Question

Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs

Posted April 5, 2020 2.6k views
DigitalOcean Spaces

It is impossible to get a working SSL with Spaces.

Origin URL:

When creating a new Space on Digital Ocean and going to the given origin URL, both Firefox and Chrome warn that the SSL certificate is invalid.

The given error is:

This server could not prove that it is subdomain.domain.tld.ams3.digitaloceanspaces.com; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Edge URL

When enabling the CDN, and going to the given edge URL, another error is given (still, both Firefox and Chrome):

This server could not prove that it is subdomain.domain.tld.ams3.cdn.digitaloceanspaces.com; its security certificate is from *.ssl.hwcdn.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Custom URL

Finally, by using an automatic DO Let’s Encrypt certificate, and going to our custom URL subdomain.domain.tld, the same error arises:

This server could not prove that it is subdomain.domain.tld; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

What is weird is that the first error is contradictory - the given wildcard certificate should be just fine for our origin URL. We are on FRA1 region, and working with a .cloud TLD.

1 comment
  • I have this problem too, thankfully the subdomain cdn works, but geez, if we can’t use . in the bucket name.

    DON’T LET US CREATE A SPACE WITH THAT NAME! :facepalm:

3 answers

Hi @FlorianErnst ,

Actually, DigitalOcean only provides a managed certificate for subdomains of the form *.{region}.digitaloceanspaces.com; it doesn’t cover *.*.{region}.digitaloceanspaces.com. You can set your bucket name as a-b.{region}.digitaloceanspaces.com but not a.b.{region}.digitaloceanspaces.com. That means when you are using a.b.{region}.digitaloceanspaces.com as your default bucket domain, you can’t access the site with HTTPS. You can bind your custom domain and upload your own SSL certificate for it.

Hope this helps,
Shiroka

  • For me this is not the problem. Even {region}.digitaloceanspaces.com is a problem when I use cdn.

    On Android 6 this is not an issue:
    searchmytoy.sfo2.digitaloceanspaces.com

    But this is:
    searchmytoy.sfo2.cdn.digitaloceanspaces.com

    Error message in the logs:

    javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn’t match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]
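Shiroka’s rule above (a managed wildcard covers exactly one label, so a bucket name containing “.” falls outside it) and the Android SAN error in the comment are both consequences of how TLS hostname matching works. The Python below is an added example, not code from DigitalOcean or from anyone in this thread: it implements the RFC 6125 single-label wildcard matching that browsers and Android apply and checks the hostnames quoted in this thread against the certificate names from the error messages.

```python
"""RFC 6125-style DNS-ID matching, to show why the Spaces hostnames in this
thread are rejected. Stand-alone; no network access, no real certificates."""
from typing import List, Optional


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if `hostname` is covered by the DNS subjectAltName `san`.

    Rules applied (RFC 6125 section 6.4.3, as enforced by browsers/Android):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard may appear only as the whole leftmost label
      * a wildcard matches exactly ONE label, never "a.b"
      * the wildcard must leave at least two literal labels ("*.com" is invalid)
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = san.lower().rstrip(".").split(".")
    if any("*" in label for label in pat_labels):
        # Only a bare "*" as the leftmost label is accepted as a wildcard.
        if pat_labels[0] != "*" or any("*" in l for l in pat_labels[1:]):
            return False
        if len(pat_labels) < 3:
            return False
    if len(host_labels) != len(pat_labels):
        return False  # the wildcard never absorbs extra labels
    return all(p == "*" or p == h for p, h in zip(pat_labels, host_labels))


def find_matching_san(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the first SAN that covers `hostname`, or None (= TLS error)."""
    for san in sans:
        if hostname_matches_san(hostname, san):
            return san
    return None


if __name__ == "__main__":
    # Hostnames and SAN lists are the ones quoted in the thread above.
    cases = [
        ("subdomain.domain.tld.ams3.digitaloceanspaces.com", ["*.ams3.digitaloceanspaces.com"]),
        ("a-b.ams3.digitaloceanspaces.com", ["*.ams3.digitaloceanspaces.com"]),
        ("searchmytoy.sfo2.digitaloceanspaces.com", ["*.sfo2.digitaloceanspaces.com"]),
        ("searchmytoy.sfo2.cdn.digitaloceanspaces.com", ["*.ssl.hwcdn.net", "ssl.hwcdn.net"]),
    ]
    for host, sans in cases:
        match = find_matching_san(host, sans)
        print(f"{host}: {'OK via ' + match if match else 'NO MATCH -> certificate error'}")
```

Only the bucket whose name contains no dots, and is fetched without the cdn label, lands on a SAN; the two failing lines reproduce exactly the browser and Android errors quoted in this thread.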

Today, I faced the same problem. But I have never seen this issue before.

@Shiroka, it is not the bucket name problem. The problem appears when you try to load via the CDN. For example:

https://{bucket}.{region}.cdn.digitaloceanspaces.com/

But once you remove “cdn” it works.

I am facing the same issue. There’s no “.” or “:” in the name. I have just letters.

Here’s the error:

javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn't match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]

For me, the issue is with old Android device (Android 6).

Also note that if I remove “cdn” from the URL everything works fine. That means “searchmytoy.sfo2.digitaloceanspaces.com” works fine.

  • By the look of that error, it looks like something is still pointing to or expecting responses from the Highwinds CDN, not looking at Digital Ocean. You may want to check that all your URLs have been changed.