Question

Replacing SSL certificate for Spaces CDN

I’m using the bring-my-own-certificate feature of the Spaces CDN. The certificate currently installed expires soon, so I have generated a replacement for it. I have installed the new certificate under Account -> Security, and it shows up there just fine.

When I go to choose the new certificate under the Spaces CDN settings, I simply get “Server Error”.

After some back-and-forth with DigitalOcean Support, the answer they gave me is that they don’t support having two certificates with the same hostname. The solution they say is to wait until the old certificate totally expires, then delete it and add my new certificate, and configure the CDN with it.

This is an unacceptable solution to me, as this creates at least a few minutes of downtime. It is also unnecessarily risky… should something go wrong with the new certificate, I can’t just keep using the old one while I work out the problem.

I’m assuming that the support rep is incorrect. Otherwise, everyone using this feature would have to have some downtime whenever they need to update their certificate. Surely this system wasn’t designed this way, and there’s some other way to update the certificate.

Has anyone else run into this problem and/or solved it?



Accepted Answer

The latest from support:

Thank you for contacting DigitalOcean Support. While I do agree with you that supporting multiple certificates on a single hostname would be ideal, it is unfortunately not implemented yet. Please keep in mind the platform is still fairly new and is constantly being updated. We can forward this feature request to our engineering teams for you.

Looks like this isn’t possible for now.


It works for me. I use the “Bring your own cert” feature - things may be different if you use DO for your certificates.

1. Log in.
2. Click Settings.
3. Add a certificate.

In the dialog that pops up, remember that the Certificate Name you’re entering is NOT the Common Name of the certificate (i.e. your domain or subdomain). It’s a “friendly name” that allows you to identify the cert in DO’s control panel. DO will read the CN field from your cert.

I usually name my certificates something like ssl-mydomaindotcom-2020-01-01 where 2020-01-01 is the date I created the cert. I use Let’s Encrypt, but I manually generate the certs using certbot… but since it’s an LE cert, I know it expires three months from the date I generate it, which is why I include the date somewhere in the name.

Are you generating your certificates through DO, or generating them somewhere else and uploading them?

I don’t have any problems with my Spaces. Before my current Let’s Encrypt cert expires, I generate a new one, add it to my DO account, and tell the system to use the new one, instead of the old one. Later, when it’s safe to do so, I remove the old one from my account.
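
The question's concern is that a faulty replacement certificate leaves no fallback, so the new certificate can be checked locally before it is uploaded and selected for the CDN. This is an added example, not code from the thread or from DigitalOcean; it uses standard openssl commands, the hostname `cdn.example.com`, the file paths and the function names are constructed, and `friendly_name` follows the naming style described in the answer above.

```shell
#!/bin/sh
# Added example: checks to run on a replacement certificate before it is
# uploaded and selected for the CDN. Hostname and file paths are constructed.

# preflight_cert CERT KEY HOST MIN_DAYS -> 0 if safe to switch, 1 otherwise
preflight_cert() {
    cert=$1; key=$2; host=$3; min_days=$4
    # The certificate must cover the CDN hostname (SAN, else CN).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL: $cert does not cover $host"; return 1
    fi
    # It must still be valid MIN_DAYS from now (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"; return 1
    fi
    # The private key must belong to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi
    echo "OK: $cert"
}

# friendly_name DOMAIN [YYYY-MM-DD] -> control-panel name in the answer's style
friendly_name() {
    printf 'ssl-%s-%s\n' "$(printf '%s' "$1" | sed 's/\./dot/g')" "${2:-$(date +%F)}"
}

# make_sample CERT KEY HOST DAYS: throwaway self-signed pair (constructed input)
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$4" -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3" -keyout "$2" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/new.crt" "$tmp/new.key" cdn.example.com 90
preflight_cert "$tmp/new.crt" "$tmp/new.key" cdn.example.com 30 \
    && echo "upload as: $(friendly_name cdn.example.com)"
```

With real files, pass the leaf certificate and private key you intend to upload and the custom domain configured on the CDN; keep the old certificate in the account until the new one is confirmed to be serving.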

If keeping the custom certificates updated is still relevant, I have built this solution: https://github.com/thelebster/do-cert-renew.