Question

Replacing SSL certificate for Spaces CDN

I’m using the bring-my-own-certificate feature of the Spaces CDN. The certificate currently installed expires soon, so I have generated a replacement for it. I have installed the new certificate under Account -> Security, and it shows up there just fine.

When I go to choose the new certificate under the Spaces CDN settings, I simply get “Server Error”.

After some back-and-forth with DigitalOcean Support, the answer they gave me is that they don’t support having two certificates with the same hostname. The solution they say is to wait until the old certificate totally expires, then delete it and add my new certificate, and configure the CDN with it.

This is an unacceptable solution to me, as this creates at least a few minutes of downtime. It is also unnecessarily risky… should something go wrong with the new certificate, I can’t just keep using the old one while I work out the problem.

I’m assuming that the support rep is incorrect. Otherwise, everyone using this feature would have to have some downtime whenever they need to update their certificate. Surely this system wasn’t designed this way, and there’s some other way to update the certificate.

Has anyone else run into this problem and/or solved it?



Accepted Answer

The latest from support:

Thank you for contacting DigitalOcean Support. While I do agree with you that supporting multiple certificates on a single hostname would be ideal, it is unfortunately not implemented yet. Please keep in mind the platform is still fairly new and is constantly being updated. We can forward this feature request to our engineering teams for you.

Looks like this isn’t possible for now.

It works for me. I use the “Bring your own cert” feature - things may be different if you use DO for your certificates.

Log in.

Click Settings.

Add a certificate.

In the dialog that pops up, remember that the Certificate Name you’re entering is NOT the Common Name of the certificate (i.e. your domain or subdomain). It’s a “friendly name” that allows you to identify the cert in DO’s control panel. DO will read the CN field from your cert.

I usually name my certificates something like ssl-mydomaindotcom-2020-01-01 where 2020-01-01 is the date I created the cert. I use Let’s Encrypt, but I manually generate the certs using certbot… but since it’s an LE cert, I know it expires three months from the date I generate it, which is why I include the date somewhere in the name.

Are you generating your certificates through DO, or generating them somewhere else and uploading them?

I don’t have any problems with my Spaces. Before my current Let’s Encrypt cert expires, I generate a new one, add it to my DO account, and tell the system to use the new one, instead of the old one. Later, when it’s safe to do so, I remove the old one from my account.
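
The question raises the risk of something being wrong with the new certificate at switch-over time. As an added example (not part of any post above and not DigitalOcean tooling), this script checks a replacement certificate locally with `openssl` before it is uploaded and selected for the CDN. The function names, the hostname `cdn.example.com` and the self-signed sample certificate are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: local pre-flight checks on a replacement certificate.
# Function names and sample values are illustrative, not from the thread.

# preflight_cert CERT KEY HOSTNAME MIN_DAYS
# Returns 0 if all checks pass, otherwise a code identifying the failed check.
preflight_cert() {
    local cert=$1 key=$2 host=$3 min_days=$4 cert_pub key_pub

    # 1. The file must parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a readable certificate" >&2; return 1; }

    # 2. The private key must belong to this certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate" >&2; return 2; }

    # 3. The certificate must cover the CDN hostname.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match certificate" \
        || { echo "FAIL: certificate does not cover $host" >&2; return 3; }

    # 4. It must remain valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $min_days days" >&2; return 4; }

    echo "OK: $cert covers $host, key matches, valid for more than $min_days days"
}

# Constructed sample input: a self-signed certificate standing in for a real one.
# make_sample_cert DIR NAME HOSTNAME DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$4" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    local dir rc=0
    dir=$(mktemp -d)
    make_sample_cert "$dir" new cdn.example.com 90
    preflight_cert "$dir/new.crt" "$dir/new.key" cdn.example.com 30 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run "./preflight.sh demo" to try it against the constructed certificate.
if [ "${1:-}" = "demo" ]; then demo; fi
```

These checks cover only what can be verified offline; they do not validate the chain to a public CA or how the CDN will serve the certificate.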
