Domain mapping sub site coming back with insecure warnings

Hello, I am using domain mapping on a multisite. I have an SSL certificate on the main site and am forcing https. I have the green padlock all clear on the main site, and on the sub site too when it is mapped as the original sub directory sub site. After mapping the domain with its own domain name, I first forced https, but then when I visited the site using its new domain name, I got the SSL security warnings saying the SSL security for the main site can't be used for this sub site. I then went back to the sub site dashboard, deleted the mapped domain and started over, mapping it again, this time without forcing https. I am still getting the SSL security warnings.
What is my next step to resolve this? Incidentally, when the mapped domain showed up under mapped domains after selecting no https, it still shows as https. See screenshot.

  • Leslie

    Hello again, I fixed my problem but still need clarification. I went into the database and changed all the https to http only for the mapped domain. I left the original domain as https as I have a valid SSL certificate for the multisite. OK, so now what happens when a user buys an SSL certificate for their new mapped domain on my network? They will probably need to notify me so I can go into the database and do the same thing I just did for their sub site, except reverse it: change the http to https. Does that seem correct? The reason I want to know is that I would like to give instructions to users on the admin dash about if they would like an SSL certificate etc.: they need to let me know so I can change the URLs in the database.

  • Adam Czajczyk

    Hello Leslie,

    I hope you're well today and thank you for your question!

    The reason that you were getting the "insecure" warning for mapped domains is that you're most likely using a wild-card SSL certificate for your main domain and it's not a multi-domain certificate. You would need a multi-domain SSL certificate in order to handle your main site, sub-domains of the original domain and mapped domains at once.

    As for SSL certs that users buy: most hosting providers do not support multiple SSL certificates on the very same IP. One option here is to use a multi-domain SSL certificate; however, there's a downside: you would need to get it re-issued and re-installed every time a new domain is added.

    Another option may be to go with SNI (Server Name Indication), which would allow you to use multiple certificates on the same IP, but again, that's not supported by all hosting providers, and I'd suggest getting in touch with your hosting tech staff and asking them whether they provide a way to use multiple SSL certs on the same account/IP.

    Best regards,
    Adam

  • Adam Czajczyk

    Hello Leslie!

    Thanks for your response. So if I purchase a multi-domain ssl certificate, it would cover everyone and I wouldn't have to worry about my host supporting multiple ssl certificates on the same ip?

    Yes and no. Yes, because it will work for both your original domain and for the mapped domain. No, because it will only work for those domains that you indicated during certificate purchase. Therefore:

    If I purchase the multi-domain certificate, I would simply check force https on the domain mapping plugin and it would automatically work without having to mess with the database?

    Yes, for all the domains you include in that certificate, this should work. For example:

    - main site is "domain.com"
    - subsite A is "suba.domain.com" -> mapped "suba.org"
    - subsite B is "subb.domain.com" -> mapped "subb.org"
    - subsite C is "subc.domain.com" -> mapped "subc.org"

    The cert (that's to be specified during purchase) should then cover wild-card domain.com + suba.org + subb.org + subc.org. Such a certificate should work here, I think.

    Yet, assuming the certificate is already purchased and implemented and all these domains are SSL protected, then if you add

    - subsite D at "subd.domain.com" -> mapped "subd.org"

    then "subd.domain.com" will be protected but "subd.org" will not, because the "subd.org" domain was not included in the certificate.

    Some certificate providers allow you to buy a certificate e.g. valid for a year for 100 domains where you specify e.g. 10 domains at start and then are able to add more domains during certificate validity period. Such a certificate is then issued again and you need to upload it to your server. Some certificate providers however do not allow this and require additional payments for adding any new domains.

    In my previous post I also suggested checking whether your hosting provider supports SNI. This would allow you to install multiple "regular" (not multi-domain) certificates on the very same IP, so e.g. your current certificate would cover your main site and its sub-domains and then, if necessary, you could add additional certs for mapped domains (e.g. charging the end-user additionally). This however depends solely on what your hosting provider is capable of providing you with.

    Best regards,
    Adam
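The coverage rule Adam describes (wild-card plus listed mapped domains, and SNI with several single certificates) can be checked offline; this is an added example, not part of the thread or of the Domain Mapping plugin. The function names are hypothetical, the SAN lists are constructed from the domains in the post, and the apex "domain.com" is assumed to be listed separately because a wild-card entry does not match it.

```python
def san_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 style):
    '*' is honoured only as the entire left-most label and stands for
    exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # '*.domain.com' matches neither 'domain.com' nor 'a.b.domain.com'
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' is never accepted
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(san_list, host):
    """True if any name on the certificate covers the host."""
    return any(san_matches(name, host) for name in san_list)


def select_certificate(cert_store, server_name):
    """Model of SNI: the server picks the certificate whose names cover
    the hostname the browser asked for. Returns its label or None."""
    for label, san_list in cert_store.items():
        if covered(san_list, server_name):
            return label
    return None


# Constructed sample: the multi-domain certificate from the post.
MULTI_DOMAIN_CERT = ["domain.com", "*.domain.com",
                     "suba.org", "subb.org", "subc.org"]

# Constructed sample: SNI setup with one extra single-domain certificate.
SNI_STORE = {
    "network-wildcard": ["domain.com", "*.domain.com"],
    "suba.org-single": ["suba.org"],
}

if __name__ == "__main__":
    for host in ["domain.com", "subd.domain.com", "suba.org", "subd.org"]:
        state = "covered" if covered(MULTI_DOMAIN_CERT, host) else "NOT covered (browser warning)"
        print(f"{host:18} {state}")
    for host in ["subc.domain.com", "suba.org", "subb.org"]:
        print(f"SNI {host:18} -> {select_certificate(SNI_STORE, host)}")
```
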

  • Leslie

    Thanks for the detailed response. Does your answer change at all if I am using subdirectories (example.com/username), not sub domains as in your examples above? It seems so complex to add more domains as they come in etc. I am checking with my host provider about multi certs for one IP address. So in that scenario, my users would buy their own certificate or I would buy it for them, give me the key, and I add it to my IP address and then go into the database and change the URL to reflect the new https status. No way to automate it with the plugin, correct? Or do I just check mark force https on the dash of the individual sub site and not go into the database, or maybe both: force and make sure it's changed in the database? Thanks, just want to clarify all the choices in my mind.

  • Leslie

    Just got this info from WP Engine, my new host, about dedicated IP and SNI. What do you think?

    At WP Engine, we use a technology called Virtual hosting; Virtual hosting ensures that the correct site is served based on the domain name being requested, even if the IP address the site points to hosts multiple domain names. Because of our use of Virtual hosting, there is no need for a dedicated IP address on your site.

    WP Engine does support SNI. While it is true that much older browsers do not support SNI, SSL for those browsers is no longer supported by WP Engine and many other hosting providers due to the POODLE vulnerability. Because SSL is not supported by those browsers, a dedicated IP is not required to have SSL function appropriately on all supported browsers. There are also no technical reasons why a dedicated IP would be required for an Extended Validation (EV) SSL certificate.

    For the plugin this will connect to the server IP, so not having a dedicated IP shouldn't be an issue when it comes to this either.

    If you have any additional questions or concerns please let us know!

    Thanks and have a great day,

  • Adam Czajczyk

    Hello Leslie!

    Does your answer at all change if I am using subdirectories example.com/username not sub domain as in your examples above

    This doesn't make much difference here. In case you didn't use a mapped domain, you wouldn't even need a wild-card certificate for a sub-folder based setup, as a sub-folder based setup could be handled with the simplest standard SSL certificate.

    For a sub-domain setup with no mapped (additional) domain, the wild-card certificate is needed, but that's a scenario also quite common and there are plenty of certificates available on the market for this.

    However, regardless of whether your setup is sub-domain or sub-folder based, mapped domains make a difference.

    That said, I think that reply from WP Engine, as far as I understand it, gives you a "green light". As they claim they support the necessary technology, I think you should be good to go, meaning that you should be able to use either a multi-domain SSL certificate or just add additional single certificates for your mapped domains "on the go".

    I'd agree with them that the plugin should handle this well. Actually, the thing is that the plugin (Domain Mapping) doesn't have much to do with SSL certificates and it doesn't "care" how the certification is implemented as long as the server is handling it. SSL certificates are implemented on server level and the only thing Domain Mapping may be doing would be to "force" traffic from "http://" to "https://". Yet, the "secure/not secure" warning is purely a "browser <--> server" connection thing.

    Having said all that, I think you're good to go with multiple single domain (standard) certificates. Most likely however, you will want to ask your host for some more details on how to add them to your server.

    Best regards,
    Adam
