Edgio

Custom Domains & SSL

This guide covers the steps you need to take your site live on Edgio with a secure, custom domain.
Creating custom domains is always done in the context of creating or updating an environment.

Configuration Overview

  1. If needed, create an environment using instructions in Environments.
  2. Create the Custom Domain.
  3. Set up DNS for your custom domain.
  4. Allowlist our network on your firewall.
  5. Configure TLS/SSL for the domain.

Custom Domains

Before going live, you must create a production environment and configure your domains.
To configure your custom domains:
  1. Navigate to a site, then open an existing environment or create a new environment. (To create an environment, use instructions in Environments.)
    • For an existing environment, select the ENVIRONMENTS tab header, then click an environment name in the list of environments. Continue with the numbered steps below.
    • For a new environment, the DEPLOYMENTS tab is displayed. Continue with the following steps.
  2. Select the CONFIGURATION tab header.

    domains
  3. Create a new draft version of the environment by clicking EDIT at the top of the page.
  4. In the Domains section, click EDIT DOMAINS.

    domains
  5. Enter a name in the Edit Domains dialog, then click APPLY.

    domainsSection
  6. Click ACTIVATE at the top of the page to enable the updated environment.

    activateEnvironment

Migrating from Fastly

If you’re migrating to Edgio from Fastly, you will need to do the following before adding your domains to your Edgio environment:
  • Contact Fastly support and request that control of your domains be transferred to Edgio. Be sure to explicitly list each domain that needs to be transferred and ask Fastly to contact support@edg.io if they need Edgio to confirm the transfer.
  • Before going live with Edgio, you will need to ensure that you’ve removed your domains from all active Fastly services. To remove domains from a service, clone the service, remove the domains, then activate the new version of the service. Once the new service version is activated you can add the domains to your Edgio environment and activate it.

Set up DNS

In order to configure your DNS provider to direct traffic for a particular set of domains to Edgio, you must create DNS records for your website. If you are launching a new site, then you can create the records whenever you feel ready. For sites that are already live, the DNS update is the last step. Once you have updated your DNS you are committed to launching.
To see the DNS configuration values, click the Actions needed button in the Domains section of the Configuration tab. This will show you the A and CNAME records you need to create in your DNS provider.
dns configuration

Using a Sub-domain

To host your site on a subdomain (e.g. www.mywebsite.xyz), add a CNAME record with the value shown under DNS Configuration (see above).
1# To verify your DNS entry, run the following command
2dig <your-sub-domain>
3
4# Example
5dig www.mywebsite.xyz
6
7# Result
8www.mywebsite.xyz. 599 IN CNAME d12ea738-71b3-25e8-c771-6fdd3f6bd8ba.layer0-limelight.link.

Using an Apex Domain

To host your site on the apex domain (e.g. mywebsite.xyz), create multiple A records on your apex domain, with the following Anycast IP address values: 208.69.180.11, 208.69.180.12, 208.69.180.13, 208.69.180.14
1# To verify your DNS entry, run the following command
2dig <your-apex-domain>
3
4# Example
5dig mywebsite.xyz
6
7# Result
8mywebsite.xyz. 599 IN A 208.69.180.11
9mywebsite.xyz. 599 IN A 208.69.180.12
10mywebsite.xyz. 599 IN A 208.69.180.13
11mywebsite.xyz. 599 IN A 208.69.180.14

Using Both an Apex Domain and a Sub-domain

  • Create the multiple A records with the IPs, on your apex domain (see above).
  • Create a CNAME record for your sub-domain, with the value of your apex domain.

    1# To verify your DNS entries, run the following command
    2dig <your-sub-domain>
    3# Example
    4dig www.mywebsite.xyz
    5# Result
    6www.mywebsite.xyz. 599 IN CNAME. mywebsite.xyz.
    7mywebsite.xyz. 599 IN A 208.69.180.11
    8mywebsite.xyz. 599 IN A 208.69.180.12
    9mywebsite.xyz. 599 IN A 208.69.180.13
    10mywebsite.xyz. 599 IN A 208.69.180.14

Allowing Edgio IP Addresses

Before going live, ensure that all Edgio IP addresses are allowed in the security layer in front of your origin and/or API servers. The IP addresses you need to allow can be found on the Allowlisting section under the Origin Security tab for your property. Note that each team may have their own set of IPs so these values cannot be copied from one team to another.
allowlisting

TLS/SSL

All data transmitted to and from your Edgio site must be secured with TLS (Transport Layer Security). TLS, also known as SSL (Secure Sockets Layer), is a cryptographic protocol to communicate securely over the Internet. TLS provides end-to-end data encryption and data integrity for all web requests.
Edgio provides a wildcard TLS certificate that covers the auto-generated domains that it assigns to your site (e.g [team]-[site]-[branch]-[version].layer0-limelight.link). You need to provide your own certificate for your site’s custom domains.
If you already have an existing certificate, you can use it by skipping ahead to the Uploading your Certificate section. Many customers who have existing certificates still choose to obtain a new one when adopting Edgio so as not to reuse the same private key with more than one vendor/system.

