I'm in the process of setting up a new instance for WordPress multisite. This will host many different domains, but essentially similar websites. I would like to have SSL on every domain that is mapped.
These domains would be added ad hoc. They are usually only used for a month to 90 days, and I expect to add 2 to 10 new sites each month.
I will be using a DigitalOcean instance.
I'm wondering what the best way is to set this up from the beginning to ensure it's done right up front. I've set up multisite before with many domains, but always seem to run into trouble when I need to add another domain. I usually add the domain by adding the -d switch and redo the certificate by adding all the domains and then the new one.
There must be a better way. I would like to have a documented process, but this is not my forte. However, it doesn't seem like it should be super complicated. Even a solid tutorial would be amazing.
The current recommended approach for handling multiple domains is to keep unrelated domains on separate certificates. Keeping subdomains on the same certificate as the registered domain is generally fine, but mixing Example.com and Domain.com on the same certificate is not a good idea, as a single domain failing authorization can break the entire certificate renewal for all.
So, is there some good documentation / tutorials for someone who isn't super technical to understand how to set that up that you can recommend? My problem is that I don't quite know what I'm searching for, but everything I've found so far hasn't seemed to be the right answer.
It would be Apache on Ubuntu 20 or 21 (I haven't set it up yet). Yes, I will have root access, not using cPanel or anything like that. Straight up standard DigitalOcean WordPress droplet.
You have a lot of options. I think it might be better to give an overview of some, so you can think about how you want to approach this and ask focused questions later.
Since you're manipulating cert lineage by adding domains, I assume you either have everything running within a single Apache host/virtualhost block, or are sharing the same cert between different virtualhosts. The better pattern to use is multiple virtualhosts, each with their own certificate.
The basic way is to just create a new VirtualHost in Apache for each domain, and then use Certbot to handle the installation/renewal. You'll find the most documentation and guides for that. Onboarding new domains would just be via the certbot apache command, and you would have a logical partition through the virtualhosts - each one is for a domain with its own certificate.
A more advanced way is to terminate SSL before anything hits Apache, using something that has "autocert" functionality. An example of this would be running the Caddy webserver on port 80, then just doing a proxypass from Caddy to Apache running on a higher port. (You could run WordPress in Caddy, but if you're already familiar with Apache I'd just keep that and proxy onto it.) If you go that route, then you don't really need to think about the certificates - Caddy does it automatically and you pipe all traffic back into Apache.
There are autocert options for Apache, including mod_md (mod_md - Apache HTTP Server Version 2.5). Nginx also has a handful of autocert extensions, and running Nginx in front of Apache is popular too.
Because autocert can get out of control and hit rate-limits if you're dynamically scaling nodes in a cluster, many autocert implementations have the ability to store/load the SSL certs on a shared volume or in the cloud. That might be something you're interested in.
I hope some of this points you in the right direction.
Wow, thank you so much for the detailed explanation... I don't mind doing a little work and each site is going to require manual intervention anyway, so I think creating virtual hosts with each new addition might make sense... What I'm not sure of is how to do that...
Is this something I can "template" and just edit/name the file accordingly ? ie prep the file on my desktop, upload it ? or do I need to run some scripts/commands?
I found a tutorial on adding virtual hosts... So in the example below... Would I change example.com for each domain including "servername" or would I leave servername the same and use that of the server itself ie: the "main Site"
If all sites will provide the exact same content, then you can use the same DocumentRoot for all of them.
Which means that you could also use one single vhost config and just add all the names (as Aliases).
[but that is NOT recommended]
Correct. You want to have lots of VirtualHosts (a new file for each is typical) and then include them into your main apache config. They can each have almost the same content, except for:
Giving each one their own log files is often recommended too.
It seems like a lot of overlap, but this will allow Certbot to upgrade and manage each virtualhost with a single certificate that holds "example.com" and "www.example.com". Otherwise, you will keep manually editing the domains on a single certificate.
Step 1:
I would need to create 2 vhost files for each domain and put them into the /etc/apache2/sites-enabled folder... (1 for port 80 and 1 for port 443?) I'm not sure how to name that file... would it be domain1.com.conf and domain1.com-ssl.conf ?
Step 2:
I would need to activate that vhost file by running a2ensite domain1.com.conf & a2ensite domain1.com-ssl.conf
Step 3:
I'm not sure about this one... I think I would need to leave the default config files as they would map the default domain of the WordPress multisite... or would I just create a new set of conf files for that one too and then run sudo a2dissite 000-default.conf & sudo a2dissite 000-default-le-ssl.conf ?
Step 4:
Restart apache by running sudo systemctl restart apache2
Step 5: run certbot for the new domain... Which I will dig into a bit more once I master the above
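The five steps above, written out as one onboarding script. This is an added example, not code from the original thread or from Certbot; it assumes the Debian/Ubuntu Apache layout (/etc/apache2/sites-available, a2ensite, apache2ctl), one shared DocumentRoot at /var/www/html for the whole multisite, and that `certbot --apache` creates the port-443 twin of the vhost itself, so only the port-80 file is written by hand. The `SITES_AVAILABLE`, `DOCROOT` and `DRY_RUN` variables are my additions so the generated file can be inspected before anything is enabled on a live server.

```shell
#!/bin/sh
# Added example: onboard one new domain as its own Apache vhost with its own certificate.
set -eu

SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/apache2/sites-available}"
DOCROOT="${DOCROOT:-/var/www/html}"   # shared docroot: every mapped domain serves the same multisite
DRY_RUN="${DRY_RUN:-0}"               # 1 = write the file only, do not enable or request a certificate

# Accept only a plain lowercase hostname with at least one dot, so nothing odd
# can end up inside a config file or on a certbot command line.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Print the port-80 vhost for a domain. ServerName/ServerAlias and the log
# names are the only parts that change between domains; the docroot is shared.
# ${APACHE_LOG_DIR} is escaped so Apache, not this script, expands it.
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot ${DOCROOT}
    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-access.log combined
</VirtualHost>
EOF
}

# Steps 1-5 for a single domain: write, enable, syntax-check, reload, then certbot.
onboard_domain() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if ! valid_domain "$domain"; then
        echo "refusing invalid domain name: $1" >&2
        return 1
    fi
    conf="${SITES_AVAILABLE}/${domain}.conf"
    render_vhost "$domain" > "$conf"
    echo "wrote $conf"
    if [ "$DRY_RUN" = "1" ]; then
        echo "dry run: not enabling the site or requesting a certificate"
        return 0
    fi
    a2ensite "${domain}.conf"
    apache2ctl configtest          # never reload a config that does not parse
    systemctl reload apache2
    # One certificate per domain (plus its www name); unrelated domains never share one.
    certbot --apache -d "$domain" -d "www.$domain"
}

# Usage: DRY_RUN=1 ./onboard.sh domain1.com   (then re-run without DRY_RUN)
if [ "${1:-}" != "" ]; then
    onboard_domain "$1"
fi
```

Running it with `DRY_RUN=1` first shows exactly what will land in sites-available; the real run then adds the vhost, and `certbot --apache` writes and enables the SSL vhost (a `domain1.com-le-ssl.conf` alongside it, in the same naming pattern as the `000-default-le-ssl.conf` mentioned above) with the certificate lines filled in, so nothing in an existing certificate has to be edited.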
certbot can setup the SSL vhost [if one doesn't exist and you call it with --{nginx|apache}]
But you can also create the SSL vhost by hand and certbot will only insert/verify the lines needed.
OR
You can call certbot with certonly and it will not even look at the SSL vhost config.
So when you say certbot will only add the lines in that it needs, if I create an ssl vhost and the certificate lines aren't in there, it will add them in. That was the part that I noticed after my step by step post.
So in theory, I can create a shell which contains most of what it needs and certbot will fill in the blanks so to speak that are a result of using certbot.
I tried with the conf file being placed in sites-enabled... That didn't work. But when I had the conf file in sites-available, it then worked. Am I doing something wrong?
The /sites-available/ files are NOT normally included into the config.
Not without doing: a2ensite conf-file-name
Check your main config for include statements [to see which folders are included].
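A small check for the point just made, as an added example that is not from the original thread: it reads the Include directives out of the main config and lists the vhost files in sites-available that have no matching entry in sites-enabled (i.e. that a2ensite has not been run for). It assumes the Debian/Ubuntu layout (/etc/apache2/apache2.conf, sites-available, sites-enabled); `APACHE_ROOT` is my addition so it can be pointed at a copy of the tree.

```shell
#!/bin/sh
# Added example: see which directories the main Apache config actually includes,
# and which vhost files exist but are not enabled.
set -eu

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"

# Print the targets of every Include / IncludeOptional line in apache2.conf.
# On Debian/Ubuntu this normally shows sites-enabled/*.conf but never sites-available.
list_includes() {
    grep -Ei '^[[:space:]]*Include(Optional)?[[:space:]]' "${APACHE_ROOT}/apache2.conf" \
        | awk '{print $2}'
}

# Return 0 if a site's .conf is present in sites-enabled (what a2ensite creates).
site_is_enabled() {
    [ -e "${APACHE_ROOT}/sites-enabled/$1" ]
}

# Print every .conf in sites-available that is not enabled, one per line.
list_unenabled_sites() {
    for conf in "${APACHE_ROOT}"/sites-available/*.conf; do
        [ -e "$conf" ] || continue          # the glob itself when the directory is empty
        name=$(basename "$conf")
        if ! site_is_enabled "$name"; then
            echo "$name"
        fi
    done
}

# Usage when run directly: show the includes, then the sites that still need a2ensite.
if [ "${1:-}" = "--report" ]; then
    echo "Included by ${APACHE_ROOT}/apache2.conf:"
    list_includes
    echo "In sites-available but not enabled (run a2ensite <name> for these):"
    list_unenabled_sites
fi
```

If a domain's vhost shows up in the second list, Apache is not reading it, however correct the file is; enabling it with a2ensite and reloading is what makes the config take effect.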