Question

How to get CDN to serve my SSL certificate instead of the default DigitalOcean cert?

Hi!

My Spaces CDN isn’t working because it is being served from the CDN with an SSL certificate for *.sfo3.digitaloceanspaces.com instead of with my certificate, *.mysub.mydomain.com. How do I fix this?

Here’s how I set it up:

  • I added a CNAME record in my DNS (managed within DO) for myhost.mysub.mydomain.com, pointing to my bucket, mybucket.sfo3.digitaloceanspaces.com. DNS is working fine — myhost.mysub.mydomain.com resolves to the right IP address.
  • I created a certificate via DO and LetsEncrypt for myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for *.mysub.mydomain.com, with the same results.)
  • In the settings for my bucket, I enabled CDN using the custom subdomain and the certificate for myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for *.mysub.mydomain.com, with the same results.)
  • When I attempt to GET an object from the bucket, it gets served with a certificate for *.sfo3.digitaloceanspaces.com instead of with my certificate, so the GET fails:
```
% curl -v https://myhost.mysub.mydomain.com/myobjectpath
*   Trying 123.45.67.89:443...
* Connected to myhost.mysub.mydomain.com (123.45.67.89) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=New York; L=New York; O=DigitalOcean, LLC; CN=*.sfo3.digitaloceanspaces.com
*  start date: Dec 9 00:00:00 2022 GMT
*  expire date: Jan 2 23:59:59 2024 GMT
*  subjectAltName does not match myhost.mysub.mydomain.com
* SSL: no alternative certificate subject name matches target host name 'myhost.mysub.mydomain.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'myhost.mysub.mydomain.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

What am I doing wrong? What can I do to make it work?



… and here’s the answer:

My myhost.mysub.mydomain.com CNAME record is supposed to point to the CDN endpoint’s hostname, which is like mybucket.sfo3.cdn.digitaloceanspaces.com. After I did that, it just worked. :-)
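The failure above and the fix in the answer come down to two checks: which endpoint the CNAME lands on (the origin `<bucket>.<region>.digitaloceanspaces.com` serves DigitalOcean's wildcard certificate, the CDN endpoint `<bucket>.<region>.cdn.digitaloceanspaces.com` serves the certificate attached in the bucket's CDN settings), and whether the names in the presented certificate actually cover the custom hostname. The script below is an added example, not code from the question, the answer or DigitalOcean; the hostnames are the hypothetical ones used in the thread, and the endpoint regex assumes a single-label bucket name. `fetch_sans` connects with SNI and verifies the chain but not the hostname, so it can show the wrong certificate instead of aborting the way `curl` does; run offline it uses constructed inputs that reproduce the question's misconfiguration.

```python
import re
import socket
import ssl

# Assumed shape of Spaces endpoints (hypothetical bucket/region names in the tests):
#   origin: <bucket>.<region>.digitaloceanspaces.com
#   CDN:    <bucket>.<region>.cdn.digitaloceanspaces.com
ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9-]+)\.(?P<region>[a-z0-9]+)\.(?P<cdn>cdn\.)?digitaloceanspaces\.com\.?$"
)


def classify_cname(target: str) -> str:
    """Return 'cdn', 'origin' or 'unknown' for the value of a CNAME record."""
    m = ENDPOINT.match(target.strip().lower())
    if not m:
        return "unknown"
    return "cdn" if m.group("cdn") else "origin"


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a '*' covers exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # At least two fixed labels must follow the wildcard (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(host: str, sans: list) -> bool:
    """True when any DNS SAN in the presented certificate covers the host."""
    return any(_name_matches(san, host) for san in sans)


def fetch_sans(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Live check: connect with SNI=host, verify the chain against system CAs
    but skip hostname verification so the served certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(host: str, cname_target: str, sans: list) -> tuple:
    """Combine the CNAME target and the certificate names into a status and explanation."""
    kind = classify_cname(cname_target)
    if cert_matches_host(host, sans):
        return "ok", "the served certificate covers %s" % host
    if kind == "origin":
        return ("origin-cname",
                "the CNAME points at the origin endpoint, which serves DigitalOcean's "
                "wildcard certificate; point it at the CDN endpoint (the name containing '.cdn.')")
    if kind == "cdn":
        return ("cdn-cert-mismatch",
                "the CNAME reaches the CDN endpoint but the certificate attached to it "
                "does not cover %s; check the certificate selected in the CDN settings" % host)
    return "unknown-target", "the CNAME target is not a Spaces endpoint"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python check_cdn.py <custom-host> <cname-target>
        host, cname_target = sys.argv[1], sys.argv[2]
        sans = fetch_sans(host)
    else:
        # Constructed inputs reproducing the failing setup in the question.
        host = "myhost.mysub.mydomain.com"
        cname_target = "mybucket.sfo3.digitaloceanspaces.com"
        sans = ["*.sfo3.digitaloceanspaces.com", "sfo3.digitaloceanspaces.com"]
    status, why = diagnose(host, cname_target, sans)
    print("%s: %s (%s)" % (host, status, why))
```

The matcher deliberately refuses to let `*.mydomain.com` cover `myhost.mysub.mydomain.com`, which is why a wildcard issued one level too high also fails even once the CNAME is correct.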
