Need an explainer for ssl cert on spaces (one that won't make my head hurt).

Posted May 10, 2021 349 views
DigitalOcean Spaces

I am baffled about how to create an ssl cert on one of my servers but use it on the subdomain for spaces. If I create a DNS entry for so Certbot can find it and issue an SSL cert. By definition, I am defining that my server’s IP is responsible to respond for that URL. How can I then copy that cert to the Spaces API and expect that it will now be responding for that subdomain? Would I not need to change my DNS to have a CNAME for the subdomain to point to CDN URL? If I do that how will I be able to then have Certbot find the original server to update my ssl cert after 90 days. I am befuddled. I anyone can explain this to me I would greatly appreciate it.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

Hi there,

It would indeed work as you described it, but if you do it that way, you would need to manually reissue the certificate every 90 days and again manually add the updated certificate to your account.

What you could do instead is to use the SSL automation provided by DigitalOcean. For that you would need the following:

  • You need to have your Domain name added to your DigitalOcean account
  • You would need to be using the DigitalOcean nameservers.
  • Then after that, as you mentioned, add a CNAME record for the subdomain name you want to use and point it to your Space.
  • Then go to Settings -> Security -> Click on Add Certificate and choose your domain name followed by the subdomain that you will use for your space and click on generate.

That way you will not have to worry about manually issuing and updating your SSL certificate every 90 days.

In case that you need it, you can find the documentation here.

Let me know if you have any questions.

  • The bring your own certificate is not really an option if you use Let’s encrypt. You would have an outage of the service every time you had to point the domain back to the original box to update the cert. Even on an annual cert it would be downtime.

    Moving DNS is not an option since we just moved it to a DO partner CloudFlare for their services. The reason I was trying to use a custom domain name was due to SSL errors on the CDN. Turns out it was due to me using a name with a “.” in it. This caused the url to look like a sub-sub domain and broke the cert. I have since created a new bucket without the period and SSL is working fine.

    Thanks for your response I’m sure it will be helpful for the next person who runs into this.

    Much Appreciated.