Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

Question

It is impossible to get a working SSL with Spaces.

Origin URL:

When creating a new Spaces on Digital Ocean and going to the given origin URL, both Firefox and Chrome warns that the SSL certificate is invalid.

The given error is:

This server could not prove that it is subdomain.domain.tld.ams3.digitaloceanspaces.com; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Edge URL

When enabling the CDN, and going to the given edge URL, another error is given (still, both Firefox and Chrome):

This server could not prove that it is subdomain.domain.tld.ams3.cdn.digitaloceanspaces.com; its security certificate is from *.ssl.hwcdn.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Custom URL

Finally, by using an automatic DO Let’s Encrypt certificate, and going to our custom URL subdomain.domain.tld, the same error arises:

This server could not prove that it is subdomain.domain.tld; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

What is weird is that the first error is contradictory - the given wildcard certificate should be just fine for our origin URL. We are on FRA1 region, and working with a .cloud TLD.

Answer 1

Shiroka April 5, 2020

Hi @FlorianErnst ,

Actually,DigitalOcean only provide managed certificate with subdomains for *.{region}.digitaloceanspaces.com, doesn’t include *.*.{region}.digitaloceanspaces.com.You can set you bucket name as a-b.{region}.digitaloceanspaces.com while not a.b.{region}.digitaloceanspaces.com.Thats mean,when you are using a.b.{region}.digitaloceanspaces.com as your default bucket domain,you can’t access site with HTTPS.You can bind your custom domain and upload your SSL for it.

Hope helps,
Shiroka

Reply Report

princegoyal1987 June 30, 2021

For me this is not the problem. Even {region}.digitaloceanspaces.com is a problem when I use cdn.

On Android 6 this is not an issue:
searchmytoy.sfo2.digitaloceanspaces.com

But this is:
searchmytoy.sfo2.cdn.digitaloceanspaces.com

Error message in the logs:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn’t match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]
Reply Report

Answer 2

princegoyal1987 June 30, 2021

For me this is not the problem. Even {region}.digitaloceanspaces.com is a problem when I use cdn.

On Android 6 this is not an issue:
searchmytoy.sfo2.digitaloceanspaces.com

But this is:
searchmytoy.sfo2.cdn.digitaloceanspaces.com

Error message in the logs:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn’t match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]
Reply Report

Answer 3

janbo87 April 27, 2020

Today, I faced the same problem. But I have never seen this issue before.

@Shiroka , it is not the bucket name problem. Problem appears when you try to load via CDN. For example:

https://{bucket}.{region}.cdn.digitaloceanspaces.com/

But once you remove “cdn” it works.

Reply Report

darrenfransella May 11, 2021

If you remove the “cdn” from the name, you are no longer taking advantage of the Edge servers on the CDN you are actually going to the Origin server, which negates the advantage of using the CDN.
Reply Report
- princegoyal1987 June 30, 2021
  
  Hello There, Did you find any solution to this? I am facing the same problem
  
  Reply Report
  
  darrenfransella June 30, 2021
  
  Yes I deleted and recreated my container renaming it to not have the extra . in it.
  
  Reply Report

Answer 4

darrenfransella May 11, 2021

If you remove the “cdn” from the name, you are no longer taking advantage of the Edge servers on the CDN you are actually going to the Origin server, which negates the advantage of using the CDN.
Reply Report
- princegoyal1987 June 30, 2021
  
  Hello There, Did you find any solution to this? I am facing the same problem
  
  Reply Report
  
  darrenfransella June 30, 2021
  
  Yes I deleted and recreated my container renaming it to not have the extra . in it.
  
  Reply Report

Answer 5

princegoyal1987 June 30, 2021

I am facing the same issue. There’s no “.” or “:” in the name. I have just the alphabets.

Here’s the error:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn't match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]

For me, the issue is with old Android device (Android 6).

Also note that if i remove “cdn” from the url everything works fine. That means"searchmytoy.sfo2.digitaloceanspaces.com" works fine.

Reply Report

darrenfransella June 30, 2021

By the look of that error, it looks like something is still pointing to or expecting responses from the Highwinds CDN not looking at Digital Ocean. you may want to check that all your URLs have been changed.
Reply Report

Answer 6

darrenfransella June 30, 2021

By the look of that error, it looks like something is still pointing to or expecting responses from the Highwinds CDN not looking at Digital Ocean. you may want to check that all your URLs have been changed.
Reply Report

Related

Question

Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

Origin URL:

Edge URL

Custom URL

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

Origin URL:

Edge URL

Custom URL

Related

Leave a comment

Related

question

How many subdomain can I have per droplet ? Especially if I buy 5$ droplet space?

question

Why does my droplet power off on its own yet it has been working well ever since?

question

Delete Space Bucket Immediately

question

Spaces API and S3 compatibility question

Looking for something else?