Trellis/Bedrock site on separate DO droplet for subdomain.domain.com:
SSL not yet enabled, but needs to be…
A Record on CloudFlare DNS of main site pointing to this droplet IP
Question: How should SSL be configured in Trellis for second (subdomain) site/droplet if the goal is:
CloudFlare Origin Certificate: Can this subdomain site be included in certificate of main domain? How?
If a separate CF OC is required (one dedicated to this site/droplet), can it still be done via automated provisioning within Trellis? How?
This subdomain site, and others that may be added, should be fully administered using the same processes and tools as the main site (Trellis, CloudFlare, DO)
WordPress Multisite is not an option
The sites in question are high profile, so there’s a tight limit on how much experimentation I can do…
Since both sites will be using the same certificate it should work fine. You MIGHT run into an issue with HSTS but again, same certificate so probably not.
Trellis doesn’t use certificates any differently than any other site, so if this config would work elsewhere, it should work with Trellis.
Yes, this is essentially what I’m hoping will happen, but not sure how to implement… Presumably, the subdomain site must also be deployed with SSL enabled, but which provider?
If I use the same provider (CloudFlare), don’t I also have to specify all remaining settings, thereby causing a new certificate to provision? And what would happen to the existing certificate in this case? Is it possible to enable SSL in Trellis without specifying any provider (for the subdomain site), and could this actually be what I need here?
NP. Please clarify your suggestion: Are you asking about using subdomain.domain.com in the hostnames section of the SSL config (likely along with '*.subdomain.domain.com'), with provider = cloudflare-origin-ca, and all remaining settings equivalent to the SSL config for domain.com?
Actually, no, I haven’t tried this because I read elsewhere that this approach cannot work due to the way CloudFlare issues certificates per domain (main domain only, allowing one level of wildcard). Of course, I can’t find that link right now, so I’m not sure I’m even remembering it correctly…
So, I suppose, lacking input to the contrary from anyone else, I will try this tonight despite what I think I’m remembering from elsewhere. I’ll report results here upon success/failure, of course.
Meanwhile, I feel compelled to share that the whole process linked above feels as seamless and elegant as SSL with LE, but we get a 15 year certificate with one less player in the chain. Beautiful work! Thank you @TangRufus!
All you need to do is configuare wordpress_sites to have correct hostnames (or omit it) and re-provision.
This is an example assuming that you have 2 servers, 2 trellis repos:
# The first trellis repo, i.e: the main site
wordpress_sites:
example.com:
site_hosts:
- canonical: example.com
redirects:
- www.example.com
ssl:
enabled: true
stapling_enabled: false
provider: cloudflare-origin-ca
# The followings are optional
# Manually "merging" hostnames into wildcards gives you a little bit performance boost
# Omit them when in doubt, the role will try to figure what hostnames you need
cloudflare_origin_ca:
hostnames:
- example.com
- '*.example.com'
# The second trellis repo, i.e: the sub sites
wordpress_sites:
sub.example.com:
site_hosts:
- canonical: sub.example.com
redirects:
- sub2.example.com
- sub3.example.com
ssl:
enabled: true
stapling_enabled: false
provider: cloudflare-origin-ca
# The followings are optional
# Manually "merging" hostnames into wildcards gives you a little bit performance boost
# Omit them when in doubt, the role will try to figure what hostnames you need
cloudflare_origin_ca:
hostnames:
- '*.example.com'
SSL cert never shared between web servers
SSL cert never leaves its web server (do not attempt to do so)
Each web server has its own SSL certs (more than 1 if you deploy multiple sites onto the same server which I do not recommand)
If you have multiple web servers for the same site (i.e: behind a load balancer), each server provision its own own SSL certs (1 for each site)
Each site has 1 cert on each server, no matter how many domains are pointing to it (canonical & redirects)
For example:
Deploying 1 site to 1 web server: 1 cert
Deploying 1 site to 3 web servers: 3 certs (all with the same hostnames)
Deploying 2 sites to 1 web server: 2 certs (with different hostnames)
And thanks to this exercise, I believe I also have a better understanding now of how and why certificate provisioning works as it does (at least in this sort of scenario). So, thanks for the support AND the education!