy / paste this, make sure not to capture additional characters after the final ‘-’ at the end.
  • Make sure that TLS Client Certificate, TLS Client Key, SNI Hostname and Allowed Ciphersuites are clear and that Minimum and Maximum TLS Versions are ‘(none)’.
  • Click ‘Update’ to save.
  • Ensure that your Backend Port is set to ‘443’.
  • Activate your service to make the changes active.

Finally test that you are able to retrieve pages from origin (cache miss or cache pass) without receiving a 503 error.
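As an added pre-flight for step 3 (example code, not from the original post): clean_pem() normalises the text copied from server.crt and rejects anything that is not a single certificate block, which catches the stray-character problem described for the ‘TLS CA Certificate’ field, and preflight_origin() then connects to the origin with the same trust and hostname rules Fastly will apply, so a failure shows up before the service is activated. The origin IP, port and hostname are whatever you used in steps 1 and 2; the sample paste inside the block is constructed.

```python
"""Pre-flight for step 3: clean_pem() catches the copy/paste problem noted for
the 'TLS CA Certificate' field; preflight_origin() repeats the check Fastly
will make (trust only server.crt, match 'Certificate Hostname')."""
import base64
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: a paste of 'cat server.crt' that also captured the shell
# prompt and a trailing '%'. The body is a tiny DER SEQUENCE, not a real cert.
SAMPLE_PASTE = (
    "user@origin:~$ cat server.crt\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n%"
)


def clean_pem(text: str) -> str:
    """Return exactly one normalised PEM block, or raise ValueError."""
    start = text.find(PEM_BEGIN)
    end = text.find(PEM_END, start)
    if start == -1 or end == -1:
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    # Everything outside the markers (prompt, stray '%' or '$') is dropped.
    body = "".join(text[start + len(PEM_BEGIN):end].split())
    der = base64.b64decode(body, validate=True)  # rejects non-base64 junk
    if not der or der[0] != 0x30:                # DER SEQUENCE tag
        raise ValueError("PEM body does not decode to a DER certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def preflight_origin(origin_ip: str, cert_hostname: str, ca_pem: str,
                     port: int = 443) -> dict:
    """Connect to the origin as Fastly will: only ca_pem is trusted (no system
    CAs) and the certificate name must match cert_hostname. Python also sends
    cert_hostname as SNI; Fastly keeps 'SNI Hostname' separate (left clear)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification + name check on
    ctx.load_verify_locations(cadata=clean_pem(ca_pem))
    with socket.create_connection((origin_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=cert_hostname) as tls:
            return {"tls_version": tls.version(),
                    "subject": tls.getpeercert()["subject"]}
```

Run preflight_origin with your origin's address, the CN from step 1 and the contents of server.crt; an ssl.SSLCertVerificationError here means Fastly will return 503 for the same reason.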