Digitalocean CDN, custom domain and Cloudflare SSL

Hey!
We use DigitalOcean Spaces with CDN enabled to keep static files, and we decided to try a custom domain. To do that, I created an Origin SSL certificate in my Cloudflare Dashboard and uploaded it to DO. Then I just applied it to the CDN’s custom domain. I also created a CNAME record: cdn.my.domain → DO’s Edge URL.
So far it looks good, but:
While I can reach my files under the new name via HTTP, HTTPS doesn’t work and I see this error:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I have tried to:

  1. add the Cloudflare Origin CA root certificate to DO;
  2. enable SSL Full (strict);
  3. check the cert and key with openssl (they are valid).

Nothing works.
Has anyone seen such an error? Any ideas what might be wrong?

Looks like a similar discussion here, Cloudflare trying to use SSLv3?

If you disable TLS 1.3 does the error persist?

I can disable TLS 1.3 only globally in Cloudflare (no such options in DO Spaces). I will try.

Added:
Well, yes, same with 1.2:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
   CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

According to DO’s support:
"The reason that you are getting this error is due to a policy by Cloudflare. They do not allow 3rd-level domains to work with their free SSL certificates. So if you created main.example.com it would work without issue. But the moment you add another level to the domain - cdn.main.example.com - it will not work. The only way to get it to work is to purchase a dedicated SSL from Cloudflare."
Can someone confirm that?

This is the case – Cloudflare doesn’t allow “deep” subdomains for non-paid customers.


I see… Is that feature available on “20/mo” plan? Or maybe it can be bought separately?

With the $10/month ACM (Advanced Certificate Manager), you can manually add deep hostnames to a certificate.

https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager


Thanks for all your help! I have just created a new custom domain like cdn.example.com and everything works!


To clarify, this is because it would require, literally, unlimited certificates to do this. *.*.example.com isn’t a possible hostname that can be added to a certificate; it’s simply not accepted by anyone.

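Added example, not code from this thread or from Cloudflare or DigitalOcean: a small Python check of the hostname-matching rule the answer above relies on. Per RFC 6125 (and every browser), a wildcard in a certificate name is honoured only as the whole left-most label and matches exactly one label, so a name like *.example.com covers cdn.example.com but never cdn.main.example.com. The SAN list below is constructed to mimic the apex-plus-wildcard pair a universal certificate typically carries; function names and the zone-depth helper are mine.

```python
"""Does a certificate's Subject Alternative Names cover a given hostname?

Implements the RFC 6125 wildcard rule (one wildcard, whole left-most label,
matches exactly one DNS label) so you can see why a third-level name such as
cdn.main.example.com falls outside a *.example.com certificate.
Stand-alone example; the SAN list is constructed, not fetched from anywhere.
"""
from __future__ import annotations

from typing import Iterable

# Constructed SAN list in the apex + single-label-wildcard shape that a
# universal/free certificate is usually issued with (assumption for the demo).
UNIVERSAL_SSL_SANS = ["example.com", "*.example.com"]


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels; names are case-insensitive, trailing dot optional."""
    return name.lower().rstrip(".").split(".")


def pattern_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry (possibly a wildcard) matches hostname.

    Rules applied, as browsers apply them:
      * a literal name must match label for label;
      * a wildcard is honoured only as the entire left-most label ("*.example.com");
      * the wildcard matches exactly one label (never zero, never several);
      * a wildcard directly at the TLD ("*.com") is refused.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # "cdn.*.example.com" or "c*n.example.com" are not accepted
    if len(p) < 3:
        return False  # "*.com" would cover every domain under the TLD
    return len(h) == len(p) and h[1:] == p[1:]


def hostname_covered(hostname: str, san_names: Iterable[str]) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(pattern_matches(pattern, hostname) for pattern in san_names)


def wildcard_needed(hostname: str) -> str:
    """Narrowest wildcard pattern that would cover hostname (e.g. what a paid
    certificate would have to carry for a deeper name)."""
    labels = _labels(hostname)
    return "*." + ".".join(labels[1:])


def depth_below_zone(hostname: str, zone: str) -> int:
    """Number of labels hostname sits below zone: cdn.example.com is 1 deep,
    cdn.main.example.com is 2 deep (the case the support reply calls '3rd level')."""
    h, z = _labels(hostname), _labels(zone)
    if len(h) < len(z) or h[-len(z):] != z:
        raise ValueError(f"{hostname} is not inside zone {zone}")
    return len(h) - len(z)


def explain(hostname: str, san_names: Iterable[str], zone: str) -> str:
    """Human-readable verdict for one hostname against one SAN list."""
    san_names = list(san_names)
    depth = depth_below_zone(hostname, zone)
    if hostname_covered(hostname, san_names):
        return f"{hostname}: covered (depth {depth} below {zone}) by {san_names}"
    return (f"{hostname}: NOT covered (depth {depth} below {zone}); "
            f"a certificate would need {wildcard_needed(hostname)} or the exact name")


if __name__ == "__main__":
    for host in ("cdn.example.com", "cdn.main.example.com", "example.com"):
        print(explain(host, UNIVERSAL_SSL_SANS, "example.com"))
```

Running the block prints one verdict per constructed hostname: cdn.example.com is covered, cdn.main.example.com is not (it would need *.main.example.com or the exact name), and the apex is covered by its literal entry. The same check is what a TLS client performs after the handshake; the server in this thread never got that far because Cloudflare's edge had no certificate to present for the deeper name at all, which surfaces as the handshake-failure alert rather than a name-mismatch error.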