Obtaining a Certificate Automatically

Edgio can generate SSL Certificates on your behalf using Let’s Encrypt. Certificates are free, valid for 3 months, and automatically renewed as long as the technical requirements, shown below, remain met:
  1. Make sure each environment is configured with the custom domains on which it will receive traffic. For more information on configuring custom domains, see Custom Domains above.
  2. Using your DNS provider, verify and possibly add a CAA record to allow Let’s Encrypt to generate certificates for your domains.
    • The CAA DNS entries of a domain behave like an allow list to indicate whether any or only certain Certificate Authorities are allowed to generate certificates for that domain.
    • If there are no CAA records, it means that any Certificate Authority is allowed to generate certificates for that domain.
    • If there are CAA records, it means that only certain Certificate Authorities are allowed to generate certificates for that domain.
    • So in order for Let’s Encrypt to be able to generate a certificate for your domains, you must either not have defined any CAA records, or Let’s Encrypt’s CAA entry must be among those defined in the list of CAA records.
    You can verify the value of the CAA records for your domain from the command line using the command below.

    Bash
    1# Run the following command
    2dig caa +short <your-apex-domain>
    3
    4# Example
    5dig caa +short mywebsite.xyz

    Example of a CAA query showing that only certain Certificate Authorities are allowed to generate certificates for that domain:

    Bash
    10 issue "amazon.com"
    20 issue "digicert.com"
    30 issue "globalsign.com"
    40 issue "letsencrypt.org"

    If the result of the CAA DNS query is empty, it means that any Certificate Authority is allowed to generate certificates on that domain. If so, you can directly go to the next step.
    If there are already some CAA DNS entries defined on your domain, and if Let’s Encrypt’s CAA entry is not among those, you will have to add an additional CCA entry for Let’s Encrypt.
    To do so, log into your DNS provider, and add a CAA type DNS record with the following values:
    • Type : CAA
    • Name : empty (or @, depending on the DNS provider)
    • Flags: 0
    • Tag: issue
    • Value: letsencrypt.org (or "letsencrypt.org")
    Example with GoDaddy:

    CAA Record on GoDaddy

    Example with Gandi:

    CAA Record on Gandi

    You can use the following links to see how to configure the CAA record on commonly used DNS providers:

    Once the DNS entry has been added, you can verify the CAA record using one of the following:
    Many DNS providers have already added this CAA DNS record by default while some DNS providers do not allow the creation of CAA DNS records and therefore allow any Certificate Authority to generate certificates.
    You can learn more about CAA DNS records on Let’s Encrypt website, on Wikipedia, on Gandi and on eff.org
  3. Add an _acme-challenge. CNAME DNS entry to allow Edgio to issue a certificate request on your behalf.
    Log into your DNS provider and add one CNAME type DNS entry with the value _acme-challenge.<your-domain-here> for each domain you use on your Edgio website. For example, if your domain is mywebsite.xyz, the DNS entry should have a value of _acme-challenge.mywebsite.xyz. This record should point to _acme-challenge.xdn-validation.com. Repeat the operation of each domain associated with your Edgio website.

    Example with Godaddy:

    ACME Challenge Record on GoDady

    Example with Gandi:

    ACME Challenge Record on Gandi

    Once the DNS entries have been added, you can use one of the following to verify that they are correctly configured:
    You can also verify the CNAME records using the command line:
    Bash
    1# Run the following 'dig' command to verify the presence of the '_acme-challenge.' CNAME :
    2dig +short cname _acme-challenge.<your-domain>
    3
    4# For example:
    5dig +short cname _acme-challenge.mywebsite.xyz

    Expected result for the DNS query:
    1_acme-challenge.xdn-validation.com.

    If you use multiple domains for your website, like mywebsite.xyz and www.mywebsite.xyz, you will have to make sure that the _acme-challenge DNS record has been added for both domains:
    1_acme-challenge.mywebsite.xyz -> _acme-challenge.xdn-validation.com.
    2_acme-challenge.www.mywebsite.xyz -> _acme-challenge.xdn-validation.com.

