SSL for subdomains on a Multisite

I have been trying now for over a year to figure out how to have all my subdomains on my multisite covered by an SSL certificate so that the Google warning does not come up warning of an unsecure site. I am hoping you can help me accomplish this once and for all!

My primary domain (wordsandwriters.com) is covered by a Free AutoSSL with my Host (Hostgator), but I have written to them many times on how to cover the rest of the subdomains…and I have not been successful in achieving this. First, I thought I could use a wildcard SSL, but then they told me that would cover only the subdomain (site1.wordsandwriters.com) but not the domain name mapped to that subdomain through the Domain Mapping plugin. Then, I bought a MultiDomain SSL, but that is even more confusing, requiring many more steps and they said it would take two certificates to cover one website (one for the subdomain and one for its mapped domain), and they charge $25 for each install and another fee if you add additional domains mid year.

I am using the Domain Mapping plugin, and I hope that this plugin can help me in some way to simplify this project. The hosting company administrators do not understand WP multisites or this mapping plugin.

It just seems that there must be an easier way. Am I making this more complicated than it needs to be? All I want to do is offer my subsite owners the option of a site covered by SSL. Below is the log of my email conversations with my Host about SSL.


Email logs from my Hosting (Hostgator) for Multi Domain SSL

5/10/18

The Multidomain SSL can not be installed on one domain. We need at least two domains to proceed with the Multi-domain SSL installation. If you wish to have the SSL installed on only one domain 'suncoastdigitalpress.com' then I suggest you install Comodo Positive SSL or Comodo SSL. To know more about the SSL, please refer to the link: http://support.hostgator.com/articles/ssl-certificates/how-do-i-obtain-an-ssl-certificate .

Also, the domain 'suncoastdigitalpress.com' is not pointing to any hosting package. In order to proceed with the SSL installation, the domain should be pointing towards the hosting package, please add the domain as addon to the hosting package 'DC-57595' by referring the article: https://support.hostgator.com/articles/cpanel/how-do-i-create-and-remove-an-addon-domain

Once the domain is added as addon to the hosting package 'DC-57595', please reply to us with the type of SSL. After that we will adjust payment and proceed with the SSL installation.

6/17/18

Thank you for your questions. I am not clear on your description of the mapped domains that are part of a WordPress multisite installation as noted in the Reply #5 entry of this ticket. In a multi-domain SSL, each entry is separate. For instance, with a Multi-Domain SSL the www and non-www version of a domain are considered two separate host names, so if you wish an SSL to work for both http://www.mydomain.com and mydomain.com these would use up two host names.

If you decide to add extra domains mid-year, then we will need to reissue and reinstall your SSL certificate. The price is $25 per each domain.

Adding extra domains does not renew your certificate; the expiration date remains the same.

There is also a $25 reissue/reinstall fee if you have us reissue the SSL at a later time.

See https://www.hostgator.com/help/article/multi-domain-ssl

A Multi-domain SSL can cover domains hosted on different servers or in different cPanels of the same server. We use Apache Mod SSL software for our Linux and Windows servers. All domains in one Multi-domain SSL will use the Apache Mod SSL software.

If you plan to cover domains on non-HostGator servers, we will need to have you check if they can use that software for the SSL.

Your MDSSL order, if I understand correctly, is to cover two domains to start: suncoastdigitalpress.com and barbaradee.wordsandwriters.com

To validate your control over barbaradee.wordsandwriters.com the DCV email admin@wordsandwriters.com is useable.

To validate your control over suncoastdigitalpress.com one of these addresses needs to be used:

admin@suncoastdigitalpress.com

administrator@suncoastdigitalpress.com

hostmaster@suncoastdigitalpress.com

postmaster@suncoastdigitalpress.com

webmaster@suncoastdigitalpress.com

Each entry in the MDSSL will cover that entry's domain (or subdomain) and each entry needs to have your control over it validated by Comodo, our SSL provider, by them sending a Domain Control Validation (DCV) email to you. Each one will be different.

6/16/18

Hello,

Thank you for contacting HostGator. Please be aware that our SSL provider requires us to verify ownership of a domain before they will issue the certificate. Verification is completed via email. Currently, we can use any of the following email addresses for this:

suncoastdigitalpress.com

admin@suncoastdigitalpress.com

administrator@suncoastdigitalpress.com

hostmaster@suncoastdigitalpress.com

postmaster@suncoastdigitalpress.com

webmaster@suncoastdigitalpress.com

barbaradee.wordsandwriters.com

admin@wordsandwriters.com

administrator@wordsandwriters.com

hostmaster@wordsandwriters.com

postmaster@wordsandwriters.com

webmaster@wordsandwriters.com

Please let us know which email address you would like to use for validation. If you would like to use an email address that you do not see on this list, then you would need to add that email as the administrative contact in your domain whois information. Alternatively, you can create a forwarder within your control panel if one of the above emails does not exist. We are glad to assist with this if needed.

Please note: If you are pointing your domain to us via a custom A record, then you will need to manually update your DNS settings when the dedicated IP is assigned. A dedicated IP address is required for the SSL installation. Please disregard this note if you are pointing your domain to us via the name servers.

6/15/18

Yes, you need to add the subdomains along with the main domain as addon domain to the package 'DC-57595'; only then can we proceed with the SSL installation. It is not possible to install multi domain SSL for one domain now and later add another domain. To do so, we need at least two domain names. So, please reply to this ticket with at least one additional domain so that we can assist you further.

My Response

Okay, please use admin@wordsandwriters.com for validation. Does this validation work for all future domains that receive an SSL? I will do the Add On domains as instructed below. Is this correct?

1. Do the Add On domain process for: barbaradee.wordsandwriters.com and its mapped domain suncoastdigitalpress.com;

2. Do the Add On domain process for the second one: bobcarroll.wordsandwriters.com and its mapped domain buildingyourleadershiplegacy.com

Please advise so I can go ahead with the Add On Domains. In a follow up email, you mentioned I will need to manually change the DNS records if I used an A Record. I did use an A record for each of the domains. I don't know how to do this, but this comes after you install the SSL certificate, right?

Thanks, Joe.

Questions about the Auto SSL configuration for primary domain only (not subdomains):

6/14/17

Thank you for your patience. AutoSSL was failing to issue an SSL for wordsandwriters.com due to the following restrictions against .txt files set in the public_html/.htaccess file:

root@wor.wordsandwriters.com [public_html]# tail .htaccess

## WP Defender – Prevent information disclosure ##

<FilesMatch ".(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">

Order allow,deny

Deny from all

</FilesMatch>

<Files robots.txt>

Allow from all

</Files>

## WP Defender – End ##

root@wor.wordsandwriters.com [public_html]#

To avoid issues, I temporarily removed the 'txt' extension from the block list above, and the installation completed without issues:

root@wor.wordsandwriters.com [public_html]# /usr/local/cpanel/bin/autossl_check --user josen

This system has AutoSSL set to use “cPanel (powered by Comodo)”.

Checking websites for “josen” …

The website “*.wordsandwriters.com”, owned by “josen”, has no SSL certificate. AutoSSL cannot provide wildcard SSL certificates, and “*.wordsandwriters.com” has no non-wildcard domain names, so AutoSSL will skip this website.

The website “wordsandwriters.com”, owned by “josen”, has no SSL certificate. AutoSSL will attempt to obtain a new certificate and install it.

The system will attempt to renew SSL certificates for the following websites:

wordsandwriters.com (wordsandwriters.com http://www.wordsandwriters.com mail.wordsandwriters.com webmail.wordsandwriters.com cpanel.wordsandwriters.com autodiscover.wordsandwriters.com webdisk.wordsandwriters.com)

The system has completed the AutoSSL check for “josen”.

root@wor.wordsandwriters.com [public_html]#

Moving forward, I suggest removing the 'txt' extension block from the "WP Defender" plugin settings, to avoid issues with future SSL renewals. If anything remains unclear, or if you have any other requests, feel free to let us know and we will gladly further assist.

7/31/17

Thank you for your patience. The SSL is properly installed, however the padlock is not appearing at https://wordsandwriters.com/pro-author-sites/?action=new_blog due to referencing content over http://. Reviewing the Chrome Developer Tools console, I'm showing the following:

Mixed Content: The page at 'https://wordsandwriters.com/pro-author-sites/?action=new_blog' was loaded over HTTPS, but requested an insecure font 'http://wordsandwriters.com/wp-includes/fonts/dashicons.ttf'. This request has been blocked; the content must be served over HTTPS.

In order for the padlock to be green, all page assets must be loaded via https. To correct this issue, I suggest reviewing the steps outlined at http://www.wpbeginner.com/wp-tutorials/how-to-add-free-ssl-in-wordpress-with-lets-encrypt/ for existing websites.

4/2/18

Thank you for the update! I've checked over the status of your service certificate and found that a self-signed certificate was installed. The AutoSSL function on the server was not working because of the wildcard hosting configuration preventing requests to the server hostname from being passed to cPanel (they were being taken by the WordPress installation).

I've altered the server configuration so that its hostname wor.wordsandwriters.com resolves to its primary IP 198.57.195.60 and verified that the AutoSSL tool was able to issue a certificate for the hostname and install it for your services:

https://wor.wordsandwriters.com:2087 (as well as FTP, IMAP, POP3 and SMTP).

The AutoSSL system will not work for your site's subdomains because they have not been configured as individual subdomains. Specifically, it does not support wildcard subdomains; the underlying providers (cPanel-COMODO and LetsEncrypt) also do not support this feature. At this time you would need to purchase a wildcard SSL certificate and have it installed to apply to all of the sites on subdomains of wordsandwriters.com. To allow AutoSSL to protect individual subdomains, add them to the account manually with the same document root as the original wildcard subdomain. We do sell wildcard certificates and there's more information about this here:

https://www.hostgator.com/help/article/wildcard-ssl

We can open a ticket to our billing team on your behalf regarding this if you like.

4/25/18

It looks to me that a Wildcard SSL will only work in the case that domains are accessed in the form of, to use your example:

https://newdomain.wordsandwriters.com

This is because while that SSL will cover any subdomain of wordsandwriters.com, no other domains are included. The best documentation I was able to find on this comes from a popular WP Multi Site development site:

https://premium.wpmudev.org/blog/ssl-domain-mapping/

You may want to get with someone more well versed in how WordPress Multisite handles things before proceeding.
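
The coverage question running through the emails above (a wildcard entry covers one label under wordsandwriters.com but no mapped domain, and every multi-domain entry is its own host name) can be checked with a short script. This is an added example, not part of the original post or HostGator's replies; the host names come from the post, while the `www.suncoastdigitalpress.com` variant and the three SAN lists are constructed for illustration.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers a.example.com but not
    example.com or a.b.example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as *.com.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(san_entries, hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Host names a visitor can reach on the multisite described in the post.
SITE_HOSTNAMES = [
    "wordsandwriters.com",
    "www.wordsandwriters.com",
    "barbaradee.wordsandwriters.com",
    "bobcarroll.wordsandwriters.com",
    "suncoastdigitalpress.com",           # mapped to barbaradee
    "www.suncoastdigitalpress.com",       # assumed www variant (constructed)
    "buildingyourleadershiplegacy.com",   # mapped to bobcarroll
]

# Constructed SAN lists for the certificate types discussed in the emails.
WILDCARD_ONLY = ["*.wordsandwriters.com"]
WILDCARD_PLUS_APEX = ["wordsandwriters.com", "*.wordsandwriters.com"]
MULTI_DOMAIN = ["suncoastdigitalpress.com", "barbaradee.wordsandwriters.com"]

if __name__ == "__main__":
    for name, sans in [("wildcard only", WILDCARD_ONLY),
                       ("wildcard + apex", WILDCARD_PLUS_APEX),
                       ("multi-domain order", MULTI_DOMAIN)]:
        print(f"{name}: not covered -> {uncovered(sans, SITE_HOSTNAMES)}")
```

Any host name the script reports as not covered will produce a browser certificate warning when visited over HTTPS, regardless of how the Domain Mapping plugin routes it.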