SSL certificates, oh SSL certificates. Where to begin? These little certificates help hold the big web securely together to protect websites. But they are finicky. Reclaim Hosting uses Let’s Encrypt across our infrastructure and using it on Reclaim Cloud was a no-brainer. Jelastic partners with Let’s Encrypt to bring SSL certificates as an addon to most environments.
This week was all about SSL certificates and, continuing on-trend with Reclaim Cloud learning, specifically about using a custom wildcard SSL certificate for a few WordPress Multisites that Reclaim Hosting manages.
I’d always issued SSL certificates through Let’s Encrypt in cPanel or within the Addon feature in Reclaim Cloud. Let’s Encrypt makes it super easy to work with the SSL certificates by provisioning and renewing automatically.
Let’s Encrypt Addon
Sometimes, though, the SSL certificate doesn’t provision properly. A quick tip I found (thanks to Goutam!): you can add your custom URL to the Let’s Encrypt add-on. So while your URL is active and online, Let’s Encrypt will need a “refresher” to issue the certificate to that particular URL.
If the URL is not listed you can add it to the external domains section and apply the setting. You will need to update the SSL certificate from here.
The next option through Reclaim Cloud for SSL is a custom SSL certificate. You can purchase the SSL certificate from an external company and work with that with your environment. I found that the SSL documentation on Jelastic was super helpful in this capacity. We recently had to add an SSL certificate to cover a wildcard subdomain, for a WordPress multisite.
The custom SSL certificate needs 3 items to implement: a server key, an intermediate certificate, and the domain certificate.
First, we needed to generate the certificate signing request (CSR). This is done through a program like OpenSSL and it runs through the WebSSH feature for the environment. Once we have the CSR, we’ll receive a server key. The server key is uploaded to our environment, and then we send the CSR to the user.
Then the user will use the CSR to generate the Intermediate Certificate and finally the Domain Certificate. The Intermediate Certificate is used with the provisioning company to ensure they’re verified to issue the SSL certificate to Reclaim and to the user. These are then sent back to Reclaim to upload to the environment.
Once all 3 items are in place, we can issue the SSL certificate for the environment. We did run into the issue where we needed to reissue the Let’s Encrypt plugin to cover the main URL on the WPMS from there.
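The CSR step described above, as it might be typed into WebSSH. This is an added example, not Reclaim Hosting's or Jelastic's own procedure: it creates the server key and a wildcard CSR with OpenSSL, then confirms the CSR carries that key's public half before the CSR is sent out. It assumes OpenSSL 1.1.1 or later (for `-addext`); the domain `example.test` and the file names `server.key` and `domain.csr` are placeholders.

```shell
#!/bin/sh
# Added example: domain, directory and file names are placeholders.

# make_csr DOMAIN OUTDIR: create a private key and a wildcard CSR for DOMAIN.
make_csr() {
    domain=$1; out=$2
    mkdir -p "$out"
    # Subshell with umask 077 so server.key is created readable by its owner only.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$out/server.key" -out "$out/domain.csr" \
            -subj "/CN=*.$domain" \
            -addext "subjectAltName=DNS:*.$domain" 2>/dev/null
    )
}

# csr_names CSR: print the DNS names the CSR asks the issuer to cover.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_matches_key CSR KEY: succeed only if the CSR embeds KEY's public key.
# A certificate issued from a CSR that fails this check will not work with KEY.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a throwaway directory with a constructed domain.
tmp=$(mktemp -d)
make_csr example.test "$tmp" && csr_names "$tmp/domain.csr"
csr_matches_key "$tmp/domain.csr" "$tmp/server.key" && echo "CSR matches server.key"
rm -rf "$tmp"
```

Only `domain.csr` leaves the server; `server.key` stays in the environment and is never sent to the user or the issuing company.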
If you’re working with a WordPress multisite on Reclaim Cloud, you’ll want to pay attention to the type of Multisite you’re working with. Is this a subdirectory (domainname.com/subdirectory) or a subdomain (subsite.domainname.com) WordPress install?
If you’re working with a subdirectory Multisite, then you can follow the steps listed above with no problem! The SSL certificate will cover all URLs that fall under the main domainname.com portion.
For a subdomain WordPress Multisite installation, you’ll still want to complete the steps listed above, but you’ll want to take note of the URLs listed above as you’ll need to add those to the Let’s Encrypt add-on to ensure they’re covered.
If the multisite is a large instance, you’ll want to opt for a Wildcard SSL certificate. This will cover all subdomains created within the multisite. You’ll need to purchase this with a third party, then follow the Custom SSL steps listed above.
There is an additional step you’ll need to do within your environment, however. The custom SSL steps will upload the necessary files within the server, but in order for them to take hold, you will need to ensure that the configuration files are set to locate the particular certificate.
It should look something like this:
Once those configuration files are set, you’ll want to add the Let’s Encrypt SSL certificate to the main URL and you’re good to go!
Typically, SSL certificates can last 3 months when working with Let’s Encrypt, or 1 year+ when working with another company. Let’s Encrypt renews automatically, while the third-party certificate will need to be updated manually.