Question

Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

It is impossible to get a working SSL with Spaces.

Origin URL:

When creating a new Space on DigitalOcean and going to the given origin URL, both Firefox and Chrome warn that the SSL certificate is invalid.

The given error is:

This server could not prove that it is subdomain.domain.tld.ams3.digitaloceanspaces.com; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Edge URL

When enabling the CDN, and going to the given edge URL, another error is given (still, both Firefox and Chrome):

This server could not prove that it is subdomain.domain.tld.ams3.cdn.digitaloceanspaces.com; its security certificate is from *.ssl.hwcdn.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Custom URL

Finally, by using an automatic DO Let’s Encrypt certificate, and going to our custom URL subdomain.domain.tld, the same error arises:

This server could not prove that it is subdomain.domain.tld; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

What is weird is that the first error is contradictory - the given wildcard certificate should be just fine for our origin URL. We are in the FRA1 region, and working with a .cloud TLD.


I have this problem too. Thankfully the subdomain CDN works, but geez, if we can't use "." in the bucket name...

DON’T LET US CREATE A SPACE WITH THAT NAME! :facepalm:



I just lost a few hours with this issue, because I used a “dot” in the name.

The user interface should at least warn about this issue when creating a Space!

I am facing the same issue. There's no "." or ":" in the name. I have just letters.

Here’s the error:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn't match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]

For me, the issue is with old Android device (Android 6).

Also note that if I remove "cdn" from the URL everything works fine. That means "searchmytoy.sfo2.digitaloceanspaces.com" works fine.

Today, I faced the same problem. But I have never seen this issue before.

@Shiroka, it is not a bucket-name problem. The problem appears when you try to load via the CDN. For example:

https://{bucket}.{region}.cdn.digitaloceanspaces.com/

But once you remove “cdn” it works.

Hi @FlorianErnst,

Actually, DigitalOcean only provides a managed certificate with subdomains for *.{region}.digitaloceanspaces.com; it does not include *.*.{region}.digitaloceanspaces.com. You can set your bucket name as a-b.{region}.digitaloceanspaces.com, but not a.b.{region}.digitaloceanspaces.com. That means when you are using a.b.{region}.digitaloceanspaces.com as your default bucket domain, you can't access the site with HTTPS. You can bind your custom domain and upload your SSL certificate for it.

Hope this helps, Shiroka
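The one-label rule Shiroka describes is the same check that produced every error message quoted in this thread: a TLS client matches the requested hostname against the certificate's subjectAltName dNSName entries label by label, and a wildcard stands in for exactly one label, so *.ams3.digitaloceanspaces.com covers a-b.ams3.digitaloceanspaces.com but not a.b.ams3.digitaloceanspaces.com. The following is an added example, not code from DigitalOcean or from anyone in this thread; it implements that RFC 6125-style matching and runs it over the hostname/SAN pairs quoted in the error messages above (the pairs are constructed from those messages, and the exact-name and case/trailing-dot cases are extra inputs assumed for illustration).

```python
"""
RFC 6125-style hostname matching, as browsers and Java's SSLException do it.

Added example for this thread (not DigitalOcean code). It shows why a
wildcard such as *.ams3.digitaloceanspaces.com covers a-b.ams3.... but not
a.b.ams3...., and why a certificate whose only names are *.ssl.hwcdn.net and
ssl.hwcdn.net cannot cover any host under cdn.digitaloceanspaces.com at all.
"""
from typing import Iterable


def _labels(name: str) -> list:
    # Case-insensitive comparison, ignoring a trailing dot, one label at a time.
    return name.lower().rstrip(".").split(".")


def _pattern_covers(pattern: str, hostname: str) -> bool:
    """True if one dNSName pattern from the certificate covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard replaces exactly one label, so the label counts must agree.
    # This single rule is what rejects subdomain.domain.tld.ams3.... against
    # *.ams3.digitaloceanspaces.com (7 labels vs 4).
    if len(p) != len(h):
        return False
    if "*" in pattern:
        # Only a bare "*" as the leftmost label is accepted (no "f*o"), and a
        # wildcard directly under a TLD (*.com) is refused.
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any subjectAltName dNSName in the certificate covers hostname."""
    return any(_pattern_covers(n, hostname) for n in san_dns_names)


def explain(hostname: str, san_dns_names: Iterable[str]) -> str:
    """Verdict phrased like the browser message quoted in this thread."""
    names = list(san_dns_names)
    if hostname_matches(hostname, names):
        return f"OK: {hostname} is covered by {', '.join(names)}"
    return (f"MISMATCH: server could not prove it is {hostname}; "
            f"its certificate is for {', '.join(names)}")


# Constructed cases: the SAN lists are the ones quoted in the error messages
# above; the hostnames are the ones the posters tried to reach.
CASES = [
    ("subdomain.domain.tld.ams3.digitaloceanspaces.com", ["*.ams3.digitaloceanspaces.com"]),
    ("a-b.ams3.digitaloceanspaces.com", ["*.ams3.digitaloceanspaces.com"]),
    ("a.b.ams3.digitaloceanspaces.com", ["*.ams3.digitaloceanspaces.com"]),
    ("searchmytoy.sfo2.cdn.digitaloceanspaces.com", ["*.ssl.hwcdn.net", "ssl.hwcdn.net"]),
    ("subdomain.domain.tld", ["*.ams3.digitaloceanspaces.com"]),
]

if __name__ == "__main__":
    for host, sans in CASES:
        print(explain(host, sans))
```

Note that this only decides whether the names the server presented cover the host; it cannot tell you why the server chose that certificate. To see exactly which names a given endpoint hands to your client, run `openssl s_client -servername HOST -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` and compare the printed dNSNames against the URL you are requesting.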