How to setup SSL for Mapped Domains

So I have a WP multi-site install setup on:

churchwebsitepress.org

We will be selling subsites to churches and of course want to allow them to setup a custom domain. We have all that setup and working.

The rub comes in where I want to plan for the future and allow them to be able to have an SSL certificate setup for each custom domain name.

Our hosting provider (SiteGround) is saying they won’t be able to support this. That each domain name with SSL will require a separate hosting account which obviously won’t work with WPMS.

Do you know of some hosting providers that do support the ability to setup WPMS with SSL enabled sub-sites?

Thanks!

  • wp.network
    • The Bug Hunter

    @pmsteil

    EuroVPS offers managed services, and can setup SNI no problems :slight_smile:

    MediaTemple (& many other hosts) offer SNI support on their VPS plans.

    SiteGround can do SNI also, but only on a dedicated server…

    That said, I am currently running tivism.com on a GoGeek plan at SG and have successfully used CloudFlare to run all subsites ( 1 | 2 | 3 ) with HTTPS (I do have a validated Wildcard SSL for tivism.com to secure admin, have been experimenting elsewhere with only self-signed certs).

    I am still testing the tivism network, but things are generally looking good (including a https mirror cdn also running through CF).

    If you’d like, I may be able to help you get set up at SG, or at least give you a few specific tips :slight_smile:

    use the contact form at

    https://premium.wpmudev.org/pro/max-fein/

    Cheers, Max

  • pmsteil
    • Site Builder, Child of Zeus

    Hey Max, thanks for your reply!

    Wait, are you saying that on SG you have WP multi-site setup on:

    https://tivism.com

    and then you have random domain names pointing to your wpms sub-sites like:

    domain1.com

    mydomain.com

    etc.com

    And you have these all working with SSL and without having to have them setup in the SG cpanel?

    Thx…

  • wp.network
    • The Bug Hunter

    And you have these all working with SSL and without having to have them setup in the SG cpanel?

    No. This requires manual setup for mapped domain/subsites.

    There is potential to automate portions of this (https://support.cloudflare.com/hc/en-us/articles/200169356-How-do-I-use-WordPress-Multi-Site-WPMU-With-CloudFlare-) but I have not gone there yet… since my networks are generally ‘closed’ rather than ‘open’ – meaning I only setup sites for paying clients, no open registration of free sites this isn't such a big deal and though it's fiddly, it is also harder to break :slight_smile:

    I have set up each site on the network to use four unique subdomains of tstatic.info to serve static resources in parallel (like the bunny picture on the pages now) and this step def. requires some manual set up.

    If you are looking for a totally ‘hands-off’ approach I think you’ll end up needing some custom development work done :slight_smile:

    That said, the important part is that mapped domains are served via https :slight_smile:

    https://tivism.net

    https://tivism.org

    https://wpmsnetwork.com

    https://wpmscloud.com

    etc.

    Part of the reason I use the original network address for admin/login is to enable use of CF page rules for aggressive caching of mapped domains.

    Also, fyi, it is possible to be using the CF Railgun in this setup: just turn on CF Free via the cpanel and activate Railgun, then deactivate and setup through CF directly :slight_smile:

    Also, to be sure, you are setting up the mapped domains as addons via cPanel in order to use/control SG varnish cache & memcached per subsite, yes?

    Hope this is helpful :slight_smile:

    Kind Regards, Max

  • pmsteil
    • Site Builder, Child of Zeus

    Max, very helpful!

    I am currently testing with CF to see if I can get the SSL part taken care of.

    I hadn’t thought about having to register the domains in SG to take advantage of their caching… hmm, that is a big point… thank you! I guess we may have to add them in cpanel manually…

    BTW, how many sites do you have running on your wpms setup?

    This is all very helpful… please contact me via email / skype:

    patrick@churchbuzz.org / pmsteil

    Thanks…

  • mightygeeks
    • Design Lord, Child of Thor

    So are you mapping multiple domain names to the same main WordPress site, or is each name mapped to a different sub-domain. The issue I’m trying to work out is SSL certificates for multiple sub-domains with a different domain name mapped to each sub-domain. Can anyone make a suggestion here for me?

  • pmsteil
    • Site Builder, Child of Zeus

    So I do have an SSL certificate setup with Cloudflare pointing to my test domain name:

    https://galilee.demochurch.org

    But the problem is that in the Domain Mapping plugin, I can only register the domain as:

    http://galilee.demochurch.org

    As you can see, if you bring up the http version the site works, but the https version doesn’t work. And if you look at the source you can see that the site is still trying to load all of its css/js/etc from the http resource instead.

    If I try to setup the https URL in the domain mapping tool, it won’t accept the SSL URL I think because the server itself isn’t setup for SSL and it is trying to verify the URL.

    1) is there somewhere in a db table where I can hack this to force it to use the https version at least for testing

    2) It would be awesome to have an option to “validate” the url or not…

    Your thoughts?

    Patrick

  • wp.network
    • The Bug Hunter

    Way to go @pmsteil :slight_smile:

    Personally, what I do is immediately after new site creation edit the SITEURL and HOME values via its settings page (it gives a handy 'edit' link after creation) – alternatively, straight in the db in wp_options – to use https instead of http – these two values are essentially the way that WP knows you want to use https…

    Also, to be sure, you have set up the mapping to use https as the protocol scheme, yes?

    When mapping, there is a drop-down menu to select scheme…

    Later, scheme can be toggled from the subsites' domain mapping page and via the mapped domains tab in the network admin domain mapping settings page – in both cases just click the little key icon to toggle the change…

    Also, this can be done in the db in wp_domain_mapping

    Hope this helps, glad to see you've made such awesome progress :slight_smile:

    Cheers, Max

  • pmsteil
    • Site Builder, Child of Zeus

    PortlandWP, thanks for the detailed reply with screenshots, they really helped…

    I was able to toggle to https://galilee.demochurch.org/ using the “key” icon (wow, that was intuitive :slight_smile:).

    I also set the siteurl and home settings to https://galilee.demochurch.org/

    And have tried this several times now, but when I try to bring up the url:

    https://galilee.demochurch.org/

    I just get a “redirect loop”…

    Anything else you can think of I need to try?

    Patrick

  • wp.network
    • The Bug Hunter

    The following might be useful fodder for your efforts if you use apache:

    There are currently (to my knowledge) at least some configurations of Domain Mapping wherein the frontend mapping redirect option is essentially broken – specifically when using HTTPS for all network including mapped domains.

    Setting the mapped frontend redirect to be disabled and to use address as entered has many consequences – among them are some potentially serious ‘duplicate’ content issues due to the same resources being accessible/indexable via more than ONE address…

    I have my networks set up to use the original network addresses for login/admin and the mapped address (if any) for frontend only.

    I have set my mapped domains to use the frontend mapping redirect setting ‘directed to mapped (primary) domain’.

    Because there are bugs with frontend domain mapping, at least in some configurations (affecting many things, including permalink addresses) I had to develop – with much awesome assistance – the htaccess rules below to deal with enforcing the redirects, including an allowance for previews at original network addresses.

    Since I also use CloudFlare, I had to add a page rule to allow for admin|login|previews as well (only for original network domain!).

    There are reasons for the way these rules are written, mostly trying to be sensitive to the ‘look & feel’ of the original subsite addresses on subdomain networks since that's the model I use for sites that clients/customers will see the backend addresses of… for my subdirectory networks I do not mind an original network address that looks a little funky, which makes it easy to do it all in less code…

    For the subdomain model, you would replicate the block that is in below rules that applies to .Com mapped addresses to address any other TLDs that you will be using. The trick is in making the original addresses match the expected pattern… so, if one wished to map the domain mapped.com then one creates the subsite mapped-secure-1.primary.tld and so on…

    htaccess for subdomain network, placed above stock WP rules:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    Options All -Indexes
    #BEGIN Remove 'www.' from all Requests
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    #END Remove 'www.' from all Requests
    #BEGIN Frontend Address Control for Network Subsites with Mapped .Com
    RewriteCond %{REQUEST_URI} !^/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{HTTP_HOST} ([^.]+)-secure-1\.example\.tld$ [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    RewriteRule ^(.*)$ https://%1.com/$1 [R=301,L]
    #END Frontend Address Control for Network Subsites with Mapped .Com
    #BEGIN Frontend Address Control for Network Subsites with Mapped .Net
    RewriteCond %{REQUEST_URI} !^/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{HTTP_HOST} ([^.]+)-secure-2\.example\.tld$ [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    RewriteRule ^(.*)$ https://%1.net/$1 [R=301,L]
    #END Frontend Address Control for Network Subsites with Mapped .Net
    #BEGIN Author Profile Redirect
    RewriteRule ^/?author/ https://%{HTTP_HOST}/ [R=301,L]
    #END Author Profile Redirect
    #BEGIN Catch-All SSL Address Control
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    #END Catch-All SSL Address Control
    </IfModule>

    For subdirectory networks, no further rules are needed as long as the original network addresses conform to the following pattern:

    for mapping a domain mapped.tld create a subsite primary.tld/mapped-dot-tld

    htaccess for subdirectory networks, added above stock WP rules:

    <IfModule mod_rewrite.c>
    Options All -Indexes
    RewriteEngine On
    # BEGIN Remove 'www.' from all urls
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    # END Remove 'www.' from all urls
    # BEGIN Custom Mapping for Subdirectory Subsites w/ Mapped Domain
    RewriteCond %{REQUEST_URI} !/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    RewriteRule ^(.*)-dot-(.*)/(.*)$ https://$1.$2/$3 [R=301,L]
    # END Custom Mapping for Subdirectory Subsites w/ Mapped Domain
    #BEGIN Author profile redirect
    RewriteRule ^author/ https://%{HTTP_HOST}/ [R=301,L]
    # END Author profile redirect
    # BEGIN Catch-All SSL Address Control
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    # END Catch-All SSL Address Control
    </IfModule>

    CloudFlare rule patterns for cache bypass rules:

    *example.tld/*wp-admin*
    *example.tld/*wp-login*
    *example.tld/*preview=true*

    This allows domain mapping with URL canonicalization (meaning content only resolves via ONE url), but does NOT really address whatever is going on with the Domain Mapping plugin that is being buggy; it works because it just gets these redirects done essentially before they get to WP… it's not a real solution though, imho, just a temp patch to move along with while we await the next DM release :slight_smile:

    These rules can be easily adapted to work with http networks – just remove the ‘s’ from all the instances of ‘https’ and delete the ‘Catch-All SSL Address Control’ rule block…

    To just have a way to force https for everything (for testing or whatever purpose) you can use just

    # BEGIN Catch-All SSL Address Control
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    # END Catch-All SSL Address Control

    Hope this can be helpful, happy to answer any Qs :slight_smile:

    Cheers, Max
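
The first set of subdomain-network rules in the post above, modelled in Python as an added example (not code from the thread or from the Domain Mapping plugin) so that redirect chains can be traced before editing a live .htaccess. The function names and the `origin_scheme` parameter are hypothetical; `origin_scheme="http"` assumes a proxy that terminates TLS and connects to the origin over plain HTTP, one way the catch-all rule ends up in a redirect loop.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the subdomain-network rules posted above.
# example.tld is the thread's placeholder for the network domain.
WWW = re.compile(r"^www\.(.+)$", re.I)
MAPPED = re.compile(r"([^.]+)-secure-([12])\.example\.tld$", re.I)
TLD_FOR_SLOT = {"1": "com", "2": "net"}   # -secure-1 -> .com, -secure-2 -> .net
WP_INTERNAL = re.compile(r"^/?wp-(admin|content|includes|login)", re.I)


def origin_redirect(scheme, host, path, query):
    """Return the redirect target the rules would issue, or None to serve the page."""
    qs = f"?{query}" if query else ""     # mod_rewrite re-appends the query string
    m = WWW.match(host)
    if m:                                 # Remove 'www.' from all requests
        return f"https://{m.group(1)}{path}{qs}"
    m = MAPPED.search(host)
    if m and not WP_INTERNAL.match(path) and "preview=true" not in query.lower():
        # Frontend address control: send visitors to the mapped domain
        return f"https://{m.group(1)}.{TLD_FOR_SLOT[m.group(2)]}{path}{qs}"
    if re.match(r"^/?author/", path):     # Author profile redirect
        return f"https://{host}/{qs}"
    if scheme != "https":                 # Catch-all SSL address control
        return f"https://{host}{path}{qs}"
    return None


def trace(url, origin_scheme=None, limit=10):
    """Follow redirects starting at url and report how the chain ends.

    origin_scheme models a TLS-terminating proxy: when set, the origin always
    sees that scheme, whatever scheme the visitor used.
    """
    chain = [url]
    for _ in range(limit):
        u = urlsplit(chain[-1])
        seen_scheme = origin_scheme or u.scheme
        target = origin_redirect(seen_scheme, u.hostname, u.path or "/", u.query)
        if target is None:
            return chain, "served"
        if target in chain:               # same URL issued twice: a loop
            return chain + [target], "loop"
        chain.append(target)
    return chain, "too many redirects"


if __name__ == "__main__":
    for sample in ("http://www.demo-secure-1.example.tld/about?x=1",
                   "https://demo-secure-1.example.tld/wp-admin/"):
        print(trace(sample))
    print(trace("https://demo.com/", origin_scheme="http"))
```
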

  • pmsteil
    • Site Builder, Child of Zeus

    Just read your long post re: setting up CF and htaccess rules… oh my… I am going to need your help on this… you obviously have battled through this already… would love to contract you for help.

    Please contact me directly and we can setup a time to meet and discuss what I need, etc

    Thanks!

    Patrick

  • wp.network
    • The Bug Hunter

    :slight_smile: this is tough stuff eh?

    1)

    I also change the “Domain” setting to the same domain

    I think you mean in the main site settings page at network>sites>edit>’info’ tab … first field labeled ‘Domain’ – correct?

    Do NOT change this (unless you mean to change the original subsite network address – note: if you do need to do this, it resets SITEURL & HOME to use http and you will need to make those edits again) – especially do not change this to the mapped address, that's redirect craziness…

    ONLY change the SITEURL and HOME values, and only change ‘http’ to ‘https’

    2) here are screenshots of my DM settings to round this all out :slight_smile:

    3) after you fix the DOMAIN value mentioned above (or just delete these test sites and start fresh!) then you’ll want to start obsessively clearing your browser cache as you make changes and test behavior…

    3a) I also always clear my local DNS cache too :slight_smile:

    win (run command as admin): ipconfig /flushdns

    mac: sudo killall -HUP mDNSResponder

    mac (10.6): sudo dscacheutil -flushcache

    If you are still getting a redirect loop, then odds are either your server has an issue or you’ve made a mistake somewhere… tear it down and do it better :slight_smile:

    Kind Regards, Max

  • wp.network
    • The Bug Hunter

    Just a note re:

    There is potential to automate portions of this…

    I have just started testing the TT CloudFlare WPMU Pro plugin available from http://stiofan.themetailors.com/tt/portfolio/tt-cloudflare-wpmu-plugin-pro/ and so far, it seems to work very well despite not having been updated in quite a while… so, thus far I’m feeling hopeful about it :slight_smile:

    $10 well spent!

    I am venturing a guess here… but I think that this awesome plugin is developed by @paoltaia and I’d just like to say ‘Thanks!’

    ( https://premium.wpmudev.org/forums/topic/cloudflare-1#post-177720 )

    Cheers, Max

  • wp.network
    • The Bug Hunter

    @mightygeeks

    There are a lot of answers to this Q already present in this thread… if it's not making any sense to you, then that's an indicator that you’ve either got quite a bit of reading and experimentation to do or that you’re going to need to get professional help to pull this off…

    1) If you are wanting to have full control of the SSL certificates (ie. NOT relying on CloudFlare) I’d advise that you consider finding managed hosting that can offer support for SNI (Server Name Indication) … Many hosts can do this, including as mentioned above.

    2) If you’d like, I’m happy to offer to do a brief skype to help you scope your project (for in depth consulting we would need to discuss terms), let me know :slight_smile:

    Cheers, Max

  • wp.network
    • The Bug Hunter

    Additional resources re. regex & .htaccess:

    I highly recommend ‘Mastering Regular Expressions’ by J.Friedl if you want to really dive in :slight_smile:

    Perhaps more immediately focused would be R.Bowen’s ‘Definitive Guide to Apache mod_rewrite’

    edit: just remembered, he has a newer (slightly simpler) book in the works… read/fork the book ‘mod_rewrite And Friends’ at http://mod-rewrite.org/book/

    And an awesomely useful learning tool (free/donation) is Regex Coach

    http://www.weitz.de/regex-coach/

    For a simpler, more recipe-based resource, check out Jeff Starr’s ‘htaccess made easy’ at htaccessbook.com (attached is a free cheat sheet from Jeff’s book).

    Cheers, Max

  • wp.network
    • The Bug Hunter

    a note & some updated code:

    1) After creating a new subsite and editing SITEURL & HOME values, it's a good idea to go to the subsite and save permalinks.

    2) The above .htaccess rules can be further optimized, for instance I am now using the following:

    subdomains (wondering about ‘S=1’ – google how to use Skip rules in .htaccess)

    <IfModule mod_rewrite.c>
    RewriteEngine On
    Options All -Indexes
    #BEGIN Remove 'www.' from all Requests
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^.*$ https://%1%{REQUEST_URI} [R=301,L]
    #END Remove 'www.' from all Requests
    #BEGIN Frontend Address Control for Network Subsites with Mapped .Com
    RewriteCond %{REQUEST_URI} !^/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{HTTP_HOST} ([^.]+)-secure-1\.example\.tld$ [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    RewriteRule ^.*$ https://%1.com%{REQUEST_URI} [R=301,L,S=1]
    #END Frontend Address Control for Network Subsites with Mapped .Com
    #BEGIN Frontend Address Control for Network Subsites with Mapped .Net
    RewriteCond %{REQUEST_URI} !^/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{HTTP_HOST} ([^.]+)-secure-2\.example\.tld$ [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    RewriteRule ^.*$ https://%1.net%{REQUEST_URI} [R=301,L]
    #END Frontend Address Control for Network Subsites with Mapped .Net
    #BEGIN Catch-All SSL Address Control
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #END Catch-All SSL Address Control
    </IfModule>

    subdirectories

    <IfModule mod_rewrite.c>
    Options All -Indexes
    RewriteEngine On
    # BEGIN Remove 'www.' from all urls
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^.*$ https://%1%{REQUEST_URI} [R=301,L]
    # END Remove 'www.' from all urls
    # BEGIN Custom Mapping for Subdirectory Subsites w/ Mapped Domain
    RewriteCond %{REQUEST_URI} !/?wp-(admin|content|includes|login) [NC]
    RewriteCond %{QUERY_STRING} !preview=true [NC]
    # $3 is the path after the subsite directory; %{REQUEST_URI} would carry the -dot- prefix onto the mapped domain
    RewriteRule ^(.*)-dot-(.*)/(.*)$ https://$1.$2/$3 [R=301,L]
    # END Custom Mapping for Subdirectory Subsites w/ Mapped Domain
    # BEGIN Catch-All SSL Address Control
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # END Catch-All SSL Address Control
    </IfModule>

    Kind Regards, Max

  • NYCWW
    • Site Builder, Child of Zeus

    Good afternoon, @WPMS.Network.

    I’m having a hard time following exactly what is meant to be modified in the .htaccess code you provided. My network site is mainsite.com. I have three mapped subsites–mapped1.com, mapped2.com and mapped3.net. I’m using subdomains (not sub-directories).

    Would you mind reposting your updated code using the above-referenced domain names in the code? This way we can see exactly what the code should look like when we’ve done it correctly.

    Thanks

    Here’s a link to a thread I had started on a related issue.

  • wp.network
    • The Bug Hunter

    @NYCWW yeah, this thread got a bit messy :slight_smile:

    The rules above are not perfect and you really shouldn’t be messing with ’em if you don’t have some preparation to understand what you’re doing… (though I sure learned from the ground up, and so can you!)

    While we did get @pmsteil’s network squared away, we did not use the rules above, it took some further modifications.

    It’d be best if you (and any future readers) start your own thread referring to this one as needed… you could add a link to your thread into your comment above or flag me with an @ to find the new thread :slight_smile:

    Cheers, Max

  • pmsteil
    • Site Builder, Child of Zeus

    Just an update that Max did indeed help us get things squared away. He is very knowledgeable, meticulous and an expert in getting WPMS setup and configured to run with Domain Mapping and SSL on each site. I highly encourage anyone to engage Max for help on this!

    Patrick

  • Fantastico
    • Design Lord, Child of Thor

    Hi Max! @WP-Networks

    I hope you are having a wonderful day. So I am a noob and I have a partner who is the server guy but I was curious if you know the best way to go about automating ssl when customers map a domain they bought?

    My goal is to be like wordpress.com but my excitement was cut short when I realized the wpmudev mapping domain and prosites and whmcs plugins do not really make for an easy customer ssl experience.

    If you don’t mind, would you be able to help point us in the right direction on how to get started? For example, let's say a customer wants to go from a free plan with a subdomain that does have ssl to a paid plan by mapping their own domain (like one they bought) with the mapping plugin…how can we set it up so ssl is applied to their new domain automatically?

    Anything to help us get started in the right direction would be super awesome!

    Thanks Max!!!!
