Let’s Encrypt certificates with WordPress MultiSite
by Brian on Jan.27, 2020, under Computer Stuff, Linux
Lately, everyone seems to be moving to WordPress. It’s a rock-solid platform for publishing, with a low cost of administration. To securely allow a remote login to your WordPress site, you MUST use an SSL certificate to encrypt the login communications.
I’ve found that LetsEncrypt.org really solves that problem, and with minimal setup required. The biggest catch that I found to using LetsEncrypt.org certificates with my domains was this:
You need a DNS host that supports CAA records. SSLMate publishes a list of those hosts here.
So first, you MAY need to move your authoritative DNS zone to a host that supports CAA records. I’ll wait.
After that, you need a CAA record for the root of your domain name.
It should look something like this:
@ CAA 6h 0 issue "letsencrypt.org"
Once your record is in place, you can validate it using DNSSpy here.
Now that your DNS record is answering correctly, it’s time to address the WordPress installation. WordPress can be installed in any number of ways. I usually use Apache2, MySQL, PHP, etc.: a common Linux LAMP stack.
Traditionally, when installing multiple WordPress sites on the same web server, I’d create a separate virtual host and directory for each site. Things have changed, though, and now I can use WordPress Multisite. This allows (and requires) all of your sites to use the same virtual directory. (In most cases, that’s the main web root of your server. On most Linux OSs, that’s /var/www/html.)
For a basic WordPress installation, see this link.
For a deep-dive into the WordPress Network creation and enabling Multisite, see this link.
Since Apache2 comes with a default virtual directory and a default virtual host definition that covers the root of the web server, you don’t *need* to add a virtual host directive for each site you add using WordPress Multisite, because WordPress Multisite handles requests for each site. However, if you want to take advantage of a free, auto-renewing 3-month SSL certificate from Let’s Encrypt, you need an Apache virtual host entry for each site in WordPress Multisite.
So, we’ve just installed WordPress Multisite, and we’ve created our first site of testdomain.com.
In Apache2 on Ubuntu 18, you need to edit 2 files. They are:
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/000-default-le-ssl.conf
##/etc/apache2/sites-available/000-default.conf##
(this is the default, leave it alone)
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    # same root for all sites
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
(you’re going to add this for each new site, changing the site name)
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName testdomain.com
    ServerAlias www.testdomain.com
    # same root for all sites
    DocumentRoot /var/www/html
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    # send every plain-HTTP request for this site to its HTTPS equivalent
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =testdomain.com [OR]
    RewriteCond %{SERVER_NAME} =www.testdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
##/etc/apache2/sites-available/000-default-le-ssl.conf##
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName testdomain.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
After you install and run certbot, you’ll see these lines added to the end of each virtual host in the SSL config file above:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/testdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/testdomain.com/privkey.pem
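As a check on the per-site setup above, this added example (not part of the original post) reads the vhost blocks and reports which names served on port 80 have no matching :443 block or no certificate line yet. The sample input is constructed from the post's testdomain.com blocks; seconddomain.example and the function names are assumptions.

```python
import re

# Constructed sample: the post's testdomain.com blocks reduced to their name
# and certificate lines, plus a hypothetical second site without a :443 block.
SAMPLE = """
<VirtualHost *:80>
    ServerName testdomain.com
    ServerAlias www.testdomain.com
</VirtualHost>
<VirtualHost *:80>
    ServerName seconddomain.example
</VirtualHost>
<VirtualHost *:443>
    ServerName testdomain.com
    SSLCertificateFile /etc/letsencrypt/live/testdomain.com/fullchain.pem
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE = re.compile(r"(?im)^[ \t]*(ServerName|ServerAlias|SSLCertificateFile)[ \t]+(\S.*?)[ \t]*$")

def parse_vhosts(text):
    """Return (port, hostnames, has_certificate) for each <VirtualHost> block."""
    vhosts = []
    for port, body in VHOST.findall(text):
        names, has_cert = set(), False
        for key, value in DIRECTIVE.findall(body):
            if key.lower() == "sslcertificatefile":
                has_cert = True
            else:  # ServerName holds one name, ServerAlias may list several
                names.update(n.lower() for n in value.split())
        vhosts.append((int(port), names, has_cert))
    return vhosts

def audit(text):
    """Map every hostname served on :80 to the state of its HTTPS coverage."""
    vhosts = parse_vhosts(text)
    tls = {n: cert for port, names, cert in vhosts if port == 443 for n in names}
    http_names = set().union(*(names for port, names, _ in vhosts if port == 80))
    findings = {}
    for name in http_names:
        if name not in tls:
            findings[name] = "no :443 vhost"  # Apache falls back to the first :443 vhost
        else:
            findings[name] = "ok" if tls[name] else "no certificate yet"
    return findings

if __name__ == "__main__":
    print("\n".join(f"{h:24} {s}" for h, s in sorted(audit(SAMPLE).items())))
```

Run against the post's own blocks, it reports www.testdomain.com as not named by any :443 vhost, because the SSL block carries a ServerName line but no ServerAlias.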