Question

Replacing SSL certificate for Spaces CDN

Posted September 23, 2019 1.3k views
DigitalOcean

I’m using the bring-my-own-certificate feature of the Spaces CDN. The certificate currently installed expires soon, so I have generated a replacement for it. I have installed the new certificate under Account -> Security, and it shows up there just fine.

When I go to choose the new certificate under the Spaces CDN settings, I simply get “Server Error”.

After some back-and-forth with DigitalOcean Support, the answer they gave me is that they don’t support having two certificates with the same hostname. The solution they say is to wait until the old certificate totally expires, then delete it and add my new certificate, and configure the CDN with it.

This is an unacceptable solution to me, as this creates at least a few minutes of downtime. It is also unnecessarily risky… should something go wrong with the new certificate, I can’t just keep using the old one while I work out the problem.

I’m assuming that the support rep is incorrect. Otherwise, everyone using this feature would have to have some downtime whenever they need to update their certificate. Surely this system wasn’t designed this way, and there’s some other way to update the certificate.

Has anyone else run into this problem and/or solved it?

4 answers

The latest from support:

Thank you for contacting DigitalOcean Support. While I do agree with you that supporting multiple certificates on a single hostname would be ideal, it is unfortunately not implemented yet. Please keep in mind the platform is still fairly new and is constantly being updated. We can forward this feature request to our engineering teams for you.

Looks like this isn’t possible for now.

If keeping the custom certificates updated is still relevant, I have built this solution: https://github.com/thelebster/do-cert-renew.

I don’t have any problems with my Spaces. Before my current Let’s Encrypt cert expires, I generate a new one, add it to my DO account, and tell the system to use the new one, instead of the old one. Later, when it’s safe to do so, I remove the old one from my account.

  • Until I remove the old cert, I can switch between the two freely.

  • I don’t see how. When I try to add an updated cert, I get “Name must be unique” when trying to enter the domain name unless I remove the old one first, thus interrupting service.

    As BradIsbell reported, multiple certificates (e.g. newer and older) for the same domain aren’t supported.

This answer has been marked as resolved by steve141358.