Question
Digitalocean CDN, custom domain and Cloudflare SSL
Hey! We use Digitalocean’s spaces with enabled CDN to keep static files. And we decided to try a custom domain. To do that, I have created an Origin SSL certificate in my Cloudflare Dashboard and loaded it to the DO. Then I just applied it to CDN’s custom domain. Also, I have created a CNAME record: cdn.my.domain -> DO’s Edge URL. So far looks good, but: While I can reach my files with new name via HTTP, HTTPS doesn’t work and I see that error:
- ALPN, offering h2
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS alert, handshake failure (552):
- error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
- Closing connection 0 curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
I have tried to:
- add Cloudflare Origin CA root certificate to DO;
- enable SSL Full (strict).
- checked cert and key with openssl, they are valid. Nothing works. Have anyone seen such an error? Any ideas what might be wrong?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.
OK, looks like Cloudflare doesn’t allow “deep” subdomains for non-paid customers. That was the issue. Something like https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager can help in that situation.