    If you have been previously using Let’s Encrypt to generate certificates for this domain, please verify that there are no remaining TXT records named _acme-challenge.mywebsite.xyz.

    You can read more about the acme-challenge. process by visiting Let’s Encrypt Website
  4. Once the requirements above are met, you can generate the certificate using the Edgio Developer Console:
    1. Select your site and navigate to Settings > SSL Certificate
    2. Verify the state of your certificate (you should see that there’s no certificate provided yet for your website):

    ssl-generation-01
    1. Click on the Generate SSL Certificate button:

    ssl-generation-02
    1. After a couple of minutes, you should see that your website has received a valid certificate:

    ssl-generation-03

Creating a Certificate Manually

TLS certificates are issued by Certificate Authorities (CA) based on Certificate Signing Request (CSR) that they receive from you. Alongside the CSR the same process creates the certificate’s private key. You only need to share your CSR with CA, not the private key which you should store securely.
The following steps describe the creation of the CSR and private key with OpenSSL. OpenSSL is an open-source toolkit for the TLS protocol. We recommend using OpenSSL because it ensures that your private key will only be stored locally on your infrastructure. Your CA may have more customized guides or an entirely customized certification process.
To create CSR and private key do the following:
  1. Open your terminal window and make sure that you have OpenSSL installed:
    • On MacOS you can install it by using brew package manager (e.g. brew install openssl)
    • On Windows you can install it by using Chocolatey package manager (e.g. choco install openssl)
    • On Linux/Unix you can install it by running the built-in OS package manager (e.g. apt-get install openssl, apk add openssl and so on)
  2. Go to the directory of your choice and create a configuration file edgio.conf based on this template:
    1[req]
    2default_bits=2048
    3distinguished_name = req_distinguished_name
    4req_extensions = v3_req
    5
    6[req_distinguished_name]
    7countryName=Country Name (2 letter code)
    8countryName_default=US
    9stateOrProvinceName=State or Province Name (full name)
    10stateOrProvinceName_default=California
    11localityName=Locality Name (e.g. city)
    12localityName_default=San Francisco
    13organizationName=Organization Name (e.g. company)
    14organizationName_default=YourCompanyName
    15commonName=Fully Qualified Domain Name (FQDN) e.g. www.your-company-name.com
    16commonName_default=www.your-company-domain.com
    17
    18[ v3_req ]
    19subjectAltName=@alt_names
    20
    21[alt_names] # Other domains: apex domain, wildcard domain for staging and dev, and so on
    22DNS.1=*.your-main-domain.com
    23DNS.2=*.your-dev-domain.com
    24DNS.3=your-apex-domain.com
    25# And so on
Replace the country, state/province, locality, organization name and, most importantly Common Name (CN), for the cert which must be the fully qualified domain name for your domain (e.g. for Edgio that is www.edg.io)
You will want to add all the additional domains into the alt_names section. There you should add your development, staging and other domains although Edgio strongly encourages the use of wildcard certs.
  1. Run openssl req -out edgio.csr -newkey rsa:2048 -nodes -keyout edgio.key -config edgio.conf -batch. This should generate your CSR in edgio.csr and private key in edgio.key. If you want OpenSSL to ask you for each different input, remove the -batch option and re-run the command.
  2. Verify your CSR contains the expected domains by running openssl req -in edgio.csr -noout -text | grep DNS
  3. Read the CSR (e.g. cat edgio.csr) or copy to your clipboard (on OSX cat edgio.csr | pbcopy) and send it to your CA for certification.

Uploading Your Certificate

Prerequisites

To upload a certificate, you must have the Admin role on your team, and your team must be upgraded to Edgio Enterprise.
Edgio needs the following to correctly host your certificate:
  • Certificate issued by CA
  • Intermediate certificates (IC) used by CA, including CA’s signing certificate
  • Private key that was generated at the time of the CSR.

Uploading the certificate

To upload your SSL certificate, do the following:
  1. Navigate to the Settings tab on your site:
    ssl
  2. Scroll to TLS Certificate.
    empty-certificate
  3. Toggle Automatically create an TLS certificate for my custom domains to the on position.
  4. Copy the certificate, intermediate certificates, and the private key into the corresponding edit boxes.
    The private key is non-public data and must not be shared with parties other than Edgio. Edgio stores your private key securely at rest. It is never shown in the developer console and only used to provision parts of the infrastructure that are used to terminate TLS connections.
  5. Click CHANGES SAVED.
    The certificate’s status becomes Activating:
    in-progress-certificate
    After the certificate is activated, its status becomes Active:
    activated-certificate
    _Note: Certificate activation should take just a few minutes. If the status does not become Active within an hour, please contact support. _