Hi all,
I’m just investigating the best way to handle a custom SSL setup to avoid SSL cert collision or overwrites. We have 2 WP Multisite installs in one wordpress_sites.yml (sharing the same Nginx instance.)
```yaml
wordpress_sites:
  ecom-sites.com:
    site_hosts:
      # ...and so on
    ssl:
      enabled: true
      provider: manual
      cert: /etc/letsencrypt/live/ecom-sites.com/fullchain.pem
      key: /etc/letsencrypt/live/ecom-sites.com/privkey.pem
  reg-sites.com:
    site_hosts:
      # ...and so on
    ssl:
      enabled: true
      provider: manual
      cert: /etc/letsencrypt/live/reg-sites.com/fullchain.pem
      key: /etc/letsencrypt/live/reg-sites.com/privkey.pem
```
Since we’re on CFlare we had an issue with Trellis-based renewals, so we switched to using Certbot with DNS-01 (Cloudflare API) and ssl: provider: manual to ensure we can renew origin certs through the proxy.
The issue we hit
Trellis copies manual SSL files during provision using this task:
```yaml
dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}"
```
Our files being named fullchain.pem and privkey.pem by certbot, both sites ended up writing to the same two paths on provision, the latter overwriting the former Multisite’s:
```
/etc/nginx/ssl/fullchain.pem
/etc/nginx/ssl/privkey.pem
```
Ultimately breaking access.
We could create one giant certificate that includes all sites, but I was wondering if there’s a better way that aligns with Trellis best practices for editing
```
/trellis/roles/wordpress-setup/tasks/nginx.yml
```
where it’s currently
```yaml
dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}"
```
possibly modifying it to:
```yaml
dest: "{{ nginx_ssl_path }}/{{ item.key }}.cert"
```
Possible output: /etc/nginx/ssl/ecom-sites.com.cert
Has anyone else worked with editing this file?
Appreciate any insight, though I understand it is perhaps more of a niche occurrence. Happy to share more details if helpful.
Thanks
Stephen
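As an added example (not Trellis code and not part of the post above), a small Python pre-flight check that models the nginx.yml `dest:` expression under both naming schemes and reports which sites would write the same file into nginx_ssl_path. It assumes nginx_ssl_path is /etc/nginx/ssl and goes one step beyond the proposed change by renaming the key file the same way (<site>.key), since privkey.pem collides exactly as fullchain.pem does.

```python
# Constructed pre-flight check, not Trellis code: models the nginx.yml `dest:`
# expression for each site's manual cert/key and reports name collisions.
from collections import defaultdict
from os.path import basename

NGINX_SSL_PATH = "/etc/nginx/ssl"  # assumed value of Trellis' nginx_ssl_path

# Constructed copy of the relevant parts of the wordpress_sites.yml above.
WORDPRESS_SITES = {
    "ecom-sites.com": {"ssl": {
        "enabled": True, "provider": "manual",
        "cert": "/etc/letsencrypt/live/ecom-sites.com/fullchain.pem",
        "key": "/etc/letsencrypt/live/ecom-sites.com/privkey.pem"}},
    "reg-sites.com": {"ssl": {
        "enabled": True, "provider": "manual",
        "cert": "/etc/letsencrypt/live/reg-sites.com/fullchain.pem",
        "key": "/etc/letsencrypt/live/reg-sites.com/privkey.pem"}},
}


def ssl_dest(site_key, ssl, kind, scheme):
    """Destination of one site's cert or key file under a naming scheme.

    "basename": current Trellis behaviour, `{{ item.value.ssl.cert | basename }}`.
    "site_key": the proposed `{{ item.key }}.cert`, applied to the key file too.
    """
    if scheme == "basename":
        name = basename(ssl[kind])
    elif scheme == "site_key":
        name = f"{site_key}.{kind}"
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return f"{NGINX_SSL_PATH}/{name}"


def find_collisions(sites, scheme):
    """Return {dest: [site_key, ...]} for every dest that more than one site writes."""
    writers = defaultdict(list)
    for site_key, site in sites.items():
        ssl = site.get("ssl", {})
        if not (ssl.get("enabled") and ssl.get("provider") == "manual"):
            continue  # only manual certs are copied into nginx_ssl_path
        for kind in ("cert", "key"):
            writers[ssl_dest(site_key, ssl, kind, scheme)].append(site_key)
    return {dest: owners for dest, owners in writers.items() if len(owners) > 1}


if __name__ == "__main__":
    for scheme in ("basename", "site_key"):
        print(scheme, find_collisions(WORDPRESS_SITES, scheme) or "no collisions")
```

Running it against the two-site layout reports both fullchain.pem and privkey.pem as written by both sites under the basename scheme and no collisions under the site-key scheme.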