[wp-hackers] SSL Domain Mapping with WP Multisite

Brian Layman wp-hackers at thecodecave.com
Mon Jun 4 14:55:06 UTC 2012


Here's the issue: in order to have completely secure communication, 
Apache only uses the IP address/port of inbound communication to 
identify the traffic destination and send the correct certificate and 
begin encryption.

So if you are hosting multiple sites on the same IP address, Apache 
won't know which certificate to send.  Apache will do the only thing it 
can and send the first/default certificate for that IP in order to try 
to be secure.  If you have dozens of sites, chances are the 
communication isn't for the first vhost you have configured and so the 
certificate will be wrong.

However once you understand what it is doing, it allows you to get 
around the problem and serve multiple secure domains using vhost.  What 
you MUST do is configure your certificate to validate for all of the 
domains (straight domain and www or *) that will be served under that IP 
address.  You can configure a certificate for any number of sites, but 
I've been told to limit it to a couple dozen to be practical - you never 
know how the client/browser will handle a large number of sites in a 
certificate.

If you have more than a couple dozen sites, then serve the remaining 
sites under a different IP address with another certificate for the next 
dozen or two sites.  Creating this many certificates could become 
expensive, so I recommend that you get certified through StartSSL.com 
and become your own notary in order to issue your own certificates, as I 
have.

Apache will yell at you that you've configured your sites incorrectly; 
in most cases that would be true. It's unusual for a certificate to span 
multiple sites and a new release of Apache could change this behaviour.  
However: Yes, I have done it and that's how I did it.

Brian Layman


On 6/4/2012 9:40 AM, SWORD Studios wrote:
> I'm looking to host a couple hundred sites on a WordPress Multisite
> Network.  Each site will have its own mapped domain.  I've done all this
> many many times.
>
> My new issue is that about a dozen of these sites need SSL to be compliant
> (with their industry manufacturers).  I'm having some real issues
> accomplishing https://domain.com as a mapped domain to these sites.
>   Everything I've read (some links below) makes it seem possible as long as
> you are using SNI or a WildCard SSL to support multiple ssl's on the same
> IP.
>
> I'm looking for a real solution to this problem.  I've spent hours reading
> many forum posts, articles, tutorials and everything seems to be
> theoretical.  I have yet to see anyone actually say "Yes I've done this and
> this is how I did it."   Has anyone actually accomplished this task?    If
> not can anyone provide me with instructions on how to move forward.
>
> Thank you in advance for any help.
>
> http://wordpress.org/support/topic/plugin-wordpress-mu-domain-mapping-ssl-and-mapped-domain
>
> http://wordpress.org/support/topic/plugin-wordpress-mu-domain-mapping-ssl-with-mapped-domain
>
> http://lists.automattic.com/pipermail/wp-hackers/2011-August/040649.html
>
> Jesse
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
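
A check for the requirement described in the message above, that the shared certificate validates for every domain served under the IP (added example, not part of the original post). The domain names and function names are constructed for illustration, and the wildcard handling assumes the usual rule that `*` stands for exactly one left-most label:

```python
# Added example: check that one certificate's SAN list covers every
# domain served from a shared IP. All domain names below are constructed.

def san_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one dNSName entry (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, vhosts):
    """Return the vhost names that no SAN entry validates, in order."""
    return [v for v in vhosts if not any(san_matches(s, v) for s in sans)]


# Constructed sample: SAN entries on the shared certificate.
CERT_SANS = ["example.com", "*.example.com", "shop.example.net", "www.example.org"]

# Constructed sample: every ServerName/ServerAlias on the shared IP.
VHOSTS = [
    "example.com",          # covered by the bare-domain entry
    "www.example.com",      # covered by the wildcard
    "a.b.example.com",      # NOT covered: wildcard spans one label only
    "shop.example.net",     # covered exactly
    "example.org",          # NOT covered: only www.example.org is listed
]

if __name__ == "__main__":
    for name in uncovered(CERT_SANS, VHOSTS):
        print("certificate does not validate for:", name)
```

Any name this reports would be served the shared certificate and fail hostname validation in the browser, so it needs to be added to the certificate before the vhost goes live on that IP.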

