How can we add Let's Encrypt SSL support to our mapped domains?

Searching through the forums, there is a lot of information here and there about incorporating Let's Encrypt SSL support. Some of it touches on server configuration, some on cPanel, but almost all of it is pre-March 2018, a time when LE changed a lot and now offers wildcard support.

Can we have a formal, universal, up to date guide please on how to integrate Let's Encrypt with our Pro Sites? (If this already exists or is in progress can we get a link?)

Here is the scenario I need to cover, but I think this would be the case for all of us who are running a multisite with Pro Sites and WPMU Domain Mapping.

-- A user signs up for a site and gets a subdomain site to start building: clientsite.examplenetwork.com. At this point, LE supports wildcards, so here we should have SSL support immediately after sign up, automatically
(Question #1 is, how do we set this up?).

-- Client then finishes building site. Client has option to use Pro Sites and Domain Mapping to map their own TLD when ready - http://www.clientsite.com.
(Question #2: What steps can client take to make sure mapped domain is covered by SSL?)

Things really start to get confusing for me there in Step 2. I don't want to have to go into the server each time I set up a client site and manually add a vhost, as this is counterproductive to allowing the client to do this themselves when ready.

Is this possible? If so how would we configure this? If this is not possible, and I have to go in and create a vhost file, then what would those steps be?

A lot of the information in the earlier threads discusses cPanel. But many of us, like myself, are not using cPanel but using certbot via the command line, so it would be great if a guide / solution covered both.

Thanks!

References:
https://premium.wpmudev.org/forums/topic/mapped-domains-on-multisite-ssl-lets-encrypt

https://premium.wpmudev.org/forums/topic/worked-for-me-lets-encrypt-ssl-on-multisite-domains-mapped-to-sub-domains-using-domain-mapping

https://community.letsencrypt.org/t/wordpress-multisite-possible-to-configure-letsencrypt-without-separate-apache-files/51916/3

  • Fabio Fava

    Hey blue

    As far as I know (and I don't know much), SSL is more a server-side institution. So it's probably something your Hosting Provider should offer to you as their customer. Pretty much any modern Hosting Provider offers this on their cPanels or other Server Management Interface.

    Now with Let's Encrypt offering Wildcard SSL Certs (which will take some time to get implemented by all Hosting Providers), things will start to get very cool on this subject. Auto-Renew is also there!

    Hope it helps, cheers!

  • Huberson

    Hello blue
    An SSL certificate is something that must be configured on the server and can't be managed by Pro Sites or Domain Mapping. And it's as Fabio Fava said, this has to be provided by your hosting or DNS registrar.

    To answer your questions:

    -- A user signs up for a site and gets a subdomain site to start building: clientsite.examplenetwork.com. At this point, LE supports wildcards, so here we should have SSL support immediately after sign up, automatically
    (Question #1 is, how do we set this up?).

    You will need to set up a wildcard SSL for the network domain (*.examplenetwork.com) from your hosting server/DNS; that will automatically cover all sub-domains.
    You can have a look at this article for getting wildcard SSL for the multisite domain with certbot:
    https://www.codementor.io/slavko/generating-letsencrypt-wildcard-certificate-with-certbot-hts4aee8u

    -- Client then finishes building site. Client has option to use Pro Sites and Domain Mapping to map their own TLD when ready - http://www.clientsite.com.
    (Question #2: What steps can client take to make sure mapped domain is covered by SSL?)

    It's a completely different domain (www.clientsite.com) from your network domain (examplenetwork.com) and requires a separate SSL certificate. The client will have to set up SSL for his own domain from whichever party the domain was purchased from.

    Regarding setting up a vhost, that's not required. Pro Sites should take care of that. But for mapping the clients' domain in step 2, they will need to set up a wildcard DNS that points to your server IP address, and Domain Mapping will do the rest.
    More details on the mapping can be found in the Domain Mapping usage guide.

    Do let us know if you have more questions or more info needed on this.

    Regards,
    Huberson

  • blue

    Actually, I am "the hosting provider." I manage an Ubuntu server. As I mentioned in the ticket many people do not use cPanel. I am one of those people, and I can't switch gears now. I'm very comfortable managing LE SSL certificates in a normal environment via the command line. But Pro Sites with WPMU Domain Mapping is not a normal environment.

    My goal here is to rally those interested in this along with the WPMU team and we get together a comprehensive, if not official, set of instructions as to how to do this. In 2018, given the Let's Encrypt goals of 100% SSL coverage for the web and given the evolution of Google and other search engines giving preferences to SSL covered sites, it feels like this should be a natural part of the process of setting up a Pro Sites environment.

    In fact, I'd go so far to say that it already is implemented as part of WPMU core projects.

    I set up an edublogs site. From start to finish, edublogs has SSL encryption. When I was done, my subdomain, mysite.edublogs.com, automatically had SSL coverage (see the screenshot).

    So my question to the WPMU Dev team is, because edublogs is powered by the same technology we're using from WPMUDev, how do we set it up to be the same? I saw it mentioned a couple of times in the guide that Tyler Postle and the Dev team were putting together a guide (whether it's for LE or not). Am I correct in that, and if so, is that available to review or contribute to? On a side note, this feels like a good wiki project.

  • blue

    Ok, after MUCH research I've come up with Part 1 of getting this done, meaning: here is how to get wildcard Let's Encrypt certificates on your server. This is for a Linux command line interface, not Plesk / cPanel or any type of web interface (although afterwards I hope to put something like that together).

    If you're running Ubuntu, or really any flavor of Linux, and use the command line, this is for you. Also, this is for Apache 2.4, but the steps are almost identical for Nginx.

    Let's Encrypt certbot and certbot-auto are still being packaged for use with the various flavors of Linux, so at the time of this writing they cannot be used to get wildcards for your Linux server without jumping through a few hoops (although that will change very soon).

    There is a git project called acme.sh, however, that has been developed to very easily do this and automatically issue renewals. Here is a link to the project on GitHub:

    https://github.com/Neilpang/acme.sh

    The instructions there are pretty clear on how to do this, but here are my EXACT step-by-step instructions with command line output so you can see exactly what's happening. I did this for my domain name https://toursoft.co. You can do this from your command line, but you just need to change toursoft.co to YOUR domain name. You have to issue two commands to get this to work (after you download and install the script, of course. Follow the instructions on the GitHub page or ask me here. Remember, you will also need to create your DNS API credentials file before this. Again, it's in the GitHub instructions, but I'll try to flesh this out here later).

    sudo ./acme.sh --issue -d toursoft.co -d '*.toursoft.co' --apache --dns dns_cf

     ... command output ...
    [Mon Apr  9 20:15:11 UTC 2018] Checking if there is an error in the apache config file before starting.
    [Mon Apr  9 20:15:11 UTC 2018] OK
    [Mon Apr  9 20:15:11 UTC 2018] JFYI, Config file /etc/apache2/apache2.conf is backuped to /home/tbadmin/.acme.sh/apache2.conf
    [Mon Apr  9 20:15:11 UTC 2018] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Mon Apr  9 20:15:11 UTC 2018] The backup file will be deleted on success, just forget it.
    [Mon Apr  9 20:15:11 UTC 2018] Creating domain key
    [Mon Apr  9 20:15:12 UTC 2018] The domain key is here: /home/tbadmin/.acme.sh/toursoft.co/toursoft.co.key
    [Mon Apr  9 20:15:12 UTC 2018] Multi domain='DNS:toursoft.co,DNS:*.toursoft.co'
    [Mon Apr  9 20:15:12 UTC 2018] Getting domain auth token for each domain
    [Mon Apr  9 20:15:12 UTC 2018] Getting webroot for domain='toursoft.co'
    [Mon Apr  9 20:15:12 UTC 2018] Getting webroot for domain='*.toursoft.co'
    [Mon Apr  9 20:15:12 UTC 2018] Verifying:toursoft.co
    [Mon Apr  9 20:15:15 UTC 2018] Pending
    [Mon Apr  9 20:15:17 UTC 2018] Pending
    [Mon Apr  9 20:15:19 UTC 2018] Pending
    [Mon Apr  9 20:15:21 UTC 2018] Pending
    [Mon Apr  9 20:15:23 UTC 2018] Pending
    [Mon Apr  9 20:15:26 UTC 2018] Pending
    [Mon Apr  9 20:15:28 UTC 2018] Pending
    [Mon Apr  9 20:15:30 UTC 2018] Pending
    [Mon Apr  9 20:15:32 UTC 2018] Pending
    [Mon Apr  9 20:15:34 UTC 2018] Success
    [Mon Apr  9 20:15:34 UTC 2018] *.toursoft.co is already verified, skip dns-01.
    [Mon Apr  9 20:15:35 UTC 2018] Verify finished, start to sign.
    [Mon Apr  9 20:15:51 UTC 2018] Cert success.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    [Mon Apr  9 20:15:51 UTC 2018] Your cert is in  /home/tbadmin/.acme.sh/toursoft.co/toursoft.co.cer
    [Mon Apr  9 20:15:51 UTC 2018] Your cert key is in  /home/tbadmin/.acme.sh/toursoft.co/toursoft.co.key
    [Mon Apr  9 20:15:51 UTC 2018] The intermediate CA cert is in  /home/tbadmin/.acme.sh/toursoft.co/ca.cer
    [Mon Apr  9 20:15:51 UTC 2018] And the full chain certs is there:  /home/tbadmin/.acme.sh/toursoft.co/fullchain.cer

    Second command (specific to Apache; see the GitHub page for Nginx):

    sudo ./acme.sh --install-cert -d toursoft.co --cert-file /etc/letsencrypt/live/toursoft.co/cert.pem --key-file /etc/letsencrypt/live/toursoft.co/privkey.pem --fullchain-file /etc/letsencrypt/live/toursoft.co/fullchain.pem --reloadcmd "sudo service apache2 force-reload"
    [Wed Apr 11 23:17:21 UTC 2018] Installing cert to:/etc/letsencrypt/live/toursoft.co/cert.pem
    [Wed Apr 11 23:17:21 UTC 2018] Installing key to:/etc/letsencrypt/live/toursoft.co/privkey.pem
    [Wed Apr 11 23:17:21 UTC 2018] Installing full chain to:/etc/letsencrypt/live/toursoft.co/fullchain.pem
    [Wed Apr 11 23:17:21 UTC 2018] Run reload cmd: sudo service apache2 force-reload
    [Wed Apr 11 23:17:22 UTC 2018] Reload success

    After this, you'll need to update your apache2.conf file or your virtual host file to include the cert / key paths above.

    And that's it! You will then have all of your Pro Sites subdomains fully covered by SSL from Let's Encrypt! This thread will be a work in progress. I'm working with a couple developers to create a php script that hooks into domain mapping and issues a script automatically when someone maps their domain name. Stay tuned!
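The two answers in this thread (the wildcard covers every Pro Sites subdomain; a mapped domain such as www.clientsite.com needs its own certificate) both come down to how a certificate's SAN list matches hostnames. The following is an added example, not code from the thread, from acme.sh or from WPMU DEV: it parses the `Multi domain='DNS:...'` line that acme.sh printed above (constructed here from that output, not read from a real certificate) and applies the one-label wildcard rule, so you can check which names an issued certificate will actually cover before pointing sites at it.

```python
"""Check which hostnames a Let's Encrypt SAN list actually covers.

Added example. The SAN list is constructed from the 'Multi domain='
line acme.sh prints when issuing; nothing here talks to the network.
"""
import re

# Constructed from the acme.sh output quoted in the thread.
ACME_MULTI_DOMAIN_LINE = "Multi domain='DNS:toursoft.co,DNS:*.toursoft.co'"


def parse_san_list(line: str) -> list[str]:
    """Extract the DNS names from acme.sh's Multi domain='DNS:a,DNS:b' log line."""
    m = re.search(r"Multi domain='([^']*)'", line)
    if not m:
        raise ValueError("no Multi domain= field in line")
    names = []
    for entry in m.group(1).split(","):
        kind, _, value = entry.partition(":")
        if kind == "DNS" and value:
            names.append(value.lower().rstrip("."))
    return names


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: a wildcard stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    if san.startswith("*."):
        host_labels = host.split(".")
        san_labels = san.split(".")
        # '*.toursoft.co' matches clientsite.toursoft.co, but neither the apex
        # toursoft.co (hence the separate -d toursoft.co when issuing) nor a
        # deeper name like www.clientsite.toursoft.co.
        return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]
    return host == san


def covered_by(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def coverage_report(sans: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate covers it."""
    return {h: covered_by(sans, h) for h in hostnames}


if __name__ == "__main__":
    sans = parse_san_list(ACME_MULTI_DOMAIN_LINE)
    for host, ok in coverage_report(
        sans, ["toursoft.co", "clientsite.toursoft.co", "www.clientsite.com"]
    ).items():
        print(f"{host}: {'covered' if ok else 'NOT covered (needs its own cert)'}")
```

A mapped apex such as www.clientsite.com reports as not covered, which is the Step 2 gap the thread describes: it needs a certificate issued for that domain, not the network wildcard.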

  • wp.network

    blue +1 for collaboration :clap:

    To be clear, coding is not really my thing - so sadly, I probably can't help write the script.
    However, I can hopefully help with the effort in other ways :slight_smile:

    ...I also run my own server, however I use cPanel and acme.sh --> see this re cpanel_uapi

    Also, I use the WPMUDEV Domain Mapping plugin but do not use Pro Sites.
    (and, fwiw, I use wp-multi-network to run multiple networks)

    I am most interested in an integration with DM that will work with acme.sh at my cPanel server - it seems like the cPanel integration is a component/feature that could be an option and also an option for (apache?) with no control panel.

    So, wildcard certificates from LE are great! And actually, I'm also interested in the option to have the Domain Mapping integration allow user to make a wildcard certificate for their site.

    However, I'd happily settle for the ability to cover just their apex domain and specific subdomains (e.g. www, stage, dev). One big Q is whether the SAN certificate is issued per site, covering only its specific set of subdomains, or if it's worth a more complex arrangement to try to decrease the total number of certificates by increasing the number of names per SAN certificate (e.g. check back in an hour and your site should be live) by using some sort of queue and cron?
    (see: https://github.com/humanmade/Cavalcade)

    I can also point to this awesome little plugin from a WPMUDEV member, both because of its cPanel integration and just to show how it integrated with DM:
    https://hostmijnpagina.nl/hmp/plugins/autoparkdomain.zip
    https://premium.wpmudev.org/forums/topic/new-unofficial-plugin-domain-mapping-autopark-in-cpanel

    ...for not using a control panel approach, I will also mention that I've heard a lot of good things about ServerPilot's API for this use... I just haven't found anyone who has already solved this and is willing to share source code - which is cool, I'm not hatin' :slight_smile:

    I'm just really interested in having a solution, I'm not really coder enough to build it all by myself, and I happen to like the idea of a solution that will be openly accessible to folks running multisite networks, not least because ubiquitous https adoption is just generally important for the interwebs. (perhaps the project can be hosted at github?)

    Let me know how your efforts have gone, where you think work needs to be done... if you're still aiming at this. Cheers, Max

    also, if you like, you can send me your email via https://premium.wpmudev.org/pro/max-fein/
