SSL for subdomains on a Multisite

I have been trying now for over a year to figure out how to have all my subdomains on my multisite covered by an SSL certificate so that the Google warning does not come up warning of an unsecure site. I am hoping you can help me accomplish this once and for all!

My primary domain (wordsandwriters.com) is covered by a Free AutoSSL with my Host (Hostgator), but I have written to them many times on how to cover the rest of the subdomains...and I have not been successful in achieving this. First, I thought I could use a wildcard SSL, but then they told me that would cover only the subdomain (site1.wordsandwriters.com) but not the domain name mapped to that subdomain through the Domain Mapping plugin. Then, I bought a MultiDomain SSL, but that is even more confusing, requiring many more steps and they said it would take two certificates to cover one website (one for the subdomain and one for its mapped domain), and they charge $25 for each install and another fee if you add additional domains mid year.

I am using the Domain Mapping plugin, and I hope that this plugin can help me in some way to simplify this project. The hosting company administrators do not understand WP multisites or this mapping plugin.

It just seems that there must be an easier way. Am I making this more complicated than it needs to be? All I want to do is offer my subsite owners the option of a site covered by SSL. Below is the log of my email conversations with my Host about SSL.
------------------------------------------------------------------
Email logs from my Hosting (Hostgator) for Multi Domain SSL
5/10/18
The Multidomain SSL can not be installed on one domain. We need at least two domains to proceed with the Multi-domain SSL installation. If you wish to have the SSL installed on only one domain 'suncoastdigitalpress.com' then, I suggest you to install Comodo Positive SSL or Comodo SSL. To know more about the SSL, please refer the link: http://support.hostgator.com/articles/ssl-certificates/how-do-i-obtain-an-ssl-certificate .

Also, the domain 'suncoastdigitalpress.com' is not pointing to any hosting package. In order to proceed with the SSL installation, the domain should be pointing towards the hosting package, please add the domain as addon to the hosting package 'DC-57595' by referring the article: https://support.hostgator.com/articles/cpanel/how-do-i-create-and-remove-an-addon-domain

Once the domain is added as addon to the hosting package 'DC-57595', please reply to us with the type of SSL. After that we will adjust payment and proceed with the SSL installation.
6/17/18
Thank you for your questions. I am not clear on your description of the mapped domains that are part of a WordPress multisite installation as noted in the Reply #5 entry of this ticket. In a multi-domain SSL, each entry is separate. For instance, with a Multi-Domain SSL the www and non-www version of a domain are considered two separate host names, so if you wish an SSL to work for both http://www.mydomain.com and mydomain.com these would use up two host names.

If you decide to add extra domains mid-year, then we will need to reissue and reinstall your SSL certificate. The price is $25 per each domain.
Adding extra domains does not renew your certificate; the expiration date remains the same.
There is also a $25 reissue/reinstall fee if you have us reissue the SSL at a later time.

See https://www.hostgator.com/help/article/multi-domain-ssl

A Multi-domain SSL can cover domains hosted on different servers or in different cPanels of the same server. We use Apache Mod SSL software for our Linux and Windows servers. All domains in one Multi-domain SSL will use the Apache Mod SSL software.

If you plan to cover domains on non-HostGator servers, we will need to have you check if they can use that software for the SSL.
Your MDSSL order, if I understand correctly, is to cover two domains to start: suncoastdigitalpress.com and barbaradee.wordsandwriters.com

To validate your control over barbaradee.wordsandwriters.com the DCV email admin@wordsandwriters.com is useable.

To validate your control over suncoastdigitalpress.com one of these addresses need to be used:
admin@suncoastdigitalpress.com
administrator@suncoastdigitalpress.com
hostmaster@suncoastdigitalpress.com
postmaster@suncoastdigitalpress.com
webmaster@suncoastdigitalpress.com

Each entry in the MDSSL will cover that entry's domain (or subdomain) and each entry needs to have your control over it validated by Comodo, our SSL provider by them sending a Domain Control Validation (DCV) email to you. Each one will be different.
6/16/18
Hello,

Thank you for contacting HostGator. Please be aware that our SSL provider requires us to verify ownership of a domain before they will issue the certificate. Verification is completed via email. Currently, we can use any of the following email addresses for this:

suncoastdigitalpress.com
admin@suncoastdigitalpress.com
administrator@suncoastdigitalpress.com
hostmaster@suncoastdigitalpress.com
postmaster@suncoastdigitalpress.com
webmaster@suncoastdigitalpress.com

barbaradee.wordsandwriters.com
admin@wordsandwriters.com
administrator@wordsandwriters.com
hostmaster@wordsandwriters.com
postmaster@wordsandwriters.com
webmaster@wordsandwriters.com

Please let us know which email address you would like to use for validation. If you would like to use an email address that you do not see on this list, then you would need to add that email as the administrative contact in your domain whois information. Alternatively, you can create a forwarder within your control panel if one of the above emails does not exist. We are glad to assist with this if needed.

Please note: If you are pointing your domain to us via a custom A record, then you will need to manually update your DNS settings when the dedicated IP is assigned. A dedicated IP address is required for the SSL installation. Please disregard this note if you are pointing your domain to us via the name servers.
6/15/18
Yes, you need to add the subdomains along with the main domain as addon domain to the package 'DC-57595' then only we can proceed with the SSL installation. It is not possible to install multi domain SSL for one domain now and later add another domain. To do so, we need at least two domain names. So, please reply to this ticket with at least one additional domain so that we can assist you further.
My Response
Okay, please use admin@wordsandwriters.com for validation. Does this validation work for all future domains that receive an SSL? I will do the Add On domains as instructed below. Is this correct?

1. Do the Add On domain process for: barbaradee.wordsandwriters.com and its mapped domain suncoastdigitalpress.com;
2. Do the Add On domain process for the second one: bobcarroll.wordsandwriters.com and its mapped domain buildingyourleadershiplegacy.com

Please advise so I can go ahead with the Add On Domains. In a follow up email, you mentioned I will need to manually change the DNS records if I used an A Record. I did use an A record for each of the domains. I don't know how to do this, but this comes after you install the SSL certificate, right?
Thanks, Joe.

Questions about the Auto SSL configuration for primary domain only (not subdomains):
6/14/17
Thank you for your patience. AutoSSL was failing to issue an SSL for wordsandwriters.com due to the following restrictions against .txt files set in the public_html/.htaccess file:

root@wor.wordsandwriters.com [public_html]# tail .htaccess

## WP Defender - Prevent information disclosure ##
<FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
<Files robots.txt>
Allow from all
</Files>
## WP Defender - End ##
root@wor.wordsandwriters.com [public_html]#

To avoid issues, I temporarily removed the 'txt' extension from the block list above, and the installation completed without issues:

root@wor.wordsandwriters.com [public_html]# /usr/local/cpanel/bin/autossl_check --user josen
This system has AutoSSL set to use “cPanel (powered by Comodo)”.
Checking websites for “josen” …
The website “*.wordsandwriters.com”, owned by “josen”, has no SSL certificate. AutoSSL cannot provide wildcard SSL certificates, and “*.wordsandwriters.com” has no non-wildcard domain names, so AutoSSL will skip this website.
The website “wordsandwriters.com”, owned by “josen”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.
The system will attempt to renew SSL certificates for the following websites:
wordsandwriters.com (wordsandwriters.com http://www.wordsandwriters.com mail.wordsandwriters.com webmail.wordsandwriters.com cpanel.wordsandwriters.com autodiscover.wordsandwriters.com webdisk.wordsandwriters.com)
The system has completed the AutoSSL check for “josen”.
root@wor.wordsandwriters.com [public_html]#

Moving forward, I suggest removing the 'txt' extension block from the "WP Defender" plugin settings, to avoid issues with future SSL renewals. If anything remains unclear, or if you have any other requests, feel free to let us know and we will gladly further assist.
7/31/17
Thank you for your patience. The SSL is properly installed, however the padlock is not appearing at https://wordsandwriters.com/pro-author-sites/?action=new_blog due to referencing content over http://. Reviewing the Chrome Developer Tools console, I'm showing the following:

Mixed Content: The page at 'https://wordsandwriters.com/pro-author-sites/?action=new_blog' was loaded over HTTPS, but requested an insecure font 'http://wordsandwriters.com/wp-includes/fonts/dashicons.ttf'. This request has been blocked; the content must be served over HTTPS.

In order for the padlock to be green, all page assets must be loaded via https. To correct this issue, I suggest reviewing the steps outlined at http://www.wpbeginner.com/wp-tutorials/how-to-add-free-ssl-in-wordpress-with-lets-encrypt/ for existing websites.
4/2/18
Thank you for the update! I've checked over the status of your service certificate and found that a self-signed certificate was installed. The AutoSSL function on the server was not working because of the wildcard hosting configuration preventing requests to the server hostname from being passed to cPanel (they were being taken by the WordPress installation).

I've altered the server configuration so that its hostname wor.wordsandwriters.com resolves to its primary IP 198.57.195.60 and verified that the AutoSSL tool was able to issue a certificate for the hostname and install it for your services:
https://wor.wordsandwriters.com:2087 (as well as FTP, IMAP, POP3 and SMTP).

The AutoSSL system will not work for your site's subdomains because they have not been configured as individual subdomains. Specifically, it does not support wildcard subdomains; the underlying providers (cPanel-COMODO and LetsEncrypt) also do not support this feature. At this time you would need to purchase a wildcard SSL certificate and have it installed to apply to all of the sites on subdomains of wordsandwriters.com. To allow AutoSSL to protect individual subdomains, add them to the account manually with the same document root as the original wildcard subdomain. We do sell wildcard certificates and there's more information about this here:
https://www.hostgator.com/help/article/wildcard-ssl
We can open a ticket to our billing team on your behalf regarding this if you like.
4/25/18
It looks to me that a Wildcard SSL will only work in the case that domains are accessed in the form of, to use your example:

https://newdomain.wordsandwriters.com

This is because while that SSL will cover any subdomain of wordsandwriters.com, no other domains are included. The best documentation I was able to find on this comes from a popular WP Multi Site development site:

https://premium.wpmudev.org/blog/ssl-domain-mapping/

You may want to get with someone more well versed in how Wordpress Multisite handles things before proceeding.

  • Adam Czajczyk

    Hello joejacobson

    I hope you're doing well today and thank you for your question!

    There are only two ways to sort that out. The first thing is to make sure that you got the main domain and sub-domain of that original main domain covered by SSL. In case of sub-domain based WP Multisite that can only be achieved by wild-card certificate. I understand that you already have that set up.

    However, such a certificate will not help with mapped domains. It's "a must" because you need to have the original domain and its sub-domains protected but then another step is necessary.

    That "another step" is either a multi-domain certificate (which, unfortunately, can be expensive and not quite easy to use) or an SNI support on a server. The "SNI" stands for "Server Name Indication" (see here: https://en.wikipedia.org/wiki/Server_Name_Indication) and it's a solution that lets you use multiple single-domain certificates on the same account. That means that if your host supports SNI you would be able to:

    1. use a single wild-card certificate for your main domain and all its subdomains
    2. add new certificate (separate for each one) for each mapped domain that you add (map) to any of the sub-sites.

    I'm not exactly sure how the auto-ssl feature works at your host but the SSL certification itself is a "server-side" thing, not a WP issue. Only these two ways (multi-domain or SNI) would solve the case.

    There is, however, a "workaround" that could work as well: you could use CloudFlare and they do issue free SSL certs so even with their free plan you could just put your mapped domains through them and configure CF to protect these domains with SSL.

    As for mixed content issues. That's a bit different thing. Assuming that you do have proper certs setup, the first thing to check is to make sure that the given site is actually

    - protected by SSL for an original sub-domain
    - set to use HTTPS connection (go to "Network Admin -> Sites" page and use "Edit" link there for the site to check if its "Siteurl" and "Home" options in "Settings" section start with https:// prefix)
    - do not contain any "hard coded" insecure resources (sometimes there's e.g. some CSS rule that calls out some image or font explicitly over HTTP - that will cause mixed content issues).

    If you got any follow up questions, please ask and I'll be glad to assist you further.

    Kind regards,
    Adam
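
Added example (not part of the original thread or of any host or plugin tooling): the coverage rules from the reply above, modelled in Python. It shows why a wildcard for wordsandwriters.com leaves mapped domains uncovered and how an SNI-capable server picks a separate certificate per mapped domain. The certificate labels, the www entry and the function names are constructed for illustration.

```python
from __future__ import annotations


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate SAN entry covers the hostname.

    Wildcard rule (RFC 6125): "*" is honoured only as the whole left-most
    label and stands for exactly one label, so *.example.com covers
    a.example.com but not example.com and not a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require a registrable domain after the wildcard label.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def select_certificate(certs: dict[str, list[str]], sni_name: str) -> str | None:
    """Model SNI: return the label of the first installed certificate whose
    SAN list covers the name the browser sent in its TLS ClientHello."""
    for label, sans in certs.items():
        if any(san_matches(san, sni_name) for san in sans):
            return label
    return None


def uncovered(certs: dict[str, list[str]], hostnames: list[str]) -> list[str]:
    """Hostnames for which no installed certificate would validate."""
    return [h for h in hostnames if select_certificate(certs, h) is None]


# Hostnames taken from the thread, plus a constructed "www." entry to show
# that www and non-www count as two separate names.
SITES = [
    "wordsandwriters.com",
    "barbaradee.wordsandwriters.com",
    "bobcarroll.wordsandwriters.com",
    "suncoastdigitalpress.com",
    "www.suncoastdigitalpress.com",
    "buildingyourleadershiplegacy.com",
]

# Constructed certificate inventory: label -> SAN entries.
WILDCARD_ONLY = {
    "wildcard": ["*.wordsandwriters.com", "wordsandwriters.com"],
}

# Same wildcard plus one certificate per mapped domain, served via SNI.
WILDCARD_PLUS_PER_DOMAIN = {
    **WILDCARD_ONLY,
    "suncoast": ["suncoastdigitalpress.com", "www.suncoastdigitalpress.com"],
    "legacy": ["buildingyourleadershiplegacy.com"],
}

if __name__ == "__main__":
    for name, certs in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + per-domain (SNI)", WILDCARD_PLUS_PER_DOMAIN)]:
        print(name)
        for host in SITES:
            print(f"  {host:40} -> {select_certificate(certs, host)}")
```
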

  • joejacobson

    Hi Adam,

    Thanks for the great instructions. I also looked over splaquet's thread, but I think I am going to try the Cloudflare for the mapped domains. I think I can achieve that with my skill level. The other option with SNI, etc, is too advanced for me.

    So if I go with Cloudflare, I don't really need the Domain Mapping plugin, right? I remember when I used it, I had to add the A record at the domain registrant. So, when I use Cloudflare, I see that they want me to add their nameservers at the registrant, but do I leave my server's A record in place or do I remove it? I don't quite understand what role Cloudflare plays and how it interacts with my server where my WP installation is in place.

    Thanks for your help, Joe.

  • Adam Czajczyk

    Hello joejacobson

    So if I go with Cloudflare, I don't really need the Domain Mapping plugin, right?

    The CloudFlare itself will not replace Domain Mapping. The simplest way to do this would be to actually set up the domain like there was no CloudFlare at all - so add it to your server like you normally do, map it and make sure that it's working (even if it gives you some mixed content/insecure errors).

    Then follow regular CloudFlare "wizard" to set nameservers and let them propagate so the domain would go "through" CF and then you can enable SSL on CF and that should be working out of the box as CloudFlare should be "transparent" - so on WP site's side it shouldn't make a difference.

    It's sort of like going from point A to point B by car, when you only have one road but at some point of that road you can either stay on original route and go around the mountain (that's no CF) or choose a tunnel and go "through" the mountain (that "tunnel" would be CF) - but that's still one road and both point A and point B are still exactly the same :slight_smile:

    Best regards,
    Adam

  • joejacobson

    Adam,

    Okay, I think I got it. Let me know if this is correct:

    1. Get a wildcard SSL set up with my server to protect the main domain and its subdomains.
    2. When a new site is created, and the user gets their own domain registered, use the Mapping Domain in the normal way setting up the A record at their registrar.
    3. Check the https: connection settings in the Network admin area.
    4. Then add the domain to CF. When I tried it, it automatically activated the SSL.

    Does that look good?

    I just checked one subdomain (kspaulsen.com) after adding the https in the Edit area, but it still loaded the non-secure version of the site. Of course, I have not yet added the wildcard SSL, but I did add it to CF and I believe the CF SSL is active. Will the CF SSL not work until I get the wildcard SSL set up?

    Thanks, Joe.

  • Adam Czajczyk

    Hi joejacobson

    Okay, I think I got it. Let me know if this is correct:

    1. Get a wildcard SSL set up with my server to protect the main domain and its subdomains.
    2. When a new site is created, and the user gets their own domain registered, use the Mapping Domain in the normal way setting up the A record at their registrar.
    3. Check the https: connection settings in the Network admin area.
    4. Then add the domain to CF. When I tried it, it automatically activated the SSL.

    Does that look good?

    That sounds right to me :slight_smile:

    I just checked one subdomain (kspaulsen.com) after adding the https in the Edit area, but it still loaded the non-secure version of the site. Of course, I have not yet added the wildcard SSL, but I did add it to CF and I believe the CF SSL is active. Will the CF SSL not work until I get the wildcard SSL set up?

    In theory, wild-card shouldn't be necessary but in practice I've never seen it properly working without it. It's mostly the case of how the theme, plugins and sometimes even content is built/"structurized". If all the resource URLs - and I literally mean all of them - would be "protocol-relative" (meaning having no http:// and https:// prefixes) then, with some "tweaks" to WP config it should be working. But in my opinion it's honestly not worth the effort and I've never seen it working properly without some heavy "customization/troubleshooting".

    So, a wild-card for the main domain solves the mixed content and similar issues in most cases (unless there are some changes required e.g. to URLs of assets in CSS or something similar but that's sometimes unavoidable).

    As for the domain that you already mapped. I tried to check it and I see it goes through Cloudflare already but I also see that it's currently redirecting from https to http. Therefore I'm not sure if you have just set it that way to avoid issues or there's some need to make changes in configuration. I think the best course of action would be to actually add the wild-card first and then if that still doesn't work as expected, we could troubleshoot that to find out why.

    Best regards,
    Adam

  • Adam Czajczyk

    Hi joejacobson

    Thanks for granting access!

    I checked the site and it's now running over SSL as expected, redirecting non-SSL to SSL as well.

    This was only a matter of mapped domain configuration in Domain Mapping. You have properly configured original sub-domain as it was set already to use https:// protocol. However, after mapping the domain to the site you would want to pay attention to the mapped domain prefix on "Tools -> Domain Mapping" page in the dashboard of the sub-site.

    So, I went to that page in the dashboard of the kspaulsen.com sub-site and noticed that the prefix for that mapped domain was "http://". There's a "key" icon on the left of the domain name and it's a "Toggle forced schema" switch. You can use it to switch between: forced HTTP, forced HTTPS and no schema. I switched it to "https://" and the site's running over SSL now.

    It seems that there's no mixed content errors as well so I think it should be fine now. Just note, please, to pay attention to that setting for other mapped domain in case you want to force SSL connection on them :slight_smile:

    Best regards,
    Adam

  • joejacobson

    Adam,

    Thanks for the help. Looks pretty good now, but I have a couple more questions:

    1. On these subsites now covered by SSL, I noticed that most of the pages (except the home page) do not have the green secure icon, but instead an information icon (see attached). Can I do anything to fix this?
    2. My primary domain (wordsandwriters.com) does not have the secure icon. Shouldn't it be fine without adding it to Cloudflare, or do I need to add it also?

    Thanks.

  • Adam Czajczyk

    Hi @joejacobson!

    1. On these subsites now covered by SSL, I noticed that most of the pages (except the home page) do not have the green secure icon, but instead an information icon (see attached). Can I do anything to fix this?

    I admit I didn't check pages other than homepage previously, I apologize. I checked them now and there are two issues there:

    1. I actually should tell you that earlier but I missed that - there's currently a bug in Domain Mapping that might be "causing Domain Mapping to cause mixed content errors". Mixed Content is when a "https enabled" site tries to load some resource (e.g. CSS file, an image etc) over "http" connection.

    In some cases Domain Mapping can "cause it to itself" due to that bug. Our developers are working on a solution and meanwhile a workaround would be to disable "Cross-domain auto-login" option in "Network Admin -> Settings -> Domain Mapping" settings. That's got a downside because whenever you try to go to a back-end of a sub-site that's got a domain mapped to it, you'll be asked to login again, instead of being automatically logged in, but should fix one of the mixed content errors that are breaking the "security seal".

    2. Apart from the issue described above there are actually "hard-coded" resources over non-SSL connection. On "kspaulsen.com/about-the-author/" there are these two images used that are breaking security padlock:

    kspaulsen.com/files/2016/04/Kris-Big-Sur-1-cropped-e1474827394633.jpg
    http://kspaulsen.com/files/2016/09/Storm-Shadow-Front-Cover-FINAL524.jpg

    Basically, you would need to find where are they called from (I think one's in top-left part of the text on page and the other one is in sidebar) and edit these places (post, widget) to update URLs of these images to start with "https".

    These changes together would make the padlock green again (full SSL security). Note please, while the #1 issue (Domain Mapping) you would need to set only once as it's a "sitewide setting", the other "mixed content" issues must be tracked down "per site" or even "per page" as other pages might not load any resources via "http" (and these should be fine) and some others might be loading different resources over "http".

    You can check it when you load a page and see that the security padlock is not green: if you are using Chrome browser, open its menu, go to "More Options" and enable "Developer Tools". It will show a tabbed box at the bottom of the screen so switch to "console" and reload the page. You will then see "Mixed Content" errors marked with yellow sign. The resources that are causing the issue (breaking SSL security) will be listed there, like this:

    The first one (marked with red) is the one coming from Domain Mapping (see #1 above). Two other are the images that I mentioned above that just need to be edited on site.

    2. My primary domain (wordsandwriters.com) does not have the secure icon. Shouldn't it be fine without adding it to Cloudflare, or do I need to add it also?

    I checked it and it does already have a valid SSL certificate for it installed (which is expected as you got a wild-card SSL for the main domain), though there are also a "mixed content" errors. Those should be addressed the same way as for any of the other sites, like explained above.

    As for editing its URL. Yes, you are right, it will not let you edit via "Network Admin -> Sites -> [Edit]". The main site is an exception and that should be handled in a different way. You'd basically want to "hack" a database a little bit:

    - access your site's database via phpMyAdmin (usually from cPanel)
    - find the "wp_options" table (note: I used default "wp_" prefix for this instruction but on your site prefix might be different - make sure that you found the _options table with prefix matching the one that's set in your "wp-config.php" file)
    - find two options there: siteurl and home
    - edit them both, replacing "http://" with "https://"

    That should do the trick :wink:

    Please make sure that you took a full backup before making that change. It's a simple change but dealing with a "raw database" is always risky so it's better to have backup at hand, just in case.

    Best regards,
    Adam
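
Added example (not from the thread or from any plugin): the manual DevTools check described above, done as a static scan in Python. It lists every subresource a page would fetch over http://, using a constructed HTML sample built around the font and image URLs quoted in this thread; the other URLs, the tag list and the function names are assumptions, and srcset and external stylesheets are not followed.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute whose URL the browser fetches as part of the page.
# <a href> is deliberately absent: a plain link is navigation, not mixed content.
FETCHING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
}
# <link> only fetches for these rel values (rel="canonical" does not).
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}
# url(...) references inside CSS, e.g. hard-coded fonts or backgrounds.
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (where, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        attr = FETCHING_ATTRS.get(tag)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                attr = None
        url = (attrs.get(attr) or "").strip() if attr else ""
        if url.lower().startswith("http://"):
            self.findings.append((f"{tag}[{attr}]", url))
        # Inline style="..." attributes can also pull in http:// resources.
        for css_url in CSS_URL.findall(attrs.get("style") or ""):
            self.findings.append((f"{tag}[style]", css_url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for css_url in CSS_URL.findall(data):
                self.findings.append(("<style>", css_url))


def find_mixed_content(html):
    """Return (location, url) pairs for subresources requested over http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page. The dashicons font URL and the Storm-Shadow image
# URL are the ones quoted in the thread; everything else is made up.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://kspaulsen.com/about-the-author/">
<link rel="stylesheet" href="https://kspaulsen.com/wp-content/themes/example/style.css">
<style>
@font-face { font-family: dashicons;
  src: url("http://wordsandwriters.com/wp-includes/fonts/dashicons.ttf"); }
</style>
</head><body>
<a href="http://kspaulsen.com/">Home</a>
<img src="http://kspaulsen.com/files/2016/09/Storm-Shadow-Front-Cover-FINAL524.jpg">
<img src="https://kspaulsen.com/files/example-ok.jpg">
<img src="//kspaulsen.com/files/example-relative.jpg">
<div style="background: url(http://kspaulsen.com/files/example-bg.png)"></div>
</body></html>
"""

if __name__ == "__main__":
    for where, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{where:12} {url}")
```
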

  • joejacobson

    Hi Adam,

    Thanks for the detailed instructions. For the subsites, I added SSL with Cloudflare and then just for fun I installed Really Simple SSL and activated on each subsite. That seemed to take care of all issues. All my pages are now protected by SSL. Is that okay to do? Kind of the lazy person's approach.

    However, that didn't work for my primary domain. Of course that one is using the wildcard SSL provided by my host. Footnote: found out my host installed Let's Encrypt on the server, so now all my other domains not related to Wordsandwriters.com can have their own SSL. Seems like more hosts and domain registrants are starting to provide this free of charge. However, I suppose this won't help me with my multi-site installation, right? It would be nice if somehow it could help where I wouldn't need Cloudflare. What do you think? One other question: do you think it would work to add my primary domain on Cloudflare to have them protect it with SSL or would this interfere with my wildcard SSL?

    Anyway, I went to my phpMyAdmin and found the correct database (I believe), but the domain listed was a default template subsite. See attached image. Does this look right, or perhaps I have the wrong database. I looked in my config.php file and did not see any prefix.

    I didn't do the change on my cross-domain settings because I don't want to confuse my subsite users.

    Thanks for your help.

  • Adam Czajczyk

    Hello @joejacobson!

    For the subsites, I added SSL with Cloudflare and then just for fun I installed Really Simple SSL and activated on each subsite. That seemed to take care of all issues. All my pages are now protected by SSL. Is that okay to do? Kind of the lazy person's approach.

    Yeah, that's fine :slight_smile: If it works well for you, that's okay to use it :slight_smile:

    However, that didn't work for my primary domain. Of course that one is using the wildcard SSL provided by my host. Footnote: found out my host installed Let's Encrypt on the server, so now all my other domains not related to Wordsandwriters.com can have their own SSL. Seems like more hosts and domain registrants are starting to provide this free of charge. However, I suppose this won't help me with my multi-site installation, right? It would be nice if somehow it could help where I wouldn't need Cloudflare.

    Let's Encrypt is cool, indeed. You could use it for mapped domains, I believe, though I'm not sure about the main domain. I mean: you need that wildcard thing. Let's Encrypt didn't support it in the past but I heard that now it's possible to use it for the domain and its subdomains. But I honestly admit that I didn't have a chance to research that much and test yet (actually my own host added Let's Encrypt support only about a week ago, so before that I never used it personally at all and I only just added it to one single site for testing). I think, though, that it might be a working solution but you might want to read more on Let's Encrypt pages, I believe they got some documentation/FAQs on that :slight_smile:

    One other question: do you think it would work to add my primary domain on Cloudflare to have them protect it with SSL or would this interfere with my wildcard SSL?

    CloudFlare is "in front" of your site, so to say. That shouldn't interfere. Though I'm not sure how it will behave in case when CF (with SSL enabled) actually gets a "mixed content" from already SSL-protected site. I never tried to use it like that - I only used CF to add SSL to a regular non-SSL sites and that worked fine.

    Anyway, I went to my phpMyAdmin and found the correct database (I believe), but the domain listed was a default template subsite. See attached image. Does this look right, or perhaps I have the wrong database. I looked in my config.php file and did not see any prefix.

    Hm.... that doesn't exactly look like the right thing to be there. I'm not sure if it's a right database or table because the main site is at "domain.com" and not "defaulttemplate.domain.com", right? If so, that doesn't seem to be a proper thing.

    But it's sort of difficult to help more without actually seeing it. I could take a look there but I'd need to get access to the database. You could enable support access to the site by going to the "WPMU DEV -> Support" page and clicking on "Grant support access" and then a text box will appear under the "Access active for X days" green button. In that box you could put access credentials - preferably to entire cPanel (or similar panel that you are using to manage your server) - that would let me access the database and I would check that for you.

    Just let me know if you want me to :slight_smile:

    I didn't do the change on my cross-domain settings because I don't want to confuse my subsite users.

    That's understandable of course but I'm afraid in that case some of these mixed content errors will only be resolved once a Domain Mapping update containing a fix is released, though I don't have an ETA on this, I'm afraid.

    Kind regards,
    Adam

  • Adam Czajczyk

    Hello @joejacobson!

    Thanks for sharing credentials :slight_smile:

    I have accessed the database and made the change so the main site has now both "Site Address (URL)" and "WordPress Address (URL)" (which, in db, is named "home") set to start with https:// prefix.

    I also found why you couldn't do that and it's actually my fault, for which I apologize. Let me explain:

    In WordPress Multisite the database has slightly different structure than in regular single WP install. Your database prefix in "wp_config.php" is set to "wp_" and that means that the _options table on single install would be "wp_options".

    On Multisite, however, you will find not just one "_options" table but as many of them as you got sub-sites on your site. You will see for example "wp_10_options", "wp_129_options", "wp_131_options" and... "wp_options".

    That is because there's such table for the main site and for each sub-site. The main sub-site is the "wp_options" one and those with "numbers" in name are for sub-sites. When you look through the phpMyAdmin tables are sorted "alphabetically" but such sorting is a bit "broken" if there are numbers. So I believe that you looked through tables to find "_options" table and the first one that you can find this way is "wp_131_options" which is... the "defaulttemplate.yourdomain.com" site :slight_smile:

    So, I should have been a bit more specific and mention that there are multiple tables like this and explain how to find the right one - which is just "wp_options", without any number in its name.

    Anyhow, it's set now so the main site is configured for SSL as well. It's not forcing SSL but it's using it if accessed via https:// prefixed link and not redirecting to no-SSL version.

    Best regards,
    Adam
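
The table layout described in the reply above can be audited in one pass instead of by eye in phpMyAdmin. This is an added example, not part of the original reply: it uses an in-memory SQLite database as a stand-in for the MySQL one, the URLs are constructed sample values, and the function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample data: table names follow the thread, URLs are made up.
# SQLite stands in for the MySQL database so the example runs offline.
SAMPLE = {
    "wp_options": ("http://example.test", "https://example.test"),
    "wp_10_options": ("https://a.example.test", "https://a.example.test"),
    "wp_129_options": ("https://b.example.test", "https://b.example.test"),
    "wp_131_options": ("http://defaulttemplate.example.test",
                       "http://defaulttemplate.example.test"),
}

def build_sample_db():
    db = sqlite3.connect(":memory:")
    for table, (siteurl, home) in SAMPLE.items():
        db.execute(f'CREATE TABLE "{table}" (option_name TEXT, option_value TEXT)')
        db.executemany(f'INSERT INTO "{table}" VALUES (?, ?)',
                       [("siteurl", siteurl), ("home", home)])
    db.execute('CREATE TABLE "wp_131_posts" (id INTEGER)')  # must be ignored
    return db

def options_tables(db, prefix="wp_"):
    """Return {table: site}; site is None for the main site, else the sub-site number."""
    pattern = re.compile(rf"^{re.escape(prefix)}(?:(\d+)_)?options$")
    found = {}
    for (name,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        m = pattern.match(name)
        if m:
            found[name] = int(m.group(1)) if m.group(1) else None
    # Main site first, then sub-sites in numeric (not alphabetical) order.
    return dict(sorted(found.items(), key=lambda kv: (kv[1] is not None, kv[1] or 0)))

def audit_https(db, prefix="wp_"):
    """List (table, site, option, value) for every siteurl/home not starting with https://."""
    findings = []
    for table, site in options_tables(db, prefix).items():
        # Table names come from the catalogue and passed the regex above.
        rows = db.execute(f'SELECT option_name, option_value FROM "{table}" '
                          "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name")
        for option, value in rows:
            if not value.lower().startswith("https://"):
                findings.append((table, "main" if site is None else site, option, value))
    return findings

if __name__ == "__main__":
    for row in audit_https(build_sample_db()):
        print(row)
```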

  • joejacobson

    Hi Adam,

    Back again. I'm still working on the implementation of all your suggestions. One thing I'm not clear on is how do I actually change an image, for example, from http to https. In the image editor, the Media library??

    Another strange thing has happened also regarding my three test sites that I mapped by the plugin and that are now on Cloudflare for the SSL. In the beginning, they worked fine, but last week, I had a DDoS attack that shut down all my sites. I contacted my host and they found the culprit out of Brazil and they blocked that IP. Then my sites came back, except for the three subsites below:
    http://kspaulsen.com/
    http://buildingyourleadershiplegacy.com/
    http://suncoastdigitalpress.com/

    After the fix was complete following the DDoS, it dawned on me that the only three sites with the "Forbidden" error are the ones on Cloudflare.

    Have any ideas why this may be happening now?

    I have granted access and the WHM login is still in the box below the Grant Access.

    Thanks, Joe.

  • Adam Czajczyk

    Hello @joejacobson!

    One thing I'm not clear on is how do I actually change an image, for example, from http to https. In the image editor, the Media library??

    No, you don't have to change anything like that. If the site/sub-site is set to use SSL (https:// prefix) already, all its resources would be automatically updated.

    However, I assume that you're asking about it because of some "mixed content" issues. The thing is: while the site is set to use SSL, there still might be some images in posts/pages/theme loaded over http connection because their URLs are "hard coded".

    For example:

    - you got a "test.domain.com" sub-site and it's already set to SSL so the URL is "https://test.domain.com"
    - there's an "about" page at "https://test.domain.com/about"
    - that page is "insecure" because of "mixed content" issue because a "team.jpg" image in the page content is loaded over http://

    This means that the image was added to the page content while the site was still via http and the URL starting with "http://" was saved. What you would need to do would be to actually edit that "about" page and edit the image in that post - replace it with the very same image from media library and update; this way the image URL would be updated.

    That applies to posts/pages and any "editable content". There might also be some images like that that are part of the theme; in such case theme files would have to be edited to replace http:// prefix with https:// prefix in images' URLs.

    (...) After the fix was complete following the DDoS, it dawned on me that the only three sites with the "Forbidden" error are the ones on Cloudflare.

    I have just visited all these three sites and they all loaded fine for me, with no errors and other issues. Did you manage to solve that meanwhile or are you still seeing them as "forbidden"?

    Best regards,
    Adam
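
The "mixed content" case described in the reply above (a hard-coded `http://` image or background on a page served over https) can be found by scanning the rendered HTML. This is an added example, not part of the original reply: the sample page is constructed around the reply's "test.domain.com/about" illustration, and the class and function names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is plain
# navigation, not a subresource, so it is deliberately absent.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        names = FETCH_ATTRS.get(tag, ())
        # Only <link> elements that load a stylesheet or icon fetch anything.
        if tag == "link" and not {"stylesheet", "icon"} & set(attrs.get("rel", "").lower().split()):
            names = ()
        for name in names:
            value = attrs.get(name, "").strip()
            candidates = ([c.split()[0] for c in value.split(",") if c.strip()]
                          if name == "srcset" else [value])
            self.findings += [(tag, name, u) for u in candidates
                              if u.lower().startswith("http://")]
        # Inline style="background: url(http://...)" is fetched too.
        self.findings += [(tag, "style", u) for u in CSS_URL.findall(attrs.get("style", ""))]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings += [("style", "css", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for https://test.domain.com/about
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://test.domain.com/about">
<style>body { background: url('http://test.domain.com/wp-content/uploads/bg.jpg'); }</style>
</head><body><a href="http://test.domain.com/contact">Contact</a>
<img src="http://test.domain.com/wp-content/uploads/team.jpg">
<img src="//test.domain.com/wp-content/uploads/logo.png"></body></html>"""
```

On the sample page only the theme background and "team.jpg" are reported; the canonical link, the plain hyperlink and the protocol-relative logo are not.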

  • joejacobson

    Hi Adam,
    Thanks, now I get it with replacing images. On my main site, it turned out that only one image was mixed content--the background. The whole site is now showing the green secure lock.

    Regarding the forbidden sites, they do not come up for me. Maybe my IP is being blocked (73.70.137.110). I checked with one of the site users (kspaulsen.com), and she also got the forbidden error, so it must be more than just my IP. This user is in a nearby town. So could it be something else is blocking the sites by region of the world? By the way, I also cannot get into the backend of these three sites.

    Thanks,

  • Predrag Dubajic

    Hi joejacobson,

    It seems like there's indeed some country related blocking active there, I'm from Serbia and I'm getting "Forbidden" message on all three domains.
    Adam is from Poland and since it worked for him I activated VPN and did some testing by visiting your domains from different locations, and sure enough, I was able to do so from certain countries.

    So I checked with https://www.uptrends.com/tools/uptime tool as well and there are again different results coming from a different location.

    I would suggest getting in touch with your hosting provider and check if they have any country filtering active that could be causing this.

    Best regards,
    Predrag

  • wooster

    Sorry for reviving this, but I have a similar situation, though more complicated. I have a WordPress multisite setup as subdomains of a subdomain, i.e., blog.site.domain.tld. The main site is at site.domain.tld and my sysadmin has installed a wildcard SSL for *.site.domain.tld. All of the sites in the network are secure but the main site at site.domain.tld is not and gives a warning with this setup. This is problematic as users log in on the main site to access their other sites and having a big old security warning is not cool. How can one go about securing the main site and the network sites? I have the same setup on my personal DreamHost VPS that I use for testing with the addition of Domain Mapping in the mix. I'm just now trying to play around with securing the DreamHost setup as a way to test the work related setup. Thanks.

    • Adam Czajczyk

      Hello wooster

      I hope you're well today!

      From what you described, I think this might be a different issue here and it may actually be related to some "mixed content errors" or CORS problems. Could you please start a separate ticket of your own regarding this?

      Please describe the issue there and also make sure that you have enabled support access to the site (you can do it on "Network Admin -> WPMU DEV -> Support" page in your site's back-end) so we could access the site and check it.

      We'll then assist you there.

      Kind regards,
      Adam
