400 Bad Request after installing LetsEncrypt SSL on WordPress Multisite installation

Hey there,
I am an old lover of EasyEngine and have used it for dozens of projects. So, first of all, thank you frtCamp for creating EasyEngine.

Most of my WordPress installations are single site installation. Have successfully installed multisite as well but without Let’s encrypt SSL support.

This question is about the issues I am having with WordPress Multisite installation with Subdomain, domain mapping and Let’s Encrypt SSL installation capabilities on each subdomain and mapped domains.

Everything works perfectly. The only issue I am facing is - Whenever I type domain.com or http://domain.com or http://www.domain.com ( all without HTTPS) it shows:

‘400 Bad Request’ ( The plain HTTP request was sent to HTTPS port)

Let me tell you how I did everything so that you can help me:

After setting up EasyEngine on my server, I installed WordPress Multisite with subdomain with fast-CGI like this:

ee site create domain.com --wpsubdom --wpfc

After successful installation, installed domain mapping plugin ( from WPMUDEV), configure it by moving sunrise.php and setting up wp-config.php

In wp-config.php, I write:

define( ‘NOBLOGREDIRECT’, ‘http://www.presspeace.com’ );
define(‘SUNRISE’, ‘on’);

To point my server IP to my primary domain, Added this line to /etc/hosts ( it is needed for proper domain mapping)

43.228.XXX.6 domain.com www.domain.com

After this, I ran:

sudo nginx -s reload

but then I get this error:

unable to resolve host cloudrino

So, to resolve this error, I ran the following command to fix this:

hostname server.domain.com

Uncommented these two lines from etc/nginx/site-available/ as needed for domain mapping:

Uncomment the following line for domain mapping

listen 80 default_server;

server_name presspeace.com   *.presspeace.com;

# Uncomment the following line for domain mapping
server_name_in_redirect off;

Removed “default” configuration from /etc/nginx/sites-enabled


ee stack restart --all
ee clean --all to clear all types of caching.

As of now, everything was working perfectly well, I was able to create new subdomain sites and then map it to external primary domain. So, Now I can open :slight_smile:
domain.com ( primary site)

Now, I started configuring Let’s Encrypt Multiste installation.

Since, Let’s Encrypt officially doesn’t support SSL installtions for each subdmains or mapped domain on a multisite. So, the EasyEngine way of Let’s encrypt installation doesn’t work here.

So, based on tutorial written here: https://easyengine.io/tutorials/nginx/letsencrypt/ and Create SSL with multisite domain mapping?

I installed Let’s encrypt SSl like this:

Ran this command:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Now ran this:

./letsencrypt-auto certonly --webroot -w /var/www/domain.com/htdocs/ -d domain.com -d sub1.domain.com -d mappeddomain1.com -d mappeddomain2.com --email myemail@gmail.com --text --agree-tos

The work was not yet over.

Now, I needed to configure these certificates, based on tutorial: https://easyengine.io/tutorials/nginx/letsencrypt/

I noticed I don’t have any ssl.conf file at /var/www/domain.com/conf/nginx/ssl.conf ( Don’t know why? Do I manually need to create it or have I done any mistake above? )
So, created a new ssl.conf file and added this line here:

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

I also wanted HTTP to HTTPS redirection , so created force-ssl.conf file at /etc/nginx/conf.d/force-ssl.conf
and add following Nginx config into it:

server {
listen 80;
server_name www.domain.com domain.com;
return 301 https://domain.com$request_uri;

and then at last, reloaded Nginx

nginx -t && service nginx reload

Now when I checked my sites, I noticed that the SSL certificates have been installed correctly on all mapped domain, subdomains and primary domain. So, I was able to open:

https://domain.com ( primary site)

But when I simply tried to write these domains/subdomains without HTTPS, it gave this error:

400 Bad Request

The plain HTTP request was sent to HTTPS port

So, the redirection was not working, I read a lot many articles, tutorials… modified ssl.conf and force-ssl.conf based on it. Tried everything, but still not able to avoid this error.


