Wordpress Multisite with Conditional SSL Certificates

I have a Wordpress multisite with each site having its own unique domain (not subdomains … different domain for each site). Is there a way in Trellis to handle/upload a certificate for each of these sites?

I believe it should be the same for separate domain as it would be for subdomains which is documented here: Multisite | Trellis Docs | Roots

The example is for subdomains:

  - canonical: example.com
      - www.example.com
  - canonical: subdomain.example.com
      - www.subdomain.example.com

But it would work the same for unique domains:

  - canonical: example1.com
      - www.example.com
  - canonical: example2.com
      - www.example2.com
1 Like

I should have mentioned I’m attempting to do this without letsencrypt since it’s a CloudFlare situation. I could move forward either by switching off CloudFlare and using LetsEncrypt, or using CloudFlare’s “flexible” SSL setting.

I decided to explore this anyway. What I’m attempting is an NGINX conf like below:

map $ssl_server_name $certfile {
domain1.com    /etc/nginx/ssl/domain1.cert;
domain2.com    /etc/nginx/ssl/domain2.cert;
domain3.com    /etc/nginx/ssl/domain3.cert;
map $ssl_server_name $keyfile {
domain1.com    /etc/nginx/ssl/domain1.key;
domain2.com    /etc/nginx/ssl/domain2.key;
domain3.com    /etc/nginx/ssl/domain3.key;

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name domain1.com domain2.com domain3.com;


  # SSL configuration
  include h5bp/directive-only/ssl.conf;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000; ; ";
  ssl_certificate         $certfile;
  ssl_certificate_key     $keyfile;


But I’m getting an error:

2023/01/28 21:18:23 [error] 99989#99989: *386 cannot load certificate "/etc/nginx/ssl/domain1.cert": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/nginx/ssl/domain1.cert, r) error:10080002:BIO routines::system lib) while SSL handshaking, client:, server:

If anyone has insight, much appreciated.

The nginx process cannot read the cert file, as it doesn’t have sufficient permissions.
Security-related files as certificate-related files are usually much more locked down.

Ensure the file modes of the certificate files in your more customized setup reflect those used by Trellis for the certificate cert and key files, so nginx can use them:

I double checked all the permissions, and my custom Trellis tasks were literally copied from the ones you shared. For some reason, using a variable in an SSL file path just wasn’t working with CloudFlare. And variables are allowed.

I ended up making a server block for each site, which seems to be the recommended way anyway, and it worked (and I should mention it’s working with the exact same SSL certs & keys that failed when I was using a variable in the file path).

Very strange, but I got it working and accomplished what I set out to do. Thanks for the prompt responses!

1 Like