Letsencrypt on multisite setup

Hello all!

I’m moving my entire multisite setup to an Easyengine solution, and was wondering what is the best approach to get HTTPS on all subsites (individual domains) with letsencrypt?

Best, Emil

Currently, Easyengine is not capable of doing so. you can tinker around and find a workaround. Personally I feel that it is a good feature to have. let’s start a discussion here, and if the many people think that this feature is necessary, we can add this feature in the next version.

I hate multisite, but yes, a lot of people will want it. :slight_smile:

I would suggest checking WP Encrypt, a WordPress plugin that handles certificate origination and renewal and even works on multi-site installations (although not with domain mapping). You will need to add the recommended conf additions during their setup to your site’s nginx setup (usually under site.com/conf/nginx/ssl.conf) and reload nginx, but this provides a great solution for many sites that need this built in.

1 Like

Of course this is must have feature. I tried to move all my websites to SSL and get this problem. I am using Multisite and domain mapping.

Yes, this feature would be very useful.

How can I do it manually without losing anything already created by easyengine?

Please work on it. I need an official solution for this.

Though based on various tutorial, I had tried to install Lets Encrypt SSL on multisite with subdomain and domain mapping and it ACTUALLY WORKED!! But, in the same setup, when I open domain with htpps ( like domain.com or http://domain.com ), it gives me 400 BAD REQUEST error saying:

The plain HTTP request was sent to HTTPS port.

I have written all my setup configuration in detail here: 400 Bad Request after installing LetsEncrypt SSL on WordPress Multisite installation

If you have some programming skills, please give it a look to resolve this 400 bad request error issue.

Thank you.

Done in 10 steps on Debian by https://github.com/ddur (me)

  1. ee site create example.com --wpsubdomain -le

  2. chown /var/www/example.com/htdocs/.well-known owner from root to www-data (writeable by server)

  3. create /var/www/example.com/letsencrypt/live/ with www-data owner (writeable by server)

  4. install wp-encrypt plugin (https://wordpress.org/plugins/wp-encrypt/)

  5. Configure

  6. Register account

  7. Generate certificate

  8. cd /etc/letsencrypt/live/example.com, edit symlinks to point to new destination cert.pem => /var/www/example.com/letsencrypt/live/example.com/cert.pem chain.pem => /var/www/example.com/letsencrypt/live/example.com/chain.pem fullchain.pem => /var/www/example.com/letsencrypt/live/example.com/fullchain.pem privkey.pem => /var/www/example.com/letsencrypt/live/example.com/private.pem

  9. cd /etc/nginx/conf.d/ edit force-ssl-example.com.conf

server { listen 80; server_name example.com *.example.com;

root /var/www/example.com/htdocs;

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";

location / {
	return 301 https://$host$request_uri;


  1. service nginx restart

Now you are ready to add subdomains from WordPress network administration panel, and generate new certificate with all new subdomains. Do not forget to restart Nginx again after changes.


Works fine here. Thanks a lot!

1 Like

I did exactly what you wrote… Now my subdomain’s ssl isn’t working…

Have a look at the main site and the sub site

Can you tell me what went wrong?

Thank you…

If everything went fine, without errors , you need to restart Nginx after all.

I can guess few possible errors

  1. Nginx server has not yet loaded new certificate, restart it.
  2. Nginx is still reading old ee certificate, you did something wrong.
  3. You did all right but new certificate has not subdomain in it

If plugin request for certificate failed, you have plugin version that is trying to get certificates for

shuvo.rocks www.shuvo.rocks blog.shuvo.rocks www.blog.shuvo.rocks

In that case, (if getting certificate for www version failed), edit


and comment out line 303 #$all_domains[] = ‘www.’ . $addon_domain;

Then request certificates again (and continue as described)

Bookmarked; lately, i have moved to Ubuntu due to outdated Debian support from EE; will try once there’s and update for stretch.