Question
Digital Ocean SSL certificate is invalid for origin or edge or custom Spaces endpoint URLs
- Posted April 5, 2020
- DigitalOcean Spaces
It is impossible to get a working SSL with Spaces.
Origin URL:
When creating a new Spaces on Digital Ocean and going to the given origin URL, both Firefox and Chrome warns that the SSL certificate is invalid.
The given error is:
This server could not prove that it is subdomain.domain.tld.ams3.digitaloceanspaces.com; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Edge URL
When enabling the CDN, and going to the given edge URL, another error is given (still, both Firefox and Chrome):
This server could not prove that it is subdomain.domain.tld.ams3.cdn.digitaloceanspaces.com; its security certificate is from *.ssl.hwcdn.net. This may be caused by a misconfiguration or an attacker intercepting your connection.
Custom URL
Finally, by using an automatic DO Let’s Encrypt certificate, and going to our custom URL subdomain.domain.tld, the same error arises:
This server could not prove that it is subdomain.domain.tld; its security certificate is from *.ams3.digitaloceanspaces.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
What is weird is that the first error is contradictory - the given wildcard certificate should be just fine for our origin URL. We are on FRA1 region, and working with a .cloud TLD.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
I just lost a few hours with this issue, because I used a “dot” in the name.
The user interface should at least warn about this issue where creating a space!
I am facing the same issue. There’s no “.” or “:” in the name. I have just the alphabets.
Here’s the error:
javax.net.ssl.SSLException: Certificate for <searchmytoy.sfo2.cdn.digitaloceanspaces.com> doesn't match any of the subject alternative names: [*.ssl.hwcdn.net, ssl.hwcdn.net]
For me, the issue is with old Android device (Android 6).
Also note that if i remove “cdn” from the url everything works fine. That means"searchmytoy.sfo2.digitaloceanspaces.com" works fine.
Today, I faced the same problem. But I have never seen this issue before.
@Shiroka , it is not the bucket name problem. Problem appears when you try to load via CDN. For example:
https://{bucket}.{region}.cdn.digitaloceanspaces.com/
But once you remove “cdn” it works.
Hi @FlorianErnst ,
Actually,DigitalOcean only provide managed certificate with subdomains for *.{region}.digitaloceanspaces.com, doesn’t include *.*.{region}.digitaloceanspaces.com.You can set you bucket name as a-b.{region}.digitaloceanspaces.com while not a.b.{region}.digitaloceanspaces.com.Thats mean,when you are using a.b.{region}.digitaloceanspaces.com as your default bucket domain,you can’t access site with HTTPS.You can bind your custom domain and upload your SSL for it.
Hope helps, Shiroka
I have this problem too, thankfully the subdomain cdn works, but gees, if we can’t use
.in the bucket name.DON’T LET US CREATE A SPACE WITH THAT NAME! :facepalm: