Question
How to get CDN to serve my SSL certificate instead of the default DigitalOcean cert?
- Posted on March 5, 2023
- CDNDigitalOcean Spaces
Asked by Richard Kasperowski
Hi!
My Spaces CDN isn’t working because it is being served from the CDN with an SSL certificate for *.sfo3.digitaloceanspaces.com instead of with my certificate, *.mysub.mydomain.com. How do I fix this?
Here’s how I set it up:
- I added a CNAME record in my DNS (managed within DO) for
myhost.mysub.mydomain.com, pointing to my bucket,mybucket.sfo3.digitaloceanspaces.com. DNS is working fine —myhost.mysub.mydomain.comresolves to the right IP address. - I created a certificate via DO and LetsEncrypt for
myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for*.mysub.mydomain.com, with the same results.) - In the settings for my bucket, I enabled CDN using the custom subdomain and the certificate for
myhost.mysub.mydomain.com. (Note that I’ve also tried this with a certificate for*.mysub.mydomain.com, with the same results.) - When I attempt to GET an object from the bucket, it gets served with a certificate for
*.sfo3.digitaloceanspaces.cominstead of with my certificate, so the GET fails:
% curl -v [https://myhost.mysub.mydomain.com/myobjectpath](https://myhost.mysub.mydomain.com/myobjectpath)
* Trying [123.45.67.89:443](https://123.45.67.89/)...
* Connected to myhost.mysub.mydomain.com (123.45.67.89) port 443 (#0)
* ALPN: offers h2 * ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem * CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=New York; L=New York; O=DigitalOcean, LLC; CN=*.sfo3.digitaloceanspaces.com
* start date: Dec 9 00:00:00 2022 GMT
* expire date: Jan 2 23:59:59 2024 GMT
* subjectAltName does not match myhost.mysub.mydomain.com
* SSL: no alternative certificate subject name matches target host name '[myhost.mysub.mydomain.com](http://myhost.mysub.mydomain.com/)'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name '[myhost.mysub.mydomain.com](http://myhost.mysub.mydomain.com/)'
More details here: [https://curl.se/docs/sslcerts.html](https://curl.se/docs/sslcerts.html)
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
What am I doing wrong? What can I do to make it work?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.
Get started for free
Enter your email to get $200 in credit for your first 60 days with DigitalOcean.
New accounts only. By submitting your email you agree to our Privacy Policy.
… and here’s the answer:
My
myhost.mysub.mydomain.comCNAME record is supposed to point to the CDN endpoint’s hostname, which is likemybucket.sfo3.cdn.digitaloceanspaces.com. After I did that, it just worked. :-)