Question

How to get CDN to serve my SSL certificate instead of the default DigitalOcean cert?

Hi!

My Spaces CDN isn’t working because it is being served from the CDN with an SSL certificate for *.sfo3.digitaloceanspaces.com instead of with my certificate, *.mysub.mydomain.com. How do I fix this?

Here’s how I set it up:

  • I added a CNAME record in my DNS (managed within DO) for myhost.mysub.mydomain.com, pointing to my bucket, mybucket.sfo3.digitaloceanspaces.com. DNS is working fine — myhost.mysub.mydomain.com resolves to the right IP address.
  • I created a certificate via DO and LetsEncrypt for myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for *.mysub.mydomain.com, with the same results.)
  • In the settings for my bucket, I enabled CDN using the custom subdomain and the certificate for myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for *.mysub.mydomain.com, with the same results.)
  • When I attempt to GET an object from the bucket, it gets served with a certificate for *.sfo3.digitaloceanspaces.com instead of with my certificate, so the GET fails:
% curl -v [https://myhost.mysub.mydomain.com/myobjectpath](https://myhost.mysub.mydomain.com/myobjectpath) 
* Trying [123.45.67.89:443](https://123.45.67.89/)... 
* Connected to myhost.mysub.mydomain.com (123.45.67.89) port 443 (#0) 
* ALPN: offers h2 * ALPN: offers http/1.1 
* CAfile: /etc/ssl/cert.pem * CApath: none
* (304) (OUT), TLS handshake, Client hello (1): 
* (304) (IN), TLS handshake, Server hello (2): 
* (304) (IN), TLS handshake, Unknown (8): 
* (304) (IN), TLS handshake, Certificate (11): 
* (304) (IN), TLS handshake, CERT verify (15): 
* (304) (IN), TLS handshake, Finished (20): 
* (304) (OUT), TLS handshake, Finished (20): 
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 
* ALPN: server accepted h2 
* Server certificate:
*  subject: C=US; ST=New York; L=New York; O=DigitalOcean, LLC; CN=*.sfo3.digitaloceanspaces.com 
*  start date: Dec 9 00:00:00 2022 GMT 
*  expire date: Jan 2 23:59:59 2024 GMT 
*  subjectAltName does not match myhost.mysub.mydomain.com 
* SSL: no alternative certificate subject name matches target host name '[myhost.mysub.mydomain.com](http://myhost.mysub.mydomain.com/)' 
* Closing connection 0 
curl: (60) SSL: no alternative certificate subject name matches target host name '[myhost.mysub.mydomain.com](http://myhost.mysub.mydomain.com/)'
More details here: [https://curl.se/docs/sslcerts.html](https://curl.se/docs/sslcerts.html)

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What am I doing wrong? What can I do to make it work?

Submit an answer
Answer a question...

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Richard KasperowskiMarch 9, 2023

… and here’s the answer:

My myhost.mysub.mydomain.com CNAME record is supposed to point to the CDN endpoint’s hostname, which is like mybucket.sfo3.cdn.digitaloceanspaces.com. After I did that, it just worked. :-)