Wordpress Multisite + Mapped Domains + LetsEncrypt

Discussion in 'General' started by Thane, Mar 16, 2017.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am using this as well and created LE SSL certificates for each of the alias domains. I think LE will not limit the certificates this way, but I may be wrong.
     
  2. Thane

    Thane New Member

    @Jessie
     
  3. Thane

    Thane New Member

    Ahrasis,
    Hmmm, so Alias Domains are working for you doing this setup, aye? I suppose I shall give that another try then. This time I will make an attempt using a third test domain. Does it matter what order I set this up? My last tries I started by creating a new subsite in my Multisite Network, then I mapped it to its www.Child-Site.com domain, then I twiddled with it in ISPConfig. Should I be adding it as an Alias Domain before mapping it out and creating the Subsite? I will begin testing a third Child Site now...
     
  4. Thane

    Thane New Member

    Update:
    So stumped. here is the last tidbit of the most recent test letsencrypt.log:
    2017-03-21 02:06:08,803:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
        return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 229, in obtain_certificate_from_csr
        authzr)
      File "/usr/lib/python2.7/dist-packages/acme/client.py", line 319, in request_issuance
        headers={'Accept': content_type})
      File "/usr/lib/python2.7/dist-packages/acme/client.py", line 652, in post
        return self._check_response(response, content_type=content_type)
      File "/usr/lib/python2.7/dist-packages/acme/client.py", line 568, in _check_response
        raise messages.Error.from_json(jobj)
    Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: Main-Domain.com

    Not sure if that means I can't add any more alt-names for Main-Domain's SSL? Incidentally, while I was setting up Child-Site3.com in the Multisite + adding it as an Alias-Domain, something threw my Main-Domain LE SSL out of whack; I had to restart Apache2 and reset my Main-Domain SSL, so the last bit of that log file is probably info about LE trying to give me my old cert back... Also, a long way up the log file there is a bunch of stuff about Child-Site3, nothing that made any sense as far as errors though :/

    The quest continues...
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Just make sure you can publicly access your alias domain before ticking/applying for its LE SSL certificate.
     
  6. Thane

    Thane New Member

    Pretty sure I've run against LE's rate limiting, so I'll be unable to continue testing until next week. Unless I plop down another domain on a new Multisite install to continue testing, lol... I think I'll wait.

    So as long as the rate limiting has been the factor causing me all these problems, my next question will be how many domains I can stick on my Main-Domain SSL before hitting the next wall of limits. I've read that SANs are limited to 5 per week, not sure if that means the www-version + non-www version or not; in either case it looks like I'll only be able to add a potential maximum of 5 domains per week (unless the www/non-www versions count as 2 domains, in which case I would only be able to bring 2 sites into the network per week).

    Will begin testing next week after my limits are refreshed and report back :)
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is sure enough.

    You don't need to use main domain. You can always create one subdomain for testing and other subdomains as its aliases.
     
  8. Thane

    Thane New Member

    SUCCESS! IT WORKED!

    So I continued messing with different settings, started preemptively migrating sites from my old server just to get that slight hurdle out of the way... After migrating the fourth site into my Multisite Network I started getting anxious about the SSL situation again, so the poking around started back up :)

    It took a lot of experimentation with the LE logs (/var/log/letsencrypt), mostly figuring out what the debugs meant. The last time I fiddled with this setup I was getting the "too many requests" errors; this time around I started getting all new errors (or sometimes the log would contain information stating everything went perfectly, except https still wasn't working and in some cases was erroring). I guess it should be worth noting that before I fell into this final test I did upgrade ISPConfig from 3.1dev (the version installed following The Tuto) to ISPConfig 3.1.2.

    The final solution:
    First, I *unticked* the checkboxes for SSL/LetsEncrypt from my Main-Domain website inside ISPConfig.
    Then I made sure the domains for my "networked child sites" were fully mapped and working (running http).
    Then I went to /etc/letsencrypt/ and deleted everything inside the folders:
    • /archive
    • /csr
    • /keys
    • /live
    • /renewal
    Next I went back to the website settings in ISPConfig and *re-checked* the checkboxes for SSL/LetsEncrypt... Anxiously wait for the LE log to update - download the log - open - go to bottom - SUCCESS. Now the real test: I open up my Main-Domain.com in Firefox using https, it works as usual, but now I want to see if the latest test has done anything about the Subject Alternate Names on Main-Domain's SSL Cert... I open the Certificate and hit the Details tab, scroll down to Subject Alt Names in the Certificate Fields section and HAZZAH!! My Main-Domain and all of its Child-Site Domains are listed in both www/non-www format, matching up perfectly with the entries I have in ISPConfig's AliasDomain section :D

    Conclusion:
    I guess it would be more fruitful to take things slower when testing new configurations; the first few days of testing on my own I must have locked myself out from continued use of LetsEncrypt (I had 50+ CSRs in the LE folder lol). I wasn't sure of the Rate Limits when I was testing, but it would have been helpful info to know to avoid the mess of confusion I was about to experience. All in all, it was a fun adventure and as always I learned a lot more about ISPConfig/Linux/LetsEncrypt, so going through all of this was definitely worth it. The next step in this server's future life will be optimizing MariaDB/PHP7 and running through a good VPS Hardening tuto. I'm still a little worried about what the rate limits will mean as far as migrating all my sites, if I can only do a handful at a time or if I'll be able to pull 10/20 per week, but it will be worth it I'm sure! For now, I'm going to go back to my regular routine of work since I've been slacking off from my regular duties in order to work on this new server build; I'll be back at it sometime soon to finish the migration and set up a few more tweaks (like figuring out how to enable Roundcube's 'password' plugin so it is compatible with ISPC).

    Thanks to everybody that helped, and good-luck to anybody in the future that these records may help! If anybody has any additional input or suggestions to my setup feel welcomed to chime in, I have an account here now so I plan to help others if/when possible and will definitely monitor this thread for any activity :)
     
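As an added example (not code from the thread or from ISPConfig), a small Python script that does two of the checks Thane did by hand: it flags the ACME rate-limit error in a letsencrypt.log excerpt and names the domain the limit was hit for, and it compares a certificate's Subject Alt Names against the www/non-www pairs that a site plus its ISPConfig alias domains should produce. The log excerpt and domain names below are constructed, modeled on the traceback quoted earlier.

```python
import re
import sys

# Constructed excerpt modeled on the letsencrypt.log traceback quoted in the thread.
SAMPLE_LOG = """\
2017-03-21 02:06:08,803:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 568, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: Main-Domain.com
"""

# ACME error lines look like "Error: urn:acme:error:<name> :: <detail> :: <detail> ..."
ACME_ERROR = re.compile(r"^Error: (urn:acme:error:(\w+)) :: (.*)$", re.MULTILINE)
ISSUED_FOR = re.compile(r"Too many certificates already issued for: ([\w.-]+)")


def parse_acme_errors(log_text):
    """Return one dict per ACME error line: full type URN, short name, detail text,
    and, for the rateLimited case, the registered domain the limit applies to."""
    results = []
    for m in ACME_ERROR.finditer(log_text):
        entry = {"type": m.group(1), "name": m.group(2), "detail": m.group(3), "domain": None}
        d = ISSUED_FOR.search(m.group(3))
        if d:
            entry["domain"] = d.group(1)
        results.append(entry)
    return results


def expected_sans(main_domain, alias_domains):
    """Names the certificate should carry: bare and www form of the site and of every alias."""
    names = set()
    for dom in [main_domain, *alias_domains]:
        bare = dom[4:] if dom.startswith("www.") else dom
        names.add(bare)
        names.add("www." + bare)
    return names


def missing_sans(main_domain, alias_domains, cert_sans):
    """Names that should be on the certificate but are not; an empty set means the SAN list
    matches the ISPConfig alias entries, which is what Thane checked in Firefox."""
    return expected_sans(main_domain, alias_domains) - set(cert_sans)


if __name__ == "__main__":
    # Usage: python3 check_le.py [/var/log/letsencrypt/letsencrypt.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for err in parse_acme_errors(text):
        print(err["name"], "for", err["domain"] or "(no domain given)", "-", err["detail"])
```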