Best practice for installing wildcard certificate on multisite? (from commercial certificate authority, not Let's Encrypt)


#1

I currently have a multisite subdomain install with a wildcard certificate running on ServerPilot and am interested in moving to EE to have more control over automation. I’m curious to know if there’s a best practice for installing such a third-party certificate on top of the multisite install in EE? I searched around the forums but didn’t see anything, so forgive me if I missed it.

We also do custom domain mapping for customers when they push their sites live, so I’d like to be able to continue to use the excellent acme script by @virtubox for installing LE scripts for those custom domains. (We’ll create a dummy placeholder site for each domain so that acme.sh will recognize it, but then just symbolic link the htdocs directory to the htdocs directory of the main multisite install.)

I appreciate any thoughts or insight you might have!


#2

EasyEngine v3 doesn’t support wildcard or multi domains out of the box. You would probably be better off just installing certbot yourself with one of the DNS plugins used to verify the domains before issuing wildcard certificates --> https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

Instead of creating dummy sites and symlinking you can edit the nginx conf file of your multisite site (sudo ee site edit yoursite.com) and add the additional domain names under the server name section.

Here is mine:

server_name
     root.russellheimlich.com *.root.russellheimlich.com
     russellandkristina.com www.russellandkristina.com *.russellandkristina.com
     zadieheimlich.com www.zadieheimlich.com *.zadieheimlich.com
     veraheimlich.com www.veraheimlich.com *.veraheimlich.com
     tweets.kingkool68.com *.tweets.kingkool68.com;

Certbot added the necessary SSL configuration values when I ran sudo certbot --nginx

    ssl_certificate /etc/letsencrypt/live/russellheimlich.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/russellheimlich.com/privkey.pem; # managed by Certbot

#3

Thanks @kingkool68! I’ll look into the certbot stuff.

Re: editing nginx conf vs symlinking:

  1. Would this cause us to run into the 100 domain/alias limit on Let’s Encrypt when authorizing new domains? I’m unsure of how the acme.sh script interfaces with LE in that regard, but being able to generate separate certs for individual custom domains is a concern (www.domain.com and domain.com on same cert is OK)

  2. Are there any performance/scalability implications with having a huge server_name block in nginx?

Thanks a ton for your reply and appreciate any additional info you can contribute :)


#4

If you’re concerned about hitting the 100 domain/alias limit then setting up separate sites would probably be the smart way to go.

I don’t know if it is an nginx best practice or something EasyEngine does, but the site configs are in /etc/nginx/sites-available/, and /etc/nginx/sites-enabled/ contains a symlink to the conf in /etc/nginx/sites-available/ to turn sites on and off. Here is a complete example:

server {

    # Uncomment the following line for domain mapping
    listen 80 default_server;

    server_name
     root.russellheimlich.com *.root.russellheimlich.com
     russellandkristina.com www.russellandkristina.com *.russellandkristina.com
     zadieheimlich.com www.zadieheimlich.com *.zadieheimlich.com
     veraheimlich.com www.veraheimlich.com *.veraheimlich.com
     tweets.kingkool68.com *.tweets.kingkool68.com;

    # Uncomment the following line for domain mapping
    #server_name_in_redirect off;

    access_log /var/log/nginx/root.russellheimlich.com.access.log rt_cache_redis;
    error_log /var/log/nginx/root.russellheimlich.com.error.log;


    root /var/www/root.russellheimlich.com/htdocs;

    index index.php index.html index.htm;

    # include common/php7.conf;
    include common/redis-php7.conf;
    include common/filename-rewrites.conf;

    include common/wpcommon-php7.conf;
    include /var/www/root.russellheimlich.com/conf/nginx/*.conf;
    include common/locations-php7.conf;

    ssl_certificate /etc/letsencrypt/live/russellheimlich.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/russellheimlich.com/privkey.pem; # managed by Certbot
}

You could set up a new conf file for each domain that changes the root path to the directory of your main multisite install. Each site would get its own SSL cert which would live in /etc/letsencrypt/live/ and would just need to be referenced in the nginx config.

I don’t know if EasyEngine will help in making this easier. You could probably script something up to make it easy to add a new domain and update everything.

Here is what nginx has to say about huge server_name blocks: http://nginx.org/en/docs/http/server_names.html#optimization Seems like you would be fine until the block is too big to fit in the CPU’s L1 cache.
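The per-domain approach described in the reply above (one conf per customer domain, document root pointed at the multisite install, its own certificate under /etc/letsencrypt/live/, sites-available plus a sites-enabled symlink) as a script. This is an added example, not EasyEngine's code and not the poster's; the paths, the placeholder domain and the choice of certbot's webroot challenge are assumptions. It also addresses the 100-names-per-certificate concern from post #3: every customer domain gets its own certificate, so the multisite vhost's SAN list never grows. The hostname check matters because the domain is interpolated into a file nginx executes as directives.

```shell
#!/bin/sh
# Added example (not EasyEngine's or the poster's code). Each customer domain
# gets its own nginx vhost and its own certificate; the document root stays
# the main multisite install. All paths and the default domain are assumptions.
set -eu

MULTISITE_ROOT="${MULTISITE_ROOT:-/var/www/root.russellheimlich.com/htdocs}"
NGINX_AVAILABLE="${NGINX_AVAILABLE:-/etc/nginx/sites-available}"
NGINX_ENABLED="${NGINX_ENABLED:-/etc/nginx/sites-enabled}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Accept only a plain DNS hostname. Anything else (';', '$', '{', whitespace,
# a leading/trailing hyphen or dot, an empty label, no dot at all) is refused
# before it can be written into a file that nginx parses as directives.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*|*.-*|*-.*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Print the nginx vhost for one customer domain to stdout. The ssl_* paths
# follow certbot's /etc/letsencrypt/live/<domain>/ layout.
render_vhost() {
    domain="$1"
    cat <<EOF
# $domain: own certificate, shared multisite document root
server {
    listen 80;
    server_name $domain www.$domain;
    # Keep HTTP-01 renewals working, redirect everything else to HTTPS.
    location ^~ /.well-known/acme-challenge/ { root $MULTISITE_ROOT; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name $domain www.$domain;

    ssl_certificate $LE_LIVE/$domain/fullchain.pem;
    ssl_certificate_key $LE_LIVE/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/$domain.access.log;
    error_log /var/log/nginx/$domain.error.log;

    root $MULTISITE_ROOT;
    index index.php index.html index.htm;

    # Same EasyEngine includes as the multisite vhost posted in this thread.
    include common/redis-php7.conf;
    include common/filename-rewrites.conf;
    include common/wpcommon-php7.conf;
    include common/locations-php7.conf;
}
EOF
}

# Validate, issue the certificate, then write and enable the vhost. Certbot
# runs first so the vhost never references cert files that do not exist; the
# HTTP-01 challenge is answered from the multisite docroot by the existing
# default_server vhost. Assumes a certbot account is already registered.
add_domain() {
    domain="${1#www.}"   # accept "www.x" but always register the apex + www pair
    if ! valid_domain "$domain"; then
        echo "refusing invalid hostname: $domain" >&2
        return 1
    fi
    certbot certonly --webroot -w "$MULTISITE_ROOT" \
        -d "$domain" -d "www.$domain" \
        --non-interactive --agree-tos --keep-until-expiring
    conf="$NGINX_AVAILABLE/$domain"
    render_vhost "$domain" > "$conf"
    ln -sfn "$conf" "$NGINX_ENABLED/$domain"
    # Never reload on a config nginx itself rejects.
    nginx -t && nginx -s reload
}

# Usage: sh add-domain.sh customer.example
[ "$#" -eq 0 ] || add_domain "$1"
```

Both the apex and the www name must already resolve to the server before running this, or the HTTP-01 validation fails and no vhost is written. Certbot's own renewal timer keeps renewing per-domain certificates through the acme-challenge location left open on port 80, so nothing in the multisite vhost needs to change when a customer domain is added or removed.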


#5

Thanks for the ideas @kingkool68, you rock. Love these forums, everyone is always willing to go above and beyond.


#6