Here are my code details for various important file type:

This is /etc/nginx/sites-enabled/domain.com or /etc/nginx/sites-available/domain.com

server {

# Uncomment the following line for domain mapping
listen 80 default_server;

server_name presspeace.com   *.presspeace.com;

# Uncomment the following line for domain mapping
server_name_in_redirect off;

access_log /var/log/nginx/presspeace.com.access.log rt_cache; 
error_log /var/log/nginx/presspeace.com.error.log;

root /var/www/presspeace.com/htdocs;

index index.php index.html index.htm;

include common/wpfc.conf;      
include common/wpcommon.conf;
include common/locations.conf;
include /var/www/presspeace.com/conf/nginx/*.conf;
subs_filter http:// https://;


This is /var/www/presspeace.com/conf/nginx/ssl.conf

listen 443 ssl http2;
listen [::]:443 ipv6only=on ssl http2; #add ipv6 support
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;


server { listen 80; listen [::]:80; server_name domain.com *.domain.com; return 301 https://$server_name$request_uri; }


Thank you.

For the 10000th time: currently EE does not support multisite + Let’s Encrypt. You are kinda alone with your troubles.

Hey portofacil,

Thank you so much for the response.

Yes, I am aware that currently, EE doesn’t support Let’s Encrypt on Multisite, and I have mentioned this fact in my thread above as well.

But, in no way, I am the only one, who is looking for this or have this trouble. Many users like me are hopefully waiting for any official solution. There are dozens of similar posts here on rtcamp as well as on internet regarding this.

In fact, one very kind user “kingkool68” came with a solution and many other users has succesfully set-up SSL on multisite based on this. Here is the link: Create SSL with multisite domain mapping?

I tried it as well and was successful too, get the SSL work but now my issue is - when I open any non-https links ( like domain.com or http://domain.com ), it displays 400 Bad request error.

You are very experienced developer. If you give it a look. I hope, you can figure out something from it. So, please give it a try.

Thank you,

Sorry, I don’t work as an EE developer. Also, it is a free, open source solution. Anyone could fork the project and fix its errors or weaknesses.

If you are under such pressure, perhaps your best path is hiring a paid developer to work it out.

Demanding a solution for your trouble on a user-to-user forum is inefficient, to say the least.

Hi @portofacil, Thank you again for the response.

No, I am not in any hurry. I am doing this on a test site ( on a test KVM server ) for the learning purpose so that I can be able to set up a multisite with Free SSL configuration for my future project.

Regarding being demanding. Well, if requesting for a solution or using ‘please’ word can be termed as demanding, I take those words back. :slight_smile:

I have been on several forums and have posted thousands of questions. I am fully aware that this is a user-to-user forum, but then user forums are meant to help each other. Isn’t it? I have noticed many other developers are helping each other here. So, asked this.

I have also posted a detailed step-by-step thread here so that other users who are looking for the similar thing, can also benefit from it.

Anyways, I have read your other comments on similar questions as well, and you have mentioned somewhere that you hate multisite ( and have advised others to install single WP rather than looking for complexity of getting SSL on multisite) so, I can totally understand your point of view. :slight_smile:

Since, I am not doing this for any commercial or professional project, so there is no point to invest in hiring a paid developer for it as of now. I will keep posting at various other forums and will also keep looking for someone who can help me here as well. ( WORLD IS BIG, ISN’T IT?)

Thank you for investing time under this thread.

I wish you luck.

Try adding this to /var/www/presspeace.com/conf/nginx/ssl.conf at the bottom:

if ($scheme = http) {
  return 301 https://$host$request_uri;

Then comment out or remove your force-ssl.conf file at /etc/nginx/conf.d/force-ssl.conf, you won’t need it anymore.

After restarting nginx it is helpful to open your site in an incognito window because browsers like to aggressively cache 301 redirects. I went to http://presspeace.com and it seems to be redirecting the way you would expect.

