Roots Discourse

Site on Trellis-provisioned DO droplet + Subdom site on 2nd droplet + CloudFlare OC


#1

Scenario:

  1. Trellis/Bedrock site on DO droplet for domain.com:
    • SSL set to cloudflare-origin-ca as per Trellis Cloudflare Origin CA
    • wordpress_sites.yml > cloudflare_origin_ca > hostnames:
      • domain.com
      • '*.domain.com'
    • Certificate life = 15 years
    • CloudFlare SSL = Full (strict)
    • SITE WORKING PERFECTLY! :heart_eyes:
  2. Trellis/Bedrock site on separate DO droplet for subdomain.domain.com:
    • SSL not yet enabled, but needs to be…
    • A Record on CloudFlare DNS of main site pointing to this droplet IP

Question: How should SSL be configured in Trellis for second (subdomain) site/droplet if the goal is:

  • CloudFlare Origin Certificate: Can this subdomain site be included in certificate of main domain? How?
  • If a separate CF OC is required (one dedicated to this site/droplet), can it still be done via automated provisioning within Trellis? How?
  • This subdomain site, and others that may be added, should be fully administered using the same processes and tools as the main site (Trellis, CloudFlare, DO)
  • WordPress Multisite is not an option

The sites in question are high profile, so there’s a tight limit on how much experimentation I can do…


#2

Good morning, all!

Today is my deadline for figuring this our - or giving up and pushing the second site to it’s own domain name, rather than a subdomain.

Any thoughts?


#3

Since both sites will be using the same certificate it should work fine. You MIGHT run into an issue with HSTS but again, same certificate so probably not.

Trellis doesn’t use certificates any differently than any other site, so if this config would work elsewhere, it should work with Trellis.


#4

Thank you for the feedback.

Yes, this is essentially what I’m hoping will happen, but not sure how to implement… Presumably, the subdomain site must also be deployed with SSL enabled, but which provider?

If I use the same provider (CloudFlare), don’t I also have to specify all remaining settings, thereby causing a new certificate to provision? And what would happen to the existing certificate in this case? Is it possible to enable SSL in Trellis without specifying any provider (for the subdomain site), and could this actually be what I need here?


#5

I’m not sure how CloudFlare’s SSL works, but I presumed it was a manual process, as outlined here in the documentation:


#6

My mistake, I missed that you’re using https://github.com/TypistTech/trellis-cloudflare-origin-ca

Have you tried simply provisioning with subdomain.domain.com in the CA config on the subdomain site?


#7

NP. Please clarify your suggestion: Are you asking about using subdomain.domain.com in the hostnames section of the SSL config (likely along with '*.subdomain.domain.com'), with provider = cloudflare-origin-ca, and all remaining settings equivalent to the SSL config for domain.com?

Actually, no, I haven’t tried this because I read elsewhere that this approach cannot work due to the way CloudFlare issues certificates per domain (main domain only, allowing one level of wildcard). Of course, I can’t find that link right now, so I’m not sure I’m even remembering it correctly…

So, I suppose, lacking input to the contrary from anyone else, I will try this tonight despite what I think I’m remembering from elsewhere. I’ll report results here upon success/failure, of course.

Meanwhile, I feel compelled to share that the whole process linked above feels as seamless and elegant as SSL with LE, but we get a 15 year certificate with one less player in the chain. Beautiful work! Thank you @TangRufus!


#8

I wouldn’t think you’d need the wildcard at all on the subdomain.


#9

No matter how many servers/sites you provision, Trellis Cloudflare Origin CA just work!

All you need to do is configuare wordpress_sites to have correct hostnames (or omit it) and re-provision.

This is an example assuming that you have 2 servers, 2 trellis repos:

# The first trellis repo, i.e: the main site

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.com
        redirects:
          - www.example.com
    ssl:
      enabled: true
      stapling_enabled: false
      provider: cloudflare-origin-ca
    # The followings are optional
    # Manually "merging" hostnames into wildcards gives you a little bit performance boost
    # Omit them when in doubt, the role will try to figure what hostnames you need
    cloudflare_origin_ca:
      hostnames:
        - example.com
        - '*.example.com'
# The second trellis repo, i.e: the sub sites

wordpress_sites:
  sub.example.com:
    site_hosts:
      - canonical: sub.example.com
        redirects:
          - sub2.example.com
          - sub3.example.com
    ssl:
      enabled: true
      stapling_enabled: false
      provider: cloudflare-origin-ca
    # The followings are optional
    # Manually "merging" hostnames into wildcards gives you a little bit performance boost
    # Omit them when in doubt, the role will try to figure what hostnames you need
    cloudflare_origin_ca:
      hostnames:
        - '*.example.com'

  • SSL cert never shared between web servers
  • SSL cert never leaves its web server (do not attempt to do so)
  • Each web server has its own SSL certs (more than 1 if you deploy multiple sites onto the same server which I do not recommand)
  • If you have multiple web servers for the same site (i.e: behind a load balancer), each server provision its own own SSL certs (1 for each site)
  • Each site has 1 cert on each server, no matter how many domains are pointing to it (canonical & redirects)

For example:

  • Deploying 1 site to 1 web server: 1 cert
  • Deploying 1 site to 3 web servers: 3 certs (all with the same hostnames)
  • Deploying 2 sites to 1 web server: 2 certs (with different hostnames)
  • Deploying 2 sites to 3 web servers: 6 certs

Ansewer to all your questions: Nothing to worry.


#10

FANTASTIC! THANKS!

Everything worked exactly as you described.

And thanks to this exercise, I believe I also have a better understanding now of how and why certificate provisioning works as it does (at least in this sort of scenario). So, thanks for the support AND the education!