Question

Digitalocean CDN, custom domain and Cloudflare SSL

Posted August 3, 2021 178 views
CDN

Hey!
We use Digitalocean’s spaces with enabled CDN to keep static files. And we decided to try a custom domain. To do that, I have created an Origin SSL certificate in my Cloudflare Dashboard and loaded it to the DO. Then I just applied it to CDN’s custom domain. Also, I have created a CNAME record: cdn.my.domain -> DO’s Edge URL.
So far looks good, but:
While I can reach my files with new name via HTTP, HTTPS doesn’t work and I see that error:

  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS alert, handshake failure (552):
  • error:14094410:SSL routines:ssl3readbytes:sslv3 alert handshake failure
  • Closing connection 0 curl: (35) error:14094410:SSL routines:ssl3readbytes:sslv3 alert handshake failure

I have tried to:

  1. add Cloudflare Origin CA root certificate to DO;
  2. enable SSL Full (strict).
  3. checked cert and key with openssl, they are valid. Nothing works. Have anyone seen such an error? Any ideas what might be wrong?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer

OK, looks like Cloudflare doesn’t allow “deep” subdomains for non-paid customers. That was the issue.
Something like https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager can help in that situation.