Since you’re talking about domain mapping, you need to include each domain name that you want to point to your server in /etc/nginx/sites-enabled/domain.com or /etc/nginx/sites-available/domain.com

So if you wanted foo.com and example.com you would put

server_name foo.com *.foo.com example.com *.example.com;

Does that make sense? You’re telling nginx to listen to requests from the following domain names defined by server_name

Hello @kingkool68, Thank you so much for the reply.

I slept earlier yesterday as I was able to resolve this issue after trying for last 72 hours and then today morning, I noticed this message of yours which gave me more insight on other things like domain mapping.

What finally worked is very simple. In my above written post, I only had to remove SSL on; from the ssl.conf file and everything started working. So, my final configuration for /var/www/domain.com/conf/nginx/ssl.conf :slight_smile:

listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

One other way which worked is by removing ssl.conf and force-ssl.conf . But then the configuration of This is /etc/nginx/sites-enabled/domain.com and /etc/nginx/sites-available/domain.com should be like this:

`server {
listen 80 default_server; listen [::]:80 default_server ipv6only=on;

# support https and ipv6
listen 443 default_server ssl;
listen [::]:443 ipv6only=on default_server ssl;

server_name presspeace.com   *.presspeace.com;

access_log /var/log/nginx/presspeace.com.access.log rt_cache; 
error_log /var/log/nginx/presspeace.com.error.log;

# path to web directory
root /var/www/presspeace.com/htdocs;
index index.php index.html index.htm;

# domain or subdomain
server_name example.com www.example.com;

# ssl certificate
ssl_certificate     /etc/letsencrypt/live/presspeace.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/presspeace.com/privkey.pem;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;

include common/wpfc.conf;      
include common/wpcommon.conf;
include common/locations.conf;
include /var/www/presspeace.com/conf/nginx/*.conf;


` Credit: http://stackoverflow.com/questions/8768946/dealing-with-nginx-400-the-plain-http-request-was-sent-to-https-port-error

From your very useful thread: Create SSL with multisite domain mapping? , I had already tried adding if ($scheme = http) { return 301 https://$host$request_uri; } But similar to what @Marcel had experienced, it didn’t work for me either :frowning: . Though, I hadn’t necessarily removed force-ssl.conf at that time, so I will try this method again.

I am not sure why it worked after removing ssl ON; Though now I noticed that - when I open non-https links, it opens but doesn’t redirect to https version. Though http version of primary domain ( in this case presspeace.com) redirects successfully to https version. For this I added this to wp-config.php

if ( $_SERVER["HTTP_HOST"] == "presspeace.com" ) { define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); }

But I am not sure how I can redirect non-http to https and non-www to www on subdomains and mapped domains as well. Can you give me a direct in this line?

Apart from this, regarding renewing and adding SSL for new subsomains and mapped domains. You had said under Create SSL with multisite domain mapping? to change certonly with the word ‘renew’. So, will this work for renewal?

./letsencrypt-auto renew --webroot -w /var/www/presspeace.com/htdocs/ -d presspeace.com -d test.presspeace.com -d mappeddomain.com -d mappeddomain2.com --email themo@gmail.com --text --agree-tos

Do I also need to include www version all these domains, subdomains and mapped domains so that Let’s encrypt SSL can work for both www and non-www versions?

We have used ./letsencrypt-auto above but according to a comment here: https://community.letsencrypt.org/t/certificate-for-www-and-non-www/23965/4, ./certbot-auto is the new official command, ./letsencrypt-auto has been deprecated. Does it make any difference to change this in our above commands?

Now about expanding, suppose I want to add SSL for a new subdomain and mapped domain, do I have to create a new certificate for all our existing and new domains or can we use --expand command like this?

Here is a trick mentioned- https://community.letsencrypt.org/t/certificate-for-www-and-non-www/23965/3. It asks to run this command:

sudo ./certbot-auto certonly --standalone -d originaldomain.com -d www.originaldomain.com -d new.originaldomain.com -d new2.originaldomain.com -d new3.originaldomain.com --dry-run

Do you have any experience in expanding SSL for new domain names? Will I always need to include old domains as well in the command. Isn’t there any way to run a command with new domains only to run?

