Issues with Stellate Services behind a Cloudflare Proxy

Update timeline

1. monitoring Oct 25, 2023, 09:07 AM UTC

   If you are running your Stellate service behind a Cloudflare DNS record with proxy turned on and are running into issues with SAN (subject alternative names) errors, we recommend turning the proxy off and reaching out to our support team via [email protected] or the in-app messenger.

2. resolved Nov 06, 2023, 03:57 PM UTC

   We have added additional information to the service settings on validating custom domains that do not point at Fastly directly. If you have Cloudflare Proxy, or another proxy, in front of Stellate, please make sure your custom domain is shown as _Verified_ in your service settings. If you have questions, do not hesitate to reach out to our support team.

3. postmortem Nov 06, 2023, 03:57 PM UTC

   Fastly started forbidding domain fronting on October 24th, customers that were using Cloudflare with proxy enabled were affected as Fastly could not verify domain ownership for TLS certificates. This caused Fastly to throw a TLS validation error when trying to access these domains. We got communications from Fastly in September telling us some domains were going to be affected. However, they mentioned we had until the TLS certificates expired on current domains to take action. After the incident we reached out to Fastly, and they also mentioned the report they sent us was incomplete, as it did not include information for the HTTP method, as requests not using the POST method could be affected. This miscommunication from Fastly side led us to believe we had more time before our application would be affected. Going forward, we are double checking important dates with third party providers to make sure there are no misunderstandings and we don’t cause downtime for our customers.