Wordpress Multisite with Conditional SSL Certificates

I have a Wordpress multisite with each site having its own unique domain (not subdomains … different domain for each site). Is there a way in Trellis to handle/upload a certificate for each of these sites?

I believe it should be the same for separate domain as it would be for subdomains which is documented here: Multisite | Trellis Docs | Roots

The example is for subdomains:

site_hosts:
  - canonical: example.com
    redirects:
      - www.example.com
  - canonical: subdomain.example.com
    redirects:
      - www.subdomain.example.com

But it would work the same for unique domains:

site_hosts:
  - canonical: example1.com
    redirects:
      - www.example1.com
  - canonical: example2.com
    redirects:
      - www.example2.com

I should have mentioned I’m attempting to do this without letsencrypt since it’s a CloudFlare situation. I could move forward either by switching off CloudFlare and using LetsEncrypt, or using CloudFlare’s “flexible” SSL setting.

I decided to explore this anyway. What I’m attempting is an NGINX conf like below:

# map blocks must live in the http {} context, outside any server {} block
map $ssl_server_name $certfile {
    default        /etc/nginx/ssl/domain1.cert;  # fallback for clients that send no SNI
    domain1.com    /etc/nginx/ssl/domain1.cert;
    domain2.com    /etc/nginx/ssl/domain2.cert;
    domain3.com    /etc/nginx/ssl/domain3.cert;
}
map $ssl_server_name $keyfile {
    default        /etc/nginx/ssl/domain1.key;
    domain1.com    /etc/nginx/ssl/domain1.key;
    domain2.com    /etc/nginx/ssl/domain2.key;
    domain3.com    /etc/nginx/ssl/domain3.key;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name domain1.com domain2.com domain3.com;

  ...

  # SSL configuration
  include h5bp/directive-only/ssl.conf;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000";
  # variables in ssl_certificate/ssl_certificate_key need nginx 1.15.9+ and are
  # evaluated on every handshake, so the files are opened by the worker process
  ssl_certificate         $certfile;
  ssl_certificate_key     $keyfile;

  ...
}

But I’m getting an error:

2023/01/28 21:18:23 [error] 99989#99989: *386 cannot load certificate "/etc/nginx/ssl/domain1.cert": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/nginx/ssl/domain1.cert, r) error:10080002:BIO routines::system lib) while SSL handshaking, client: 162.158.62.137, server: 0.0.0.0:443

If anyone has insight, much appreciated.

The nginx process cannot read the cert file, as it doesn’t have sufficient permissions.
Security-related files, such as certificate files, are usually much more locked down.

Ensure the file modes of the certificate files in your more customized setup reflect those used by Trellis for the cert and key files, so nginx can use them:

I double checked all the permissions, and my custom Trellis tasks were literally copied from the ones you shared. For some reason, using a variable in an SSL file path just wasn’t working with CloudFlare. And variables are allowed.

I ended up making a server block for each site, which seems to be the recommended way anyway, and it worked (and I should mention it’s working with the exact same SSL certs & keys that failed when I was using a variable in the file path).

Very strange, but I got it working and accomplished what I set out to do. Thanks for the prompt responses!

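The error quoted earlier was raised "while SSL handshaking", and the handshake is done by an nginx worker running as the account from the `user` directive, so a certificate path given through a variable must be readable by that account rather than by the root master process that loads static paths at startup. The script below is an added diagnostic, not code from this thread or from Trellis, that checks exactly that for a list of cert and key files; it assumes GNU stat and that `www-data` is the worker user.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Trellis): can the nginx worker
# user read a given cert/key? With a variable in ssl_certificate the file is
# opened during the handshake by a worker running as the `user` directive's
# account (assumed www-data here), not by the root master process at startup.

# mode_allows_read OWNER GROUP OCTAL_MODE USER "GROUP1 GROUP2 ..."
# Exit 0 if USER could fopen() the file: owner bit if USER owns it, group bit
# if USER belongs to the file's group, otherwise the "other" bit.
mode_allows_read() {
  owner=$1 group=$2 mode=$3 user=$4 groups=$5
  [ "$user" = root ] && return 0                       # root bypasses mode bits
  perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/') # drop suid/sgid/sticky digit
  if [ "$user" = "$owner" ]; then
    bit=$(printf '%s' "$perms" | cut -c1)
  elif printf ' %s ' "$groups" | grep -qF " $group "; then
    bit=$(printf '%s' "$perms" | cut -c2)
  else
    bit=$(printf '%s' "$perms" | cut -c3)
  fi
  [ $((bit & 4)) -ne 0 ]
}

# key_world_readable OCTAL_MODE: exit 0 if "other" can read it (bad for a key)
key_world_readable() {
  o=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
  [ $((o & 4)) -ne 0 ]
}

# check_tls_file USER PATH: inspect a real file (GNU stat) and print a verdict
check_tls_file() {
  user=$1 path=$2
  info=$(stat -c '%U %G %a' "$path") || return 2
  set -- $info                                         # $1=owner $2=group $3=mode
  if mode_allows_read "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)"; then
    echo "OK   $path ($1:$2 $3) readable by $user"
  else
    echo "FAIL $path ($1:$2 $3) NOT readable by $user"; return 1
  fi
  case $path in
    *.key) key_world_readable "$3" && echo "WARN $path is world-readable" ;;
  esac
  return 0
}

# Usage: sh check-tls-perms.sh www-data /etc/nginx/ssl/domain1.cert /etc/nginx/ssl/domain1.key
[ $# -eq 0 ] || { user=$1; shift; for f; do check_tls_file "$user" "$f"; done; }
```

A FAIL on a file that nginx serves fine with a static path is the expected signature of the variable-path problem: the root master process could read it, the worker cannot.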