Sometimes its the obvious stuff that trips you up. That’s what happened to me when I decided to move my personal website (this one) to an S3 bucket hosted by Linode Object Storage (cert were difficult to maintain). The site worked fine, but every time I tried to set my SSL certificates for the bucket, I got a cryptic error:

Certificate is not valid for the bucket name. Verify the bucket name is covered by the SANs and/or CN.

This error nearly drove me mad. I was using the certbot application from LetsEncrypt, and I struck my head against this problem for nearly six hours over the course of four days.

Finally, in a moment of clarity, I noticed in the Linode documentation it said the bucket must be labelled after your fully qualified domain name.

TL;DR

Your S3 bucket MUST be named after the domain from which you wish to serve your static site.

Side Note

Linode maintains their own certificate for their object storage instance, so targetting the core url ([bucket].website-[cluster].linodeobjects.com) with certbot will fail. Just stick to one domain name.