Question

Replacing SSL certificate for Spaces CDN

I’m using the bring-my-own-certificate feature of the Spaces CDN. The certificate currently installed expires soon, so I have generated a replacement for it. I have installed the new certificate under Account -> Security, and it shows up there just fine.

When I go to choose the new certificate under the Spaces CDN settings, I simply get “Server Error”.

After some back-and-forth with DigitalOcean Support, the answer they gave me is that they don’t support having two certificates with the same hostname. The solution they offer is to wait until the old certificate totally expires, then delete it, add my new certificate, and configure the CDN with it.

This is an unacceptable solution to me, as this creates at least a few minutes of downtime. It is also unnecessarily risky… should something go wrong with the new certificate, I can’t just keep using the old one while I work out the problem.

I’m assuming that the support rep is incorrect. Otherwise, everyone using this feature would have to have some downtime whenever they need to update their certificate. Surely this system wasn’t designed this way, and there’s some other way to update the certificate.

Has anyone else run into this problem and/or solved it?


Accepted Answer

The latest from support:

Thank you for contacting DigitalOcean Support. While I do agree with you that supporting multiple certificates on a single hostname would be ideal it is unfortunately not implemented yet. Please keep in mind the platform is still fairly new and is constantly being updated. We can forward this feature request to our engineering teams for you.

Looks like this isn’t possible for now.

It works for me. I use the “Bring your own cert” feature - things may be different if you use DO for your certificates.

Log in.

Click Settings.

Add a certificate.

In the dialog that pops up, remember that the Certificate Name you’re entering is NOT the Common Name of the certificate (i.e. your domain or subdomain). It’s a “friendly name” that allows you to identify the cert in DO’s control panel. DO will read the CN field from your cert.

I usually name my certificates something like ssl-mydomaindotcom-2020-01-01 where 2020-01-01 is the date I created the cert. I use Let’s Encrypt, but I manually generate the certs using certbot… but since it’s an LE cert, I know it expires three months from the date I generate it, which is why I include the date somewhere in the name.

Are you generating your certificates through DO, or generating them somewhere else and uploading them?

I don’t have any problems with my Spaces. Before my current Let’s Encrypt cert expires, I generate a new one, add it to my DO account, and tell the system to use the new one, instead of the old one. Later, when it’s safe to do so, I remove the old one from my account.

If keeping the custom certificates updated is still relevant, I have built this solution: https://github.com/thelebster/do-cert-renew.