Wordpress Multisite + Mapped Domains + LetsEncrypt

Discussion in 'General' started by Thane, Mar 16, 2017.

  1. Thane

    Thane New Member

    Hey everyone! Firstly I would like to say thanks to the ISPConfig devs, great work and MUCH appreciated for everything you do!

    I've been using ISPC for about 2 years, much prefer it over anything else! My use case doesn't take full advantage of ISPC, I just use it for the easy webserver/databaseserver/mailserver administration. I've been using the old Jessie/PHP5/Apache install for a good long while without any problems (thanks to the great ISPConfig tuto's). I host about 10 personal sites of my own, and maybe 40 client sites on my Linode :)

    I just opened up a new VPS using The Perfect Server Ubuntu 16.04/PHP7/Apache, the efficiency increases across the board are awesome so far, the basic install runs around 300MB less ram versus my old install did when I first set it up, and Ubuntu has been easy to learn so far (since most things are the same as Debian, from a noobs perspective anyways)... I set up a few test domains and deployed a few backups of existing sites from my old server, so they are essentially the same site (for testing), the difference in speed scores from GTMetrix were awesome - 1/5th less db queries/50% faster load times (using all default settings for php/sql so that's cool!).

    I'm really excited to begin the grueling move from my old server to the new, but still have a long way to go before I'm ready for that terribleness... So here comes the meat of my thread here, in my quest for optimization I'm looking at moving over to Wordpress Multisite for a number of reasons:
    * Faster page load times: with only 1 set of wp-core files that need to be *fired up* for visitors I'm presuming once all my sites are set up in Multisite that the entire "Network" will run a lot more efficiently versus having 50 separate installs *firing up* on visits.
    * Faster update deployment: I use a lot of similar plugins/themes across the sites I manage, so I figure having a single source to update would be great, much faster to FTP into a single folder and drop the update versus going to 50 folders and doing the same update 50 times.
    * Multisite premo plugins: Many plugins are Multisite compatible, my favorite being Wordfence (its an extra layer of Firewall/Antivirus) - I install the free version on all my sites with a fine-tuned setup, and I run the pro version on my main site and on client sites that want it or have been hacked in the past (at other hosts, so far ISPConfig tuto's have kept my server bulletproof!). Wordfence is Multisite compatible, so I could avoid renewing a good 10 licenses yearly (@ $100/each) just by deploying the network-activated premium Wordfence (allowing all those pro benefits on all the sites).
    * Multisite compatible plugins: many free plugins are Multisite compatible, like my favorite cache W3 Total Cache, which once Network-Activated allows all kinds of cool things to happen, like setting up a single set of caching/minifying rules across all the sites (I imagine the database cache would work wonders on Multisite being that a single database means a single cache for certain queries configed).
    * Wordpress 4.5+ natively supports Domain Mapping, so every site on the Network will have their own Domain Name (essential for keeping url's intact (each multisite subsite is actually its own website) to retain Google ranks and prevent 404's).

    Well, this is getting lengthy so I will stop here on the many benefits of changing to Multisite and get to my problem (we can continue the discussion of pros vs cons as well just to keep activity on this subject going, I'm hoping other people out there may be interested in this setup as well, so maybe we can all share ideas and strategy).

    The problem:
    On my last upgrade for ISPConfig3 I noticed the LetsEncrypt support, I tested it out (too ridiculously easy to do) and WOW, free SSL's for all my sites :D

    So this works perfect with individual installs of Wordpress, but now we come to the Multisite problem... To map domains to my Multisite requires having the server IP resolve to my main Multisite install (easy enough to do by setting IPV4-Address in the control panel for my main domain that runs the Multisite Network)... So now my domains are mapping to their respective "multisite subsites" perfectly, without adding the domains to ISPConfig (now I just add an A record in my registrar's DNS that goes to my IP - which resolves to my Multisite).

    So, how in the world do I get LetsEncrypt SSL's for all these domains? If I add them to ISPConfig in Sites>Websites>Add New Website I can get an SSL generated, but the domain is mapped to my Multisite Network, so how do I get the site to still get handled by Multisite while also being able to enjoy the sweet sweet benefit of ISPConfig's easy deployment of LetsEncrypt SSL's?

    I could write a whole other post just as long as this one describing every test/attempt I've tried so far, so I will leave this conundrum up to the community and see if anyone has an idea, plus I'm looking forward to hearing some chatter about Multisite using ISPConfig :)
  2. iNet Specialists

    iNet Specialists New Member

  3. Thane

    Thane New Member

    Hey iNet Specialists,
    Thanks for the reply! Yes I had found and tried the plugin, it had "funny" results. It stores the certificates in the directory "/var/www/clients/client0/web1" or "../letsencrypt and .well-known (both paths are relative to the site's root directory)" - which it doesn't have authority to create a folder in (I couldn't even mkdir there myself as root user).

    So upon activation the plugin starts spitting out errors like nobody's business, filling up error logs for the domain at about 2GB/minute, deleting the error log saves the server from crashing - then logging into ISPConfig and unselecting "has own error logs" from the Website settings page for the domain allows access to the website to come back (the error freezes the 'mother' Multisite entirely). I think I was able to remove the plugin to restore access to the site by deleting the plugin by FTP as well (I tested the plugin many a time, lol)...

    There *is* a mention in the plugin docs that says the default folder for storing certificates can be changed by defining a constant for WP_ENCRYPT_SSL_CERTIFICATES_DIR_PATH in the wp-config.php, I tried to get that to work to no avail (though my inability to write the correct 'constant' could be the reason). So I was unable to test if the plugin would work in Multisite with a ISPC compatible certificate storage directory.

    Incidentally I was browsing this plugin's support area at wp.org and found this post:
    TLDR; The author is putting the development of the plugin on-hold indefinitely and has conceded that there are problems, he *does* use it on his own server (he built it just for Multisite situations) and it's supposed to work, the problem with ISPC with this plugin is something I don't think is easily worked out.

    Any ideas?
    Last edited: Mar 16, 2017
  4. iNet Specialists

    iNet Specialists New Member

    It sounds like WP's inherent need to write to a website's root directory is conflicting with Ubuntu 16.04 enhanced security at the user permission level. It could also be an open_base_dir issue from PHP, so make sure that the path for the open_base_dir also has "/var/www/clients/client0/web1/letsencrypt". You can do that on the Website->Options Tab inside ISPConfig.
    The HTTP server user should be a member of the "client0" group, and it should be OK to grant that group the access to write to a directory above the web root as long as it is isolated.
    You can try using "su" or "sudo" to get the "mkdir" to work as the "web1" user to create the directory.
    Same for changing the permissions on those directories.
    Presumably, the full path of those directories would be something like:
    # cd /var/www/clients/client0/web1
    # su -s /bin/bash web1
    $ mkdir web/.well-known
    $ chmod 775 web/.well-known
    $ mkdir letsencrypt
    $ chmod 771 letsencrypt
    $ exit
    # ls -lh
    Thane likes this.
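    The post above suggests two things to verify before blaming the plugin: that PHP's open_basedir actually covers the directory the plugin wants to write to, and that the two directories exist with the intended modes. The helper below is an added example, not code from the thread or from ISPConfig; the `/var/www/clients/client0/web1` layout and the 775/771 modes are taken from the post, while the function names and the `demo_in_tempdir` helper (which exercises the checks in a throwaway directory so it runs without root) are assumptions.

```python
"""Check open_basedir coverage and create the ACME/LetsEncrypt directories.

Added example; not part of the thread or of ISPConfig.  Directory names and
modes follow the forum post (web/.well-known -> 775, letsencrypt -> 771).
"""
import os
import stat
import tempfile

# Hypothetical helper: mirrors the ':'-separated open_basedir list PHP uses on Linux.
def within_open_basedir(open_basedir, path):
    """Return True if `path` lies inside one of the open_basedir entries.

    PHP's own check is a plain string-prefix match; this version is slightly
    stricter (directory containment) so "/var/www/web1" does not match
    "/var/www/web10".  An empty open_basedir means no restriction.
    """
    if not open_basedir.strip():
        return True
    target = os.path.normpath(path)
    for entry in filter(None, open_basedir.split(":")):
        base = os.path.normpath(entry)
        if target == base or target.startswith(base + os.sep):
            return True
    return False


def ensure_acme_dirs(site_root):
    """Create the directories from the post under `site_root` and return their modes.

    os.makedirs() applies the process umask, so chmod() is called explicitly
    to land on exactly the modes the post uses.
    """
    wanted = {"web/.well-known": 0o775, "letsencrypt": 0o771}
    modes = {}
    for rel, mode in wanted.items():
        full = os.path.join(site_root, rel)
        os.makedirs(full, exist_ok=True)
        os.chmod(full, mode)
        modes[rel] = stat.S_IMODE(os.stat(full).st_mode)
    return modes


def writable_dirs(site_root):
    """Which of the two directories the current user can write to (what the plugin needs)."""
    return {
        rel: os.access(os.path.join(site_root, rel), os.W_OK)
        for rel in ("web/.well-known", "letsencrypt")
    }


def demo_in_tempdir():
    """Run the checks against a constructed site root in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        modes = ensure_acme_dirs(root)
        writable = writable_dirs(root)
        # Constructed open_basedir value in the shape ISPConfig writes for a site.
        basedir = f"{root}/web:{root}/private:{root}/tmp:/usr/share/php"
        covered = within_open_basedir(basedir, os.path.join(root, "letsencrypt"))
        covered_after = within_open_basedir(basedir + f":{root}/letsencrypt",
                                            os.path.join(root, "letsencrypt"))
        return {"modes": modes, "writable": writable,
                "letsencrypt_covered": covered,
                "letsencrypt_covered_after_adding_entry": covered_after}


if __name__ == "__main__":
    for key, value in demo_in_tempdir().items():
        print(f"{key}: {value}")
```

    The `letsencrypt` directory sits beside `web/`, not under it, so the usual ISPConfig open_basedir entries (`web`, `private`, `tmp`) do not cover it; the demo shows the check failing first and succeeding once the extra entry from the post is appended.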
  5. Thane

    Thane New Member

    Continued semi-irrelevant stuff:
    I'd like a solution that utilizes ISPC resources if possible because I have a lot more faith in continued support with ISPC. I don't really want to convert to full blown Multisite if I don't think it will be viable for at least 1-2 years before needing additional upgrades, this is part of why I'm playing with a new server build using an LTS Linux distro with PHP7, figure it's been 2 years on Debian/PHP5 so it's a good time to 'get with the times'. And just in case some Debian fanboys jump on that statement, lol, I DO love the Debian distro, it's stable and been good for a beginner to Linux (like me), and I'm aware of the ability to add new PHP versions, I actually installed PHP7 on my old server following the ISPConfig tuto's, it's just that changing a site from php5>php7 on that system proved unreliable, the same sites on my new server are actually working on php7 with no problems, so glad to eventually make the migration (after fully exploring the Multisite possibility).

    I'm also not making the move *just* for PHP7, there are other goals like switching from SquirrelMail to Roundcube (I'm aware of the tuto's for converting/adding Roundcube to the old setups and just don't feel comfortable messing with that stuff). I'm also interested in seeing if there is an improvement going from mysql to maria, so changing Debian to Ubuntu along with all the other changes/upgrades seemed less daunting considering there are so many other parts of the server/websites possibly changing :)
  6. iNet Specialists

    iNet Specialists New Member

    Well, you are using Apache, so you could also try running WP Multi-site on a single website in ISPConfig (as you have) and then assigning the ServerAlias directive for every domain/sub-domain that the Multi-site responds for. ISPConfig should be able to manage LetsEncrypt for all of the aliases. As long as TLS SNI is working correctly, the correct certs should get attached.
  7. Thane

    Thane New Member

    Hey iNetSpecialists,
    I attempted your suggestions, I tried to add a new open_base_dir to the test domain unsuccessfully, which is why I probably couldn't create the folder on /var/www/clients/client0/web1/

    To add the additional open_base_dir I added this to the custom ini in the Website>Options tab:
    open_basedir /var/www/clients/client0/web1/
    Which was invalid.
    I then attempted adding to the beginning of the existing open_base_dir this:
    Which worked (i guess), but still not able to mkdir in /var/www/clients/client0/web1/

    I then tried your other suggestion (which I'm pretty sure I had fiddled with before, ugh so many hours on this problem). I added the child-site's domain that is fully mapped to its Multisite home to ISPC as an AliasDomain. At that point nothing really happened, the domain continues to work within the Multisite (appearing as a standalone normal website on the frontend) but when I try to use https it is showing the certificate for the Multisite Network's main domain (this of course gives an insecure warning).

    In normal Multisite:
    Main-Domain.com <- The main multisite install, where the magic happens.
    Adding a new site to the Network, we'll call it www.Child-Site.com, so initially Child-Site.com looks like this:
    Main-Domain.com/child-site (or) child-site.Main-Domain.com
    Once the multisite 'subsite' is mapped the site can only be accessed through:
    www.Child-Site.com <- It appears to be a normal standalone site, even though it is just a subsite of the Network.

    So mapping domains is the easy part, but if I want to utilize ISPC's LetsEncrypt feature it looks like the only way I can do this is by having it set up in the control panel as a website (so I can then tick the boxes for SSL, then ISPC can do the rest in generating the certificate/etc).

    But if I set the "child site" domain up in ISPC as a website, the domain will continue using the SSL generated for the Main-Domain. If I toggle the child-site's domain as IPv4 to use the server IP, then ISPC will "grab" the domain and bypass the Multisite network and treat any requests for the domain as a normal ISPC website. So I need the Main-Domain to continue resolving to the IP (and vice versa) so the Multisite Network can grab incoming domains (if they're mapped) and dispense files accordingly.

    Hopefully any of that makes sense, it's a mess of a problem (one I could avoid if I had a wildcard or multi-domain SSL for Main-Domain, so all the child-sites I'm adding to the Multisite could use that one SSL without getting a warning, but I don't want to shell out the money for something ISPC can handle perfectly well, if I just give up this dream of a perfect Multisite Network and continue operating with 50 installs of WP).

    Thanks for your input, I appreciate it :)
    till likes this.
  8. iNet Specialists

    iNet Specialists New Member

    I understand the problem. I'm afraid the <VirtualHost> method used by ISPConfig and the Domain Mapping method used by WP Multi-site are just incompatible at the present time.
    I think <VirtualHost> is more secure and manageable, but I can understand not wanting to have 40 WP installs to manage as well.
    Wish I could point to a better solution that worked other than tweaking the permissions and files at the OS level.
  9. Thane

    Thane New Member

    Hey iNet Specialists,
    Yeah that's what I'm thinking too. I appreciate your taking a moment to think on my problem, I spent about 15 hours researching and testing before pulling up my own thread to reach out to the community, was really hoping someone else had experienced the same/similar issue and might have a resolution.

    That's alright though, even with the resource overhead of running 50 installs versus 1 multisite, the server is *still* much more efficient than the old one, so I'll be happy to make the migration and feel confident in another 2 years with ISPC and the server built from the awesome tuto's :)

    If Google didn't roll out changes with its algorithm this year giving preference to site's running https then I'd just go with the working Multisite with mapped domains, but since I started using LetsEncrypt I don't think I can go back to regular http, it's just too cool to get free SSL's so easily and get the little bump in search results from being encrypted :)

    Thanks again for the help, and if anyone else has an idea feel welcomed to chime in, I'll test it out!
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Just add the domains as alias domains of the website in ispconfig that hosts the multisite WP instance, do not add them as websites. All alias domains of a website get included into the LE ssl cert of the website automatically. There is no need for any WP plugins to manage SSL certs.
    ahrasis likes this.
  11. sjau

    sjau Local Meanie Moderator

    Just be aware that LE currently has a limit of 100 FQDNs in a single cert. So domain.tld and www.domain.tld would already be 2 entries.
  12. Thane

    Thane New Member

    Hey Till,
    Thanks for the input! I went ahead and tested to see if that would work (seems legit)... I had tried AliasDomains before, but maybe didn't give ISPC enough time to reconfigure the Certificate. So I set up the AliasDomain in ISPC, the child domain is still not "connecting" to the Main-Domain's SSL. Upon further investigation I was looking at the Certificate in Firefox and under "Certificate>Certificate Fields>Extensions>Certificate Subject Alt Name" there is an entry for the Main-Domain AND an entry for one of the child-sites I have been testing with... So SOMETHING I did managed to bumble its way into getting one of my test child-sites onto my Main-Domain's certificate.

    So my Certificate has these entries now:

    Which is AWESOME, as it is at least a working prototype to getting this dream server setup "perfect"... I mapped child-site2 to the multisite network and it is working beautifully, appearing to be its own standalone site on the frontend (https://child-site2.com) while internally being a subsite in my multisite network :) Now if I could just figure out what mechanism triggered Child-Site2 to be added to the Main-Domain's SSL so that I can replicate the process for the next 50 sites >:|

    I tried turning off Main-Domain's certificate from ISPC, then waiting a few minutes, then re-enabling LE from ISPC hoping that action would trigger a new certificate that included Main-Domain along with its Alias Domains attached, no such luck so far... Do you think I need to remove the SSL Certificate off the server manually? Or should ISPC automatically re-adjust my LE Certificate for whatever AliasDomains are attached?

    sjau: Thanks for the warning! I had read an old article saying that, but it was an older article so I was somewhat hoping that maybe LE had changed its policy about that by now, in any case I only have 50 sites at the moment so that should be fine for at least migrating my existing sites into the multisite network. I think if I end up needing to add another site I will just deploy another multisite network for the next 50 sites :)
  13. Thane

    Thane New Member

    As I've reread my thread here for the 5th or 6th time hoping for an "ah hah" moment, I remembered reading in the forum somewhere about ISPC performing a 'letsencrypt renewal check' on a daily cron... So I'm wondering if I had previously added Child-Site2 as an AliasDomain - and left/forgot about it - then when ISPC did its letsencrypt check managed to set up Child-Site2 on my Main-Domain SSL?

    I've left Child-Site1.com set as an AliasDomain to Main-Domain.com in ISPC, will check tomorrow to see if my presumption is correct and report back here with my findings *cross fingers* :)
  14. Thane

    Thane New Member

    It didn't work, Child-Site1 and Child-Site2 are both Alias Domains to Main-Domain in ISPC but Child-Site1 still isn't connected to Main-Domain's SSL the way Child-Site2 is... I'm thinking during my hundreds of tests I must have set up Child-Site2.com as some other "thing" in ISPC in order to associate the site as an "alternate name" on Main-Domain's SSL Cert. Now figuring out WHAT I did will be the hard part.

    My next test, I will set up Child-Site1 as a Website in ISPC (without forcing the site to load to its root directory, it will continue getting grabbed by the Multisite as long as I don't force the site to resolve to my server's IP in Sites>Website>Web Domain>Child-Site1>IPv4 selector dropdown, leaving it as * will allow it to continue being "sucked in" and managed by the Multisite Network).

    In this test I will hope having it set as a Website in ISPC will do the trick, I will leave it overnight again and see what happens and report back tomorrow... Child-Site2 is mapped and using Main-Domain's SSL as an "alternate name" in the SSL Cert, so I *know* this setup will work, I just need to figure out what is making ISPC add the mapped domains to my Multisite network main Domain's SSL so they all validate properly in the browser... My quest continues...
  15. Thane

    Thane New Member

    I added Child-Site1 as a website in ISPC and checked the boxes for LetsEncrypt, no change (though I should leave it overnight just in case it is part of the renewal cron ISPC initiates daily with LE).

    I incidentally added Child-Site1 as a Sub Domain to Main-Domain, the subdomain is configured as thus: ChildSite1.Main-Domain.com. Upon inspection of Main-Domain's SSL I found this Sub-Domain entry in the SSL's Alt-Name's field, this is significant as I have configured this Multisite Network to "create" child sites as subdomains versus subfolders... This may be a clue as to why Child-Site2 is working, will continue investigating...
  16. Thane

    Thane New Member

    This secondary test has led to a dead end, I added multiple test Sub Domains and none of them are getting added to Main-Domain's SSL as Alt Names, now I'm doubly stumped as to how the first Sub-Domain I added to Main-Domain managed to get added to the certificate near-instantly... For now I will leave Child-Site1 an Alias Domain and see if anything changes by tomorrow.
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    FYKI, I do run a multiple/multitenancy ElkArte forum on an Ubuntu 16.04 Nginx server. Each and every domain is using its own LE SSL. So far I don't have problems with it. I am not sure how you built your server or configured your multiple WP websites, but when I have time, I'll try to read all your posts and see where and how I could help.
  18. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    @Thane, a few comments: when you add a domain or subdomain to a site with letsencrypt, ispconfig will try to add the new name(s) to the certificate via a cron job in a very short time (eg. minutes), you don't have to wait overnight to see if it works or not; the nightly cronjob is to renew existing certificates only. If site2 works but site1 doesn't, check DNS for site1 (and with auto subdomain of 'www' also check DNS of 'www.site1') to ensure it is correct, then give ispconfig a few minutes and assuming it is still not added to the certificate, check the letsencrypt log file to see what's going on. If you truly have done 'hundreds' of tests it's possible you've hit letsencrypt request limits, which should be indicated in the log.
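    Three posts in this thread (till's alias-domain advice, sjau's 100-names-per-certificate warning, and Jesse Norell's DNS-first checklist) describe one verification loop: work out which names ISPConfig will request, make sure each of them resolves to the server first, and then compare the issued certificate's Subject Alternative Names against that list. The script below is an added example, not code from the thread or from ISPConfig. It assumes ISPConfig requests `domain` plus each alias domain, each with the `www` auto-subdomain; the certificate text is a constructed fragment in the shape of `openssl x509 -noout -text` output, the `203.0.113.x` addresses and the `CONSTRUCTED_DNS` table are made up for offline use, and all function names are hypothetical.

```python
"""Reconcile the names ISPConfig should request with DNS and the issued cert.

Added example; not part of the thread or of ISPConfig.  Offline by design:
DNS lookups go through a pluggable resolver so a constructed table can stand
in for the real one.
"""
import re
import socket

LE_MAX_NAMES_PER_CERT = 100  # limit quoted in the thread

# Constructed fragment of `openssl x509 -in cert.pem -noout -text` output.
SAMPLE_CERT_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:main-domain.com, DNS:www.main-domain.com, DNS:child-site2.com, DNS:www.child-site2.com
"""

# Constructed DNS table: note www.child-site1.com is deliberately missing.
SERVER_IP = "203.0.113.10"
CONSTRUCTED_DNS = {
    "main-domain.com": SERVER_IP, "www.main-domain.com": SERVER_IP,
    "child-site1.com": SERVER_IP,
    "child-site2.com": SERVER_IP, "www.child-site2.com": SERVER_IP,
}


def table_resolver(name):
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    try:
        return CONSTRUCTED_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed: no A record for {name}")


def expected_names(domain, alias_domains, auto_subdomain="www"):
    """Names ISPConfig is assumed to put on the site's certificate, in order, deduplicated."""
    out, seen = [], set()
    for d in [domain, *alias_domains]:
        d = d.strip().lower().rstrip(".")
        for name in ([d, f"{auto_subdomain}.{d}"] if auto_subdomain else [d]):
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def parse_san(cert_text):
    """Extract DNS entries from the Subject Alternative Name line of openssl text output."""
    m = re.search(r"Subject Alternative Name:\s*([^\n]+)", cert_text)
    if not m:
        return []
    entries = (e.strip() for e in m.group(1).split(","))
    return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]


def name_budget(names, limit=LE_MAX_NAMES_PER_CERT):
    """How much of the per-certificate name limit this site already uses."""
    return {"count": len(names), "limit": limit,
            "over_limit": len(names) > limit, "remaining": max(limit - len(names), 0)}


def missing_from_cert(names, san_names):
    """Requested names that the issued certificate does not carry."""
    present = set(san_names)
    return [n for n in names if n not in present]


def dns_problems(names, server_ip, resolve=socket.gethostbyname):
    """Names that do not resolve, or resolve somewhere other than the server."""
    problems = {}
    for n in names:
        try:
            ip = resolve(n)
        except OSError as exc:          # socket.gaierror is an OSError subclass
            problems[n] = f"unresolvable: {exc}"
            continue
        if ip != server_ip:
            problems[n] = f"points at {ip}"
    return problems


def report(domain, alias_domains, cert_text, server_ip, resolve=socket.gethostbyname):
    names = expected_names(domain, alias_domains)
    return {"names": names, "budget": name_budget(names),
            "missing": missing_from_cert(names, parse_san(cert_text)),
            "dns": dns_problems(names, server_ip, resolve)}


if __name__ == "__main__":
    r = report("Main-Domain.com", ["child-site1.com", "child-site2.com"],
               SAMPLE_CERT_TEXT, SERVER_IP, resolve=table_resolver)
    for key, value in r.items():
        print(f"{key}: {value}")
```

    Run against the constructed data it flags `www.child-site1.com` as unresolvable, which would also explain why neither `child-site1.com` name made it onto the certificate: an ACME order fails as a whole if one of its names cannot be validated, so a single missing `www` record blocks every alias on that site. With `resolve` left at its default the same functions query real DNS.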
  19. Thane

    Thane New Member

    Hey ahrasis & Jesse,
    Thanks for the input!

    I had considered that possibility of overusing my LE limits, until my last round of tests wherein I was able to get a test subdomain added to my Main-Domain's SSL. Now I've removed the Alias-Domains from ISPC for the next test - just having Child-Site1.com set up as a subdomain to Main-Domain.com (not sure if I've done this already, but I guess worth testing again). 10-mins later = no change.

    Note: Child-Site1 and Child-Site2 both have identical DNS settings.

    Next test:
    Pretty sure I had tested adding the Child domains as a website in ISPC, and as long as I didn't specify a server IP address (leaving it as *) the Multisite continues controlling traffic for the domain, maybe this is the mechanism that added Child-Site2 to my Main-Domain's SSL... 10-mins later = no change.

    I inspected the ISPC log files, nothing of note... Well, plenty of debug info but no errors, it is working as far as adding new certs if I add a new website that's not mapped in my Multisite Network.
  20. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Check /var/log/letsencrypt/letsencrypt.log.