Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How many subdomain can I have per droplet ? Especially if I buy 5$ droplet space? Question Question
Why does my droplet power off on its own yet it has been working well ever since? Question Question

Question

Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

Posted April 5, 2020 3.1k views
DigitalOcean Spaces

It is impossible to get a working SSL with Spaces.

Origin URL:

When creating a new Spaces on Digital Ocean and going to the given origin URL, both Firefox and Chrome warns that the SSL certificate is invalid.

The given error is:

This server could not prove that it is subdomain.domain.tld.ams3.digitaloceanspaces.com; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Edge URL

When enabling the CDN, and going to the given edge URL, another error is given (still, both Firefox and Chrome):

This server could not prove that it is subdomain.domain.tld.ams3.cdn.digitaloceanspaces.com; its security certificate is from *.ssl.hwcdn.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Custom URL

Finally, by using an automatic DO Let’s Encrypt certificate, and going to our custom URL subdomain.domain.tld, the same error arises:

This server could not prove that it is subdomain.domain.tld; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

What is weird is that the first error is contradictory - the given wildcard certificate should be just fine for our origin URL. We are on FRA1 region, and working with a .cloud TLD.

Add a comment
FlorianErnst
By:
FlorianErnst

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How many subdomain can I have per droplet ? Especially if I buy 5$ droplet space? Question Question
Why does my droplet power off on its own yet it has been working well ever since? Question Question
Add a comment
1 comment
  • chrisjenx April 29, 2020
    Reply Report

    I have this problem too, thankfully the subdomain cdn works, but gees, if we can’t use . in the bucket name.

    DON’T LET US CREATE A SPACE WITH THAT NAME! :facepalm:

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
3 answers
Shiroka April 5, 2020

Hi @FlorianErnst ,

Actually,DigitalOcean only provide managed certificate with subdomains for *.{region}.digitaloceanspaces.com, doesn’t include *.*.{region}.digitaloceanspaces.com.You can set you bucket name as a-b.{region}.digitaloceanspaces.com while not a.b.{region}.digitaloceanspaces.com.Thats mean,when you are using a.b.{region}.digitaloceanspaces.com as your default bucket domain,you can’t access site with HTTPS.You can bind your custom domain and upload your SSL for it.

Hope helps,
Shiroka

Reply Report
  • princegoyal1987 June 30, 2021

    For me this is not the problem. Even {region}.digitaloceanspaces.com is a problem when I use cdn.

    On Android 6 this is not an issue:
    searchmytoy.sfo2.digitaloceanspaces.com

    But this is:
    searchmytoy.sfo2.cdn.digitaloceanspaces.com

    Error message in the logs:

    javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn’t match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]

    Reply Report
janbo87 April 27, 2020

Today, I faced the same problem. But I have never seen this issue before.

@Shiroka , it is not the bucket name problem. Problem appears when you try to load via CDN. For example:

https://{bucket}.{region}.cdn.digitaloceanspaces.com/

But once you remove “cdn” it works.

Reply Report
princegoyal1987 June 30, 2021

I am facing the same issue. There’s no “.” or “:” in the name. I have just the alphabets.

Here’s the error:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn't match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]

For me, the issue is with old Android device (Android 6).

Also note that if i remove “cdn” from the url everything works fine. That means"searchmytoy.sfo2.digitaloceanspaces.com" works fine.

Reply Report
  • darrenfransella June 30, 2021

    By the look of that error, it looks like something is still pointing to or expecting responses from the Highwinds CDN not looking at Digital Ocean. you may want to check that all your URLs have been changed.

    Reply Report

Related

Looking for something else?

Ask a new question Search for more help