How to add a subdomain or mapped domain to a MS installation secured with Let's encrypt

Hi, since it took me some time to figure out how to add secured subdomains and mapped domains to an MS install, I thought this might be helpful to somebody else, so here it is.

Assuming the WP MS installation is running on and we are adding

#create subdomain / domain to map with php and letsencrypt certificate
ee site create --php --le

This will create a secured PHP site that we now need to direct to the MS installation while ensuring the LE certificate can be renewed automatically. So now:

#edit the site to allow for automatic let's encrypt renewal
ee site edit

On the configuration file, change

    root /var/www/;

to

    root /var/www/;

    # entry to allow for automatic letsencrypt certificate updates
    location ~ /\.well-known {
        allow all;
        root /var/www/;
    }

Test that everything is running as expected.

Let me know if it works for you or you have better configuration suggestions!


PS. a probably better way to make sure you configured everything correctly is installing let’s encrypt last:

    ee site create --php
    ee site edit
    ee site update --le

Thanks, this will be helpful! Instead of using letsencrypt directly to do it.

An additional consideration: When editing the new domain configuration file, we should probably also add the line

include common/wpcommon.conf;

Hi. I’ve used your workaround a thousand times. I’ve now moved to a more all-inclusive approach modifying this line [with the ADDITION comment] in /etc/nginx/common/locations.conf only once when installing ee on a new server:

# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
  allow all;
  root /var/www/$http_host/htdocs/; #ADDITION
}

This way the only change I have to make when I do ee site edit is the webroot, without having to go back to this howto, copy the location block, and paste it in. I know the locations.conf file will be overwritten if I update ee, but it’s worth it for me until they figure this thing out officially.

Also, I agree adding include common/wpcommon.conf; might be a good idea as you were saying.

Thank you for your work.


Wow, Thank you @nikksno, very clever, awesome improvement

Hi, what about the subdomain here? We know that for a WPMS (subdomain) installation, a new site is created from the WP Network Admin Panel.

Then how do I follow the tutorial you provided? It’s unclear to me, and I need help :frowning:


@nikksno , I was having trouble enabling SSL in some instances because the $http_host variable was returning for a non-existent folder (/var/www/ when LetsEncrypt was checking domain with www

Here is the solution I came up with:

location ~ /\.well-known {
  set $well_known_host $http_host;        #ADDED
  # dot escaped so that only a literal "www." prefix is stripped
  if ($well_known_host ~* ^www\.(.*)) {   #ADDED
    set $well_known_host $1;              #ADDED
  }                                       #ADDED
  allow all;
  root /var/www/$well_known_host/htdocs/; #CHANGED
}

Hope it is helpful for someone!

It’s probably working but you can use something simpler:

  1. Change the /var/www/html folder owner to www-data
chown -R www-data:www-data /var/www/html
  2. Use this folder for all your domains with the alias directive.
# prefix match: alias inside a regex location needs captures
location ^~ /.well-known {
     alias /var/www/html/.well-known;
}

Very cool, simplicity is beautiful and if is evil :grinning:

Hey again @santiazpi. I have stopped using multisite WP as EE makes it so simple to make every site independent of each other, but I remember having this problem when I was still using them. This perfectly fixes that. Great work! Thanks for sharing back!

Thanks to you too @virtubox
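
An added example, not part of any post in this thread: a small Python model of how the three location blocks discussed above turn a request's Host header into a challenge file path. The directory list, hostnames and token are constructed; `$http_host` is the Host header exactly as the client sent it, so a `www.` prefix or a port ends up in the path.

```python
import re

# Constructed sample: directories that exist on the model server (assumption).
EXISTING_DIRS = (
    "/var/www/example.com/htdocs",
    "/var/www/shop.example.com/htdocs",
    "/var/www/html",
)
URI = "/.well-known/acme-challenge/TOKEN"  # placeholder token, not a real one


def root_http_host(host_header):
    """root /var/www/$http_host/htdocs/;  (raw Host header used as-is)"""
    return f"/var/www/{host_header}/htdocs{URI}"


def root_www_stripped(host_header):
    """Same root, after the `if` block strips a leading 'www.' (case-insensitive)."""
    m = re.match(r"^www\.(.*)", host_header, re.IGNORECASE)
    return f"/var/www/{m.group(1) if m else host_header}/htdocs{URI}"


def root_shared(host_header):
    """One fixed challenge directory for all domains; Host header is ignored."""
    return f"/var/www/html{URI}"


VARIANTS = {
    "http_host": root_http_host,
    "www_stripped": root_www_stripped,
    "shared": root_shared,
}


def resolves(path):
    """True if the computed path falls inside a directory that exists."""
    return any(path.startswith(d + "/") for d in EXISTING_DIRS)


def audit(host_headers):
    """Map each Host header to {variant: does the challenge path resolve?}."""
    return {h: {name: resolves(fn(h)) for name, fn in VARIANTS.items()}
            for h in host_headers}


if __name__ == "__main__":
    for host, result in audit(["example.com", "www.example.com",
                               "example.com:80"]).items():
        print(f"{host:20} {result}")
```

Only the shared-directory variant resolves for every Host value; the two host-derived roots depend on the header matching a directory name exactly.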