Wildcard SSL setup for a WP multisite with subdomains and custom domains

matic.mj · September 10, 2019, 1:13am

Keywords: WordPress Multisite - AWS - How to - Secure Connections (SSL/HTTPS)
Description:
Hi all!

We have an AWS Lightsail WP multisite setup with several sites (currently testing with 3 sites, but planning to scale this to hundreds or thousands). Some of the sites are on subdomains of our main site’s domain and some of the sites are using custom domains.

We need all the sites to be on HTTPS and ideally we need a quick & seamless way to add additional certificates whenever we add a new custom domain.

We tried bncert-tool, but we’re faced with several issues:

Most importantly, it doesn’t work for subdomains of our main domain. Is there a way to use it to set up a wildcard SSL?
Every time when running the tool we need to list all the domains. Is there no better way, e.g. to just append the new domains?
This causes 10-20 seconds of downtime (which might increase as we add more domains?). Is there no way to avoid it or at least minimize it?

Thanks in advance!

michiel · September 10, 2019, 7:46am

Hi @matic.mj,

Wildcard certificates, and appending new domains are currently not supported but it does support issuing all domains at once.

Unfortunately not, though the bncert tool minimizes the downtime, but it does require Apache to be stopped for the domain verification. For large quantities of domains the downtime will increase as all domains need to be verified.

Please, click on if you think my answer was helpful

matic.mj · September 10, 2019, 9:06pm

Thanks a lot for your answer @michiel! Can you recommend what would be a better solution for us then? I’m not very familiar with SSL, so I’m lacking some knowledge about what’s possible.

Is it better for us to follow a more manual process, such as the one described in this AWS doc? We’ve done this in the past and it supports wildcard domains. It would also let us add just one domain at a time when we need to. But manually renewing the certificates will be a pain.

Or is it better to get some paid certificate maybe, if that helps at all?

Thanks in advance.

jota · September 11, 2019, 8:46am

Hi @matic.mj,

As @michiel mentioned, wildcards are not supported in our tool but you can follow our alternative approach to configure the SSL certificates in your instance.

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

However, to use wildcards, you will need to use the DNS validation when running the lego tool as the official Let’s Encrypt documentation explains

https://letsencrypt.org/es/docs/challenge-types/

Please note that the Lightsail documentation is not maintained by us and don’t know if you will find any problem when following it.

Let us know if you have any questions

matic.mj · September 12, 2019, 12:01am

Thanks all for help. In the end we decide to follow the above mentioned AWS guidelines, since those were more specific for our use case. Seems to work well for now.

thabisobux · October 16, 2019, 7:36am

Good day,

I just went through this article :https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach and it looks like it’s unix commands.

I’d like to findout if is there an article for windows?

Kind Regards,

jota · October 16, 2019, 8:49am

Hi @thabisobux,

You can find a similar thread in this community forum, can you take a look at it?

If you have any questions, could you please create a new topic in this community forum? This way our team can evaluate your configuration and help you to generate the certificates.

Regards

jota · October 16, 2019, 8:49am

vikram-bitnami · December 12, 2019, 9:11am

We have updated our guide at https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/ with information about this point.