The main issue has been resolved but if you can further help with these next steps, it will make the full installation perfect.

PS: I have asked @kingkool68 for help through private message and I am so glad that he replied. :slight_smile: Thank you so much Russel. :slight_smile:

Hi @kingkool68 again,

This time, I used your instructions that you had written above and it worked in far more perfect way :slight_smile: There is no 400 Bad error and neither any non-https to https redirection error. All non-https, https , non-www and www links opens to secure https links.

That’s awesome. But one thing I don’t understand. Which code is actually converting or redirecting to non-www HTTPS version? My moto is to get www HTTPS version. I mean everything similar to what I am getting now, just the finaly redirected link should something like https://www.domain.com

I tried this tutorial -https://easyengine.io/tutorials/nginx/www-non-www-redirection/

and added this config and the end of /etc/nginx/sites-enabled/domain.com and /etc/nginx/sites-available/domain.com :

server { server_name "~^(?!www\.).*" ; return 301 $scheme://www.$host$request_uri; }

But it didn’t work. Where am I mistaking?

If you haven’t provided the www. when creating a certificate, it will not work. You need to set everything individually.

Where have you put it?

Hi @hakabe, Thank you for your comment.[quote=“hakabe, post:10, topic:8767”] If you haven’t provided the www. when creating a certificate, it will not work. You need to set everything individually. [/quote]

Yes, I hadn’t provided it when I first created the SSL certificates, but I have additionally added it using this command:

./letsencrypt-auto certonly --duplicate --webroot -w /var/www/presspeace.com/htdocs/ -d presspeace.com -d www.presspeace.com -d test.presspeace.com -d www.test.presspeace.com -d domain2.com -d www.doman2.com -d domain3.com -d www.domain3.com --email them@gmail.com --text --agree-tos --keep

and it asked whether I want to expand my existing certificates or create a new, I chose to expand and then it successfully created addition certificates for the www version as well as any new mapped domain I wanted to add.

Though I noticed that it created a new filename under /etc/letsencrypt/live

The new fle named “presspeace.com-0001” while previously certificates was under “presspeace.com

and hence I have to change ssl.conf accordingly here /var/www/presspeace.com/conf/nginx/ssl.conf

listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/presspeace.com-0002/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/presspeace.com-0002/privkey.pem; if ($scheme = http) { return 301 https://$host$request_uri; }

It woked though:

But why is it creating additional certificate folder ( i.e.: presspeace.com-0001 ) when I am expanding the original certificates it self annd only adding new SANs for the same SSL certificate?

How can I exapand the same certificate so that newer domains can also be included in the old SSL folder ( i.e.: presspeace.com) and I don’t need to change ssl.conf everytime? [quote=“hakabe, post:10, topic:8767”] Where have you put it? [/quote]

I tried putting it at the top and the bottom of my conf file under: /etc/nginx/sites-available/presspeace.com and /etc/nginx/sites-enabled/presspeace.com

Also, tried to change it’s form ( by removing server { … } etc.) and tried adding under stite-available/site-enabled or under ssl.conf as well:

if ( $http_host ~* “(?!www.).”) { rewrite ^ https://www.$host$request_uri permanent; }

It didn’t work properly, and when I tried opening the site like https://presspeace.com, https://www.presspeace.com, presspeace.com or http://presspeace.com , it always displayed URL like this:

https://www.www.presspeace.com ( TWO TIMES WWW)

and hence error on page.

So at this time, the main issue is to redirect all kinds of page ( www or non-www) to www

Also, as above, by adding this code under ssl.conf: if ($scheme = http) { return 301 https://$host$request_uri; } I was able to redirect or force all non-https to https, but what if I want some mapped domains on my multisite to display non-https ( non-ssl) version. How can I fornce non-https on some of the mapped domains ( suppose I want to give my clients - free SSL for mapped domain only under the business plan )

Give it a try.

Thank you.