AutoSSL & Domain Mapping

We are using AutoSSL with cPanel (powered by Comodo). A couple of questions:

1. What are the right settings for "force https in login and admin pages"
2. Do we need a wildcard SSL

Thanks, Dan

  • viobru

    Hi, realdude!

    Hope you’re doing great today :slight_smile:

    1. What are the right settings for "force https in login and admin pages"
    You should force https in login and admin pages ONLY if you have an SSL certificate installed on ALL of them. As long as the SSL cert is installed correctly, then you can force SSL on all the original domains.

    If you don’t plan to install the SSL on all of them, then it might be easier to set this option to "No", so no forcing of any kind happens, and to use this plugin instead to force this on a per site basis: https://wordpress.org/plugins/wordpress-https/

    Just keep in mind, if using this other plugin, to set the domain mapping forcing options to "No", otherwise you will likely get redirect errors.

    2. Do we need a wildcard SSL
    You will need to have a wildcard SSL certificate on the main domain (multisite) if subsites (subdomains) need to have HTTPS, i.e., if you want to have HTTPS enabled on subsites too.

    Apart from that, please note that the different domains used for mapping the subsites will require their own SSL certificate because the main domain wildcard will NOT cover them.

    Hope this helps! :slight_smile:

    Kind regards,

    Violeta

  • wp.network

    realdude viobru for wildcards at cPanel, acme.sh works well. See https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

    (note: from at least the current LTS version, cPanel auto-enables OCSP stapling, so with acme.sh you can use --ocsp-must-staple (and ymmv, also maybe use --ecc); see https://github.com/Neilpang/acme.sh/wiki/Options-and-Params)

    also see https://documentation.cpanel.net/display/CKB/The+SSL+Installation+and+Precedence+Logic
    https://documentation.cpanel.net/display/EA4/Modify+Apache+Virtual+Hosts+with+Include+Files

    also ymmv: once your wildcard cert is installed and everything is tested and working, here are a few handy tools I use:

    - in .htaccess, above the #WordPress block you should be able to copy-paste this

    ### BEGIN ENABLE CORS on images
    # Only add the CORS header when a real Origin header (one containing "scheme:") is present
    <IfModule mod_setenvif.c>
      <IfModule mod_headers.c>
        <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
          SetEnvIf Origin ":" IS_CORS
          Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
      </IfModule>
    </IfModule>
    ### END ENABLE CORS on images
    
    ### BEGIN FONT/CSS CORS FIX
    # Fonts and CSS loaded by one subsite from another (sub)domain need this header
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css)$">
      <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
      </IfModule>
    </FilesMatch>
    ### END FONT/CSS CORS FIX
    
    ### BEGIN HTTPS Catch-All
    # Everything rewrite-related sits inside the IfModule so a server without mod_rewrite
    # does not fail with a 500 on "RewriteEngine On"
    <IfModule rewrite_module>
      RewriteEngine On
      RewriteBase /
      # Behind a TLS-terminating proxy, uncomment the next two lines so that requests
      # that are already https (per X-Forwarded-Proto) skip the redirect rule below
      #RewriteCond %{HTTP:X-Forwarded-Proto} https [NC]
      #RewriteRule ^ - [S=1]
      # Plain-http requests (port 80) get a permanent redirect to the same host/path over https
      RewriteCond %{SERVER_PORT} 80
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(?:.*)\ HTTP/ [NC]
      RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>
    ### END HTTPS Catch-All

    (assuming some things, eg. htaccess above), then to address the new subsite scheme, you can copy-paste this into an mu-plugin file

    <?php
    /**
     * Fixes SITEURL and HOME scheme
     * if server is properly configured, expected result always https scheme in SITEURL and HOME
     * @see https://www.lyquidity.com/devblog/?p=427
     **/
    // Basic security, prevents file from being loaded directly.
    defined( 'ABSPATH' ) or die( 'Cheatin’ uh?' );
    
    function max_fix_home_option($option)
    {
    	// If the option starts with 'http' (http: or https:), strip the scheme
    	// and keep the '//host/path' part
    	if (strpos($option, 'http') === 0)
    	{
    		$pos = strpos($option, ':');
    		$option = substr($option, $pos + 1);
    	}
    
    	// Then prepend 'http:' or 'https:' to match the scheme of the current request
    	// (same $_SERVER['HTTPS'] test WordPress' is_ssl() starts with; a TLS-terminating
    	// proxy must set $_SERVER['HTTPS'] for this to report https)
    	$option = (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === "off" ? "http:" : "https:") . $option;
    	return $option;
    }
    
    add_filter('option_home', 'max_fix_home_option');
    add_filter('option_siteurl', 'max_fix_home_option');

    Also, fwiw, I've been thinking that I'm going to make a cPanel integration plugin for the wpmudev Domain Mapping plugin to create/delete addon domains upon domain map actions, with the goal of using AutoSSL for mapped domains... will try to update here when I get it working if you're interested :slight_smile:

    Cheers, Max

    • wp.network

      Caveat re. above: if your cPanel primary domain is the same as your WP network primary site domain, then there is a problem with AutoSSL when you install a wildcard certificate for first-level subdomains... this is because cPanel has a feature to automatically install the 'best available certificate' upon new addon creation, and since by default addons are made so that their vhost is essentially like

      ServerName addon.cpanelprimary.tld
      Alias addon.tld ...

      then the wildcard certificate gets installed because it matches the ServerName value... but then AutoSSL won't issue a new certificate to cover the addon domain because it won't uninstall/replace the valid, non-AutoSSL wildcard certificate... after the wildcard certificate is uninstalled from the addon vhost, AutoSSL will run as expected... there are workarounds to allow AutoSSL to succeed automatically (not needing a manual touch) for addon domains: best is probably to just create addon domains using at least second-level subdomains, eg. basically like
      addon.tld$X.cpanelprimary.tld
      (where $X is replaced by some value you chose)

      this is also useful for testing results of cPanel/apache sorting logic: check
      # httpd -S
      really though, there can be a bit more to it and this stuff should be carefully planned, after plenty of time reading the documentation (eg. http://httpd.apache.org/docs/2.4/vhosts/details.html) - if anyone has Qs I'm happy to help if I have the time, otherwise normal rates apply :wink:
      Cheers, Max
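The wildcard-coverage rule that both Violeta's answer (a wildcard does not cover mapped domains) and Max's caveat (a second-level addon name is not matched by the wildcard, so AutoSSL has to issue its own certificate) rely on, as an added example that is not part of the thread: a POSIX sh function implementing the one-label wildcard match that browsers apply, run over constructed hostnames (cpanelprimary.tld, mapped.tld and the SAN list are placeholders).

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether one certificate name
# (a SAN entry such as "*.cpanelprimary.tld") covers a hostname, using the
# one-label wildcard rule of RFC 6125: "*.example.tld" matches "sub.example.tld"
# but neither "example.tld" nor "a.b.example.tld". Hostnames are constructed.

# san_covers NAME HOST -> exit status 0 if NAME covers HOST, 1 otherwise
san_covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        '*.'*)
            suffix=${name#\*.}                  # text after the "*."
            case "$host" in
                *".$suffix")
                    label=${host%".$suffix"}    # what the "*" would stand for
                    case "$label" in
                        ''|*.*) return 1 ;;     # empty or spans a dot: no match
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$name" = "$host" ] ;;            # non-wildcard names match exactly
    esac
}

# covered_by HOST NAME... -> prints the first NAME covering HOST, or "none"
covered_by() {
    host=$1; shift
    for name in "$@"; do
        if san_covers "$name" "$host"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# The thread's three cases against a wildcard cert for the network's main domain:
# a subsite (covered), a second-level addon name (not covered, so AutoSSL must
# issue its own cert) and a mapped domain (never covered by the wildcard).
for h in blog.cpanelprimary.tld addon.tldx.cpanelprimary.tld mapped.tld; do
    printf '%-32s -> %s\n' "$h" "$(covered_by "$h" '*.cpanelprimary.tld' cpanelprimary.tld)"
done
```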
