Question about ssl certificates

Hi!
I'm using nginx, currently hosting several WordPress sites. I'm thinking about consolidating them all into one multisite network so I don't need to pay for a bunch of Wordfence premium licenses (psst, don't tell). However, I had a question about ssl certificates from let's encrypt:

First of all, currently I have separate certificates with www.example.com and example.com on them, which makes sense as each of my sites is in a separate vhost. However, if I make them into one multisite network, I think I see a few problems:
1. If I use domain mapping, I can't have ssl certs that are just for my main multisite domain, as they won't be valid for that mapped domain (I'm trying not to have to reissue the cert every time I add a new domain).
2. If I redirect the domains to mysite.com/site1/xxx, then that wouldn't look very professional. Do you know of any way to have separate Let's Encrypt certificates for each domain, yet still have one vhost and subdirectory installs without having to redirect them to an ugly-looking URL? Or do I need to duplicate my multisite configuration in the main vhost and put it in each separate site's vhost as well, thereby making them practically identical? As you can tell I'm a little confused.

If you need any more info just let me know!

-Michael.

  • Luís

    Hi Michael,

    Hope you're doing well today!

    Firstly, I think this article may interest you:

    https://premium.wpmudev.org/blog/ssl-domain-mapping/

    Regarding your questions: do you want to use SSL just on the main website, or on all mapped domains too? If your host supports Let's Encrypt, it has an option for multi-domain certificates (I think) that you can use for your mapped domains:

    https://premium.wpmudev.org/blog/lets-encrypt-ssl-certificate/

    https://letsencrypt.org/docs/faq/

    I hope this information has been helpful. If I can help you in this or other questions, please let me know!

    Cheers, Luís
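    A multi-domain (SAN) certificate only helps if every host nginx answers for is actually listed in it, which is the reissue problem Michael raised in his first point. The following is an added example, not code from the thread or from WPMU DEV: it takes the DNS names from an `openssl x509 -noout -ext subjectAltName` dump (the sample output and all hostnames below are constructed placeholders) and reports which served hosts the certificate does not cover, including the one-label wildcard rule browsers apply.

```python
"""Check that one multi-domain (SAN) certificate covers every mapped hostname.

Added example, not from the thread. The SAN dump below is constructed to look
like `openssl x509 -noout -ext subjectAltName -in fullchain.pem` output; the
hostnames in it are placeholders, not the thread's domains.
"""
import re

# Constructed sample output; a real run reads it from the live certificate.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:*.blog.example.net, DNS:mapped.example.org
"""

# Constructed: the hosts nginx answers for, i.e. the server_name list plus any
# domain mapped to a multisite blog after the certificate was issued.
SERVED_HOSTS = [
    "example.com",
    "www.example.com",
    "news.blog.example.net",
    "mapped.example.org",
    "www.mapped.example.org",   # added later, never put on the cert
]


def parse_san_dns(openssl_output):
    """Pull the DNS: entries out of openssl's subjectAltName dump, lowercased."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def san_matches(san, host):
    """Browser-style match: exact name, or a leading '*' standing for one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                     # "*.blog.example.net" -> ".blog.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label   # wildcard covers exactly one label
    return False


def uncovered_hosts(served_hosts, sans):
    """Hosts that no SAN entry covers; each one will fail TLS name validation."""
    return [h for h in served_hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    sans = parse_san_dns(SAMPLE_SAN_OUTPUT)
    missing = uncovered_hosts(SERVED_HOSTS, sans)
    print("certificate SANs :", ", ".join(sans))
    print("not covered      :", ", ".join(missing) or "none")
```

    Running this after each new domain is mapped turns the "did I forget to reissue?" question into a one-line check. Two things worth knowing when reading the result: certbot names the certificate directory after the first domain in the request (which is why a certificate covering eight sites can live under a path like `/etc/letsencrypt/live/2mb.review/`), and Let's Encrypt wildcard names require the DNS-01 challenge, so a `*.` entry is not available through a plain HTTP-validated renewal.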

  • Michael

    Ok, I just bit the bullet and made my cert into a multi-domain cert. Now I'm having all sorts of problems with my multisite install, let me see if I can go through all of them:

    1. When I go to my 3rd site (https://2mb.solutions/3dm) it brings me to a WPMUDev dashboard page with a URL something like 'https://2mb.solutions/wp-admin/network/admin.php?page=WPMUDev-dashboard&error_nonce=xxxxx' (just paraphrasing the URL, as I didn't copy it). The others work fine, but when I go to 2mb.solutions/site/login, it says 'page NOT FOUND'.

    My nginx file is below:

    server {
        listen 80;
        listen [::]:80;
        server_name 2mb.solutions www.2mb.solutions michaeltaboada.me www.michaeltaboada.me 3dm.audio www.3dm.audio 2mb.info www.2mb.info 2mb.review www.2mb.review getyourphix.tk www.getyourphix.tk eldritchfiction.net www.eldritchfiction.net lolmud.net www.lolmud.net;
        return 301 https://$host$request_uri;
    }
    map $http_host $blogid {
        default 0;
        2mb.solutions 1;
        www.2mb.solutions 1;
        michaeltaboada.me 2;
        www.michaeltaboada.me 2;
        3dm.audio 3;
        www.3dm.audio 3;
        2mb.info 4;
        www.2mb.info 4;
        2mb.review 5;
        www.2mb.review 5;
        getyourphix.tk 6;
        www.getyourphix.tk 6;
        eldritchfiction.net 7;
        www.eldritchfiction.net 7;
        lolmud.net 8;
        www.lolmud.net 8;
    }

    server {
        access_log off;
        error_log /etc/nginx/logs/error.log;
        server_name 2mb.solutions www.2mb.solutions michaeltaboada.me www.michaeltaboada.me 3dm.audio www.3dm.audio 2mb.info www.2mb.info 2mb.review www.2mb.review getyourphix.tk www.getyourphix.tk eldritchfiction.net www.eldritchfiction.net lolmud.net www.lolmud.net;
        root /storage/websites/2mb.solutions/public_html;
        listen 443 ssl;
        listen [::]:443 ssl;
        index index.php;
        ssl_certificate /etc/letsencrypt/live/2mb.review/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/2mb.review/privkey.pem;
        ssl_client_certificate /etc/nginx/cloudflare.pem;
        ssl_verify_client on;
        # See: http://nginx.org/en/docs/http/ngx_http_core_module.html#etag
        # This reduces load on your server by supporting the If-Modified-Since header,
        # sent by browsers for static resources.

        etag on;
        expires 7d;
        if_modified_since before;

        # See: http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip
        # This enables GZIP compression in Nginx, making all static
        # resources load faster in browsers.

        gzip on;
        gzip_vary on;
        gzip_comp_level 6;
        gzip_types text/plain text/xml image/svg+xml # text/html in core already.
                   application/rss+xml application/atom+xml application/xhtml+xml
                   text/css application/json application/x-javascript
                   application/font-otf application/font-ttf;

        # See: http://davidwalsh.name/cdn-fonts
        # This prevents cross-domain security issues related to fonts.
        # Only needed if you use Static CDN Filters in Comet Cache.

        location ~* \.(?:ttf|ttc|otf|eot|woff|woff2|css|js)$ {
            add_header Access-Control-Allow-Origin *;
        }

        # This is optional, but suggested. It's a flag to tell Comet Cache
        # that you completed this Nginx configuration.

        add_header X-SNOOPER "Do you like breaking php code? Then contact 2MB and apply to be a beta tester! Visit https://2mb.solutions and mention this header! Oh and yes, we totally stole this idea from wordpress.com. Hats off to ya guys!";

        set $no_cache 0;
        if ($request_method = POST) {
            set $no_cache 1;
        }
        if ($query_string != "") {
            set $no_cache 1;
        }
        if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
            set $no_cache 1;
        }
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
            set $no_cache 1;
        }
        location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx|woff)$ {
            expires 864000;
        }
        location ~ ^(/[^/]+/)?files/(.+) {
            try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
            access_log off; log_not_found off; expires max;
        }

        #avoid php readfile()
        location ^~ /blogs.dir {
            internal;
            alias /storage/websites/2mb.solutions/public_html/wp-content/blogs.dir ;
            access_log off; log_not_found off; expires max;
        }

        if (!-e $request_filename) {
            rewrite /wp-admin$ $scheme://$host$uri/ permanent;
            rewrite ^(/[^/]+)?(/wp-.*) $2 last;
            rewrite ^(/[^/]+)?(/.*\.php) $2 last;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        ## WP Defender - Prevent information disclosure ##
        # Turn off directory indexing
        autoindex off;

        # Deny access to wp-config.php file
        location = /wp-config.php {
            deny all;
        }

        # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
            deny all;
        }
        ## WP Defender - End ##
        ## WP Defender - Prevent PHP Execution ##
        # Stop php access except to needed files in wp-includes
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
            internal; #internal allows ms-files.php rewrite in multisite to work
        }

        # Specifically locks down upload directories in case full wp-content rule below is skipped
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }

        #allow access to wordfence php files
        location ~ ^/wp-content/plugins/wordfence/.*\.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
            fastcgi_index index.php;
            # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            #include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_connect_timeout 10;
            fastcgi_send_timeout 10;
            fastcgi_read_timeout 30;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            # fastcgi_cache CZONE;
            fastcgi_cache_valid 200 302 1h;
            fastcgi_cache_valid 301 1h;
            fastcgi_cache_valid any 1h;
            fastcgi_cache_min_uses 2;
        }

        # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
        # Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
        location ~* ^/wp-content/.*\.php$ {
            deny all;
        }
        ## WP Defender - End ##
        location ~ [^/]\.php(/|$) {
            include /etc/nginx/fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
            fastcgi_param WP_NGINX_CONFIG done;
            fastcgi_index index.php;
            # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            #include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_connect_timeout 10;
            fastcgi_send_timeout 10;
            fastcgi_read_timeout 30;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            # fastcgi_cache CZONE;
            fastcgi_cache_valid 200 302 1h;
            fastcgi_cache_valid 301 1h;
            fastcgi_cache_valid any 1h;
            fastcgi_cache_min_uses 2;
        }
        # No access to .htaccess files.
        location ~ /\.ht {
            deny all;
        }
    }

    Any help? This is starting to turn into a nightmare.
    -Michael.
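    In the config Michael posted, `$blogid` is consulted only by the `location ~ ^(/[^/]+/)?files/(.+)` block, so a host that is missing from the `map` (or present under a key that can never match a `Host` header) does not explain a redirect to the main site, which WordPress decides for itself from the `Host` header; it does, however, silently route that site's `files/` requests to blog 0. The following is an added example, not code from the thread or from WPMU DEV: it parses the `server_name` lists and the `map $http_host $blogid` table out of a config in the same shape (the domains and the three defects in `SAMPLE_CONF` are constructed) and reports hosts with no blog id, map keys that carry a scheme, and www/bare pairs that disagree.

```python
"""Audit an nginx multisite config: server_name hosts vs. `map $http_host $blogid`.

Added example, not from the thread. SAMPLE_CONF is constructed in the shape of
the posted config with placeholder domains and three deliberate defects.
"""
import re

SAMPLE_CONF = """
server {
    listen 80;
    server_name main.example www.main.example second.example www.second.example third.example;
    return 301 https://$host$request_uri;
}
map $http_host $blogid {
    default 0;
    main.example 1;
    www.main.example 1;
    second.example 2;
    http://www.second.example 2;   # scheme left in by a forum link-ifier
    third.example 3;
    www.third.example 4;           # www and bare host disagree
}
server {
    listen 443 ssl;
    server_name main.example www.main.example second.example www.second.example third.example;
}
"""


def server_name_hosts(conf):
    """Every host named in any server_name directive, deduplicated, in order."""
    hosts = []
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.M):
        hosts.extend(m.group(1).split())
    return list(dict.fromkeys(hosts))


def blogid_map(conf):
    """The key -> value table of the map block that sets $blogid."""
    body = re.search(r"map\s+\$\w+\s+\$blogid\s*\{(.*?)\}", conf, re.S).group(1)
    table = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()   # drop comments and ';'
        if line:
            key, value = line.split()
            table[key] = value
    return table


def audit(conf):
    """Return human-readable findings; an empty list means the two lists agree."""
    hosts, table = server_name_hosts(conf), blogid_map(conf)
    findings = []
    for key in table:
        if "://" in key:   # a Host header never carries a scheme, so this key is dead
            findings.append("map key %r contains a scheme and can never match" % key)
    for h in hosts:
        if h not in table:
            findings.append("%r has no blogid and falls to default %s" % (h, table.get("default", "0")))
    bare_names = list(dict.fromkeys(h[4:] if h.startswith("www.") else h for h in hosts))
    for bare in bare_names:
        ids = {table.get(bare), table.get("www." + bare)} - {None}
        if len(ids) > 1:
            findings.append("%r and 'www.%s' map to different blog ids %s" % (bare, bare, sorted(ids)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

    Two nginx details reduce how often this check finds anything. Mapping on `$host` instead of `$http_host` gives the map a lowercased value with any `:port` already stripped, and adding the `hostnames;` parameter inside the `map` lets one entry of the form `.2mb.solutions 1;` cover both the bare domain and every subdomain, so a www entry can never drift from its bare counterpart.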

  • Michael

    OK, it turns out when I imported my old wp-options table it reset the siteurl and home options, making a mess of things. I've got domains mapped, now the only problem is that whenever I go to any of the domains, it just redirects me to my main site. Nginx config is below:

    server {
        listen 80;
        listen [::]:80;
        server_name 2mb.solutions www.2mb.solutions michaeltaboada.me www.michaeltaboada.me 3dm.audio www.3dm.audio 2mb.info www.2mb.info 2mb.review www.2mb.review getyourphix.tk www.getyourphix.tk eldritchfiction.net www.eldritchfiction.net lolmud.net www.lolmud.net;
        return 301 https://$host$request_uri;
    }
    map $http_host $blogid {
        default 0;
        2mb.solutions 1;
        www.2mb.solutions 1;
        michaeltaboada.me 2;
        www.michaeltaboada.me 2;
        3dm.audio 9;
        www.3dm.audio 9;
        2mb.info 4;
        www.2mb.info 4;
        2mb.review 5;
        www.2mb.review 5;
        getyourphix.tk 6;
        www.getyourphix.tk 6;
        eldritchfiction.net 7;
        www.eldritchfiction.net 7;
        lolmud.net 8;
        www.lolmud.net 8;
    }

    server {
        access_log off;
        error_log /etc/nginx/logs/error.log;
        server_name 2mb.solutions www.2mb.solutions michaeltaboada.me www.michaeltaboada.me 3dm.audio www.3dm.audio 2mb.info www.2mb.info 2mb.review www.2mb.review getyourphix.tk www.getyourphix.tk eldritchfiction.net www.eldritchfiction.net lolmud.net www.lolmud.net;
        root /storage/websites/2mb.solutions/public_html;
        listen 443 ssl;
        listen [::]:443 ssl;
        index index.php;
        ssl_certificate /etc/letsencrypt/live/2mb.review/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/2mb.review/privkey.pem;
        ssl_client_certificate /etc/nginx/cloudflare.pem;
        ssl_verify_client on;
        # See: http://nginx.org/en/docs/http/ngx_http_core_module.html#etag
        # This reduces load on your server by supporting the If-Modified-Since header,
        # sent by browsers for static resources.

        etag on;
        expires 7d;
        if_modified_since before;

        # See: http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip
        # This enables GZIP compression in Nginx, making all static
        # resources load faster in browsers.

        gzip on;
        gzip_vary on;
        gzip_comp_level 6;
        gzip_types text/plain text/xml image/svg+xml # text/html in core already.
                   application/rss+xml application/atom+xml application/xhtml+xml
                   text/css application/json application/x-javascript
                   application/font-otf application/font-ttf;

        # See: http://davidwalsh.name/cdn-fonts
        # This prevents cross-domain security issues related to fonts.
        # Only needed if you use Static CDN Filters in Comet Cache.

        location ~* \.(?:ttf|ttc|otf|eot|woff|woff2|css|js)$ {
            add_header Access-Control-Allow-Origin *;
        }

        # This is optional, but suggested. It's a flag to tell Comet Cache
        # that you completed this Nginx configuration.

        add_header X-SNOOPER "Do you like breaking php code? Then contact 2MB and apply to be a beta tester! Visit https://2mb.solutions and mention this header! Oh and yes, we totally stole this idea from wordpress.com. Hats off to ya guys!";

        set $no_cache 0;
        if ($request_method = POST) {
            set $no_cache 1;
        }
        if ($query_string != "") {
            set $no_cache 1;
        }
        if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
            set $no_cache 1;
        }
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
            set $no_cache 1;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx|woff)$ {
            expires 864000;
        }
        location ~ ^(/[^/]+/)?files/(.+) {
            try_files /wp-content/blogs.dir/$blogid/files/$2 /wp-includes/ms-files.php?file=$2 ;
            access_log off; log_not_found off; expires max;
        }

        #avoid php readfile()
        location ^~ /blogs.dir {
            internal;
            alias /storage/websites/2mb.solutions/public_html/wp-content/blogs.dir ;
            access_log off; log_not_found off; expires max;
        }

        if (!-e $request_filename) {
            rewrite /wp-admin$ $scheme://$host$uri/ permanent;
            rewrite ^(/[^/]+)?(/wp-.*) $2 last;
            rewrite ^(/[^/]+)?(/.*\.php) $2 last;
        }
        ## WP Defender - Prevent information disclosure ##
        # Turn off directory indexing
        autoindex off;

        # Deny access to wp-config.php file
        location = /wp-config.php {
            deny all;
        }

        # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
            deny all;
        }
        ## WP Defender - End ##
        ## WP Defender - Prevent PHP Execution ##
        # Stop php access except to needed files in wp-includes
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
            internal; #internal allows ms-files.php rewrite in multisite to work
        }

        # Specifically locks down upload directories in case full wp-content rule below is skipped
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }

        #allow access to wordfence php files
        location ~ ^/wp-content/plugins/wordfence/.*\.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
            fastcgi_index index.php;
            # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            #include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_connect_timeout 10;
            fastcgi_send_timeout 10;
            fastcgi_read_timeout 30;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            # fastcgi_cache CZONE;
            fastcgi_cache_valid 200 302 1h;
            fastcgi_cache_valid 301 1h;
            fastcgi_cache_valid any 1h;
            fastcgi_cache_min_uses 2;
        }

        # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
        # Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
        location ~* ^/wp-content/.*\.php$ {
            deny all;
        }
        ## WP Defender - End ##
        location ~ [^/]\.php(/|$) {
            include /etc/nginx/fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
            fastcgi_param WP_NGINX_CONFIG done;
            fastcgi_index index.php;
            # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param QUERY_STRING $query_string;
            #include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_connect_timeout 10;
            fastcgi_send_timeout 10;
            fastcgi_read_timeout 30;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            # fastcgi_cache CZONE;
            fastcgi_cache_valid 200 302 1h;
            fastcgi_cache_valid 301 1h;
            fastcgi_cache_valid any 1h;
            fastcgi_cache_min_uses 2;
        }
        # No access to .htaccess files.
        location ~ /\.ht {
            deny all;
        }
    }
    I'm so close! lol.
    -Michael.

  • Michael

    Just a little more info: whether I visit 2mb.solutions/michaeltaboada or the mapped domain, michaeltaboada.me, it redirects to the main site, 2mb.solutions. I can, however, log into the dashboard and use it fine, only with the non-mapped domain. If I go to anything on the mapped domain, wp-admin, homepage, etc., it redirects to the main site.
    Any clues? I'm starting to get desperate lol.
    -Michael.
