Alias Domain - Letsencrypt Limit and wildcard cert interactions

Discussion in 'Installation/Configuration' started by cjsdfw, Apr 29, 2020.

  1. cjsdfw

    cjsdfw Member

    Hi everyone,
    I am getting ready to deploy a WordPress Multi-site in my newly configured ISPConfig managed multiserver setup and before doing so I wanted to ask about Alias Domain limits (kind of). The question is not WordPress related.

    Based on what I read in this ISPConfig Post #10, I should make use of Alias Domain for mapping domains of the WordPress Multisite setup and indeed it seems like the way to go as my concern was the SSL certificates needed for the Mapped Domain. The Alias Domain adds the Domain Name to the main site SSL certificate. Beautiful, great work ISPConfig!

    So I have a couple of questions related to this process:
    1. What is the limit in the number of alias domains that I can create and still get the domain name added to the main certificate?
    2. Is it possible to set up a Letsencrypt wild card certificate for the main domain and still get ISPConfig Alias Domain functionality to work with it?
    The reason for question #2 arises from the fact that my Multisite setup generates subdomain sites dynamically at user request. Since I do not know when a Multisite site will be created, I need to set up a wildcard domain for the site.

    I have not set up the Multi-site in my server yet and I do understand that a Letsencrypt wildcard certificate requires an interactive validation with the DNS. In my case I use VULTR VPS and there is a DNS API to interact with and get the validation done: have not done it yet. My question is not how to do this but rather if I have a wildcard certificate already installed for the main site will the "Alias Domain" functionality of ISPConfig alter the wildcard certificate properly to add the mapped domain site to it?

    Any pointers will be greatly appreciated. I wanted to ask before setting up Multi-site to avoid misconfigurations from the start if possible.
    Thanks in advance
    Last edited: Apr 29, 2020
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  3. cjsdfw

    cjsdfw Member

    Hi Ahrasis
    Thanks for replying to my question. Your posting on wildcard certs is way over my head but quite illustrating, thanks.
    I kept thinking about my needs and perhaps there is a work-around, if you could comment I would appreciate your thoughts.

    There are two ways to setup Wordpress Multi-site:
    1) Use sub-domains for dynamically created sites.
    2) Use sub-directories for dynamically created sites.

    If I go for option (2):
    I do not need the wild card certificate as the main site (network) certificate will work for all the dynamically generated sites. I can then use ISPConfig Alias Domain to add the mapped domains to the main certificate for those sites which opt for Mapped Domains.
    Mapped domains are not dynamically set in WordPress so I can handle them manually in ISPConfig as required.
    What I don't like of this option is that the resulting Site URL is less appealing, ie: mynetwork.tld/Site_Directory versus Site_Directory/mynetwork.tld.

    If I go for option (1), which is my preferred way to setup Multi-site, I run into the wild card certificate having to be re-issued after adding a new Alias Domain. I would like to avoid having to re-issue the wildcard certificate every time a domain is mapped.

    So here is the envisioned scenario and my question:
    If I go for option (1) and manually set up the wildcard cert using a DNS plugin the cert will be renewed automatically by the CRON Job. The only issue is adding the Alias Domain will upset the main site certificate.

    The question is: Is there a way to "Park a Domain" in ISPConfig?
    What I mean by "Park a Domain" is create a vhost conf file where a new individual certificate gets created for the vhost but the root directory in the vhost file is pointed to the root directory of the network site. From what I read elsewhere that would be the way to "Park a Domain" manually in Apache.

    Perhaps the answer might be to create a new site for the Mapped Domain and then manually edit its vhost file to change the root directory location, ie, pointed to the network root?

    Again your thoughts would be greatly appreciated.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Does your WordPress site have more than 100 subdomains + aliasdomains? If not, then there is no wildcard cert needed. All you have to do is to add the new subdomains that you add in WordPress as subdomains in ISPConfig too, ISPConfig takes care to add the domains to the LE SSL cert automatically. The same for alias domains, just add them as alias domain in ISPConfig when you add them in WordPress, ISPConfig takes care that the alias domain gets added to the site cert automatically.

    Just create a website with domain name 000default.tld in ISPConfig and then just point all parked domains in DNS to the IP of your server. All of them will end up in the default site.
  5. cjsdfw

    cjsdfw Member

    Hi Till,
    Thanks for replying.
    The WordPress multisite does not have 100 subdomains yet but I am hoping it will in time. The reason I don't go with this approach is that the sites are dynamically created in Multisite, meaning I do not intervene in the process. Only if they want to map a domain to their site I will manually intervene.

    I would much rather create a wildcard cert for the network (the main domain) and handle mapped domain certificates individually. This way I will not run into Letsencrypt 100 domains limit issue. The wildcard will handle any number of subdomains and best I can figure there is no practical limit to the individual certs requested: perhaps there is an account limit, I don't know.

    This approach sounds more like the way I would like to proceed but I am not sure I understand what to do. I do have a 000-default.conf file in my /etc/apache2/sites-available directory, is this the one I need to edit? Change DocumentRoot /var/www/html ? I think that will change the Document Root for all sites though. Do you mean a different way?
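
Added example, not part of any post in this thread: a small planner for the split described above, showing which hostnames a wildcard certificate for the network actually covers (one extra label only) and which must get their own certificate, and how many names a single shared certificate would need instead. The function names and the sample hostnames are constructed for illustration; the 100-name figure is the limit discussed in the thread.

```python
# Added example (not from the thread): decide which hostnames a wildcard
# certificate for the multisite network covers and which need their own cert.
MAX_NAMES_PER_CERT = 100  # per-certificate name limit discussed in the thread


def covered_by_wildcard(host, base):
    """True if *.base matches host: exactly one extra left-most label."""
    host, base = host.lower().rstrip("."), base.lower().rstrip(".")
    suffix = "." + base
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def plan_certificates(network, hostnames):
    """Split hostnames between the wildcard cert and individual certs."""
    network = network.lower().rstrip(".")
    covered, own_cert = [], []
    for host in sorted({h.lower().rstrip(".") for h in hostnames}):
        if host == network or covered_by_wildcard(host, network):
            covered.append(host)
        else:
            own_cert.append(host)
    # Names a single shared certificate would need instead (alias-domain style).
    single = len(set(covered) | set(own_cert) | {network})
    return {
        "wildcard_cert_names": [network, "*." + network],
        "covered": covered,
        "own_cert": own_cert,
        "single_cert_names": single,
        "single_cert_fits": single <= MAX_NAMES_PER_CERT,
    }


def sample_hosts():
    """Constructed sample data: 120 generated subdomains plus mapped domains."""
    hosts = ["site%d.mynetwork.tld" % i for i in range(120)]
    hosts += ["shop.site1.mynetwork.tld",      # two labels deep: not covered
              "mapped-example.tld", "www.mapped-example.tld"]
    return hosts


if __name__ == "__main__":
    plan = plan_certificates("mynetwork.tld", sample_hosts())
    print("covered by wildcard:", len(plan["covered"]))
    print("need their own cert:", plan["own_cert"])
    print("one shared cert would need", plan["single_cert_names"], "names;",
          "fits" if plan["single_cert_fits"] else "exceeds the limit")
```

The wildcard certificate has to list both `mynetwork.tld` and `*.mynetwork.tld`, because the wildcard name does not match the bare network domain.
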
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Login to ISPConfig, click on new website, enter this exact value into the domain field "000default.tld" and press save. That's all, no manual editing. The content that shall be shown to the domains gets uploaded to the website directory of this website as usual.
  7. cjsdfw

    cjsdfw Member

    Hi Till,
    I did just as indicated. Since I already had a non-ISPConfig hosted domain pointed to the web server IP, I went ahead and accessed it from a browser: I get the default unsecured page of my web server, so I am not sure what the above does. I would have gotten the same page without adding the "000default.tld" site in ISPConfig, I think.

    What I am trying to achieve by "Park Domain" is be able to create a new site in ISPConfig, request an individual site LE certificate for it and then point the new site's DocumentRoot to the network DocumentRoot location. This way the new site will have a LE certificate generated. Is this doable or do I have a misconception in what I am trying to do? I am no expert so it may not be doable.
    Thanks again.
  8. cjsdfw

    cjsdfw Member

    I just tried doing this and I get an ERROR -403 -Forbidden! You are not permitted to access the requested URL.
    So maybe I need to do something else besides changing the DocumentRoot?
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    My advice is don't add more domains to a vhost because I think if one fails then all will be doomed to fail.

    I think the best is to use alias domain with vhost option when creating the new domain website for your WPMU to solve your LE SSL problems as each site shall have their own vhost and certs.
  10. cjsdfw

    cjsdfw Member

    Hi ahrasis,
    What do you mean Alias Domain with vhost option?
    I spent all day yesterday playing with options but could not get any to work:
    • Alias domain in ISPConfig just creates a ServerAlias entry in the main domain conf file and adds the alias name to the LE cert. Hence I will run into the 100 limit.
    • Subdomain does not map a domain, just creates a new site as a subdomain of the original domain.
    • Domain, or new website, I was not able to create a forward rule and keep the original cert.
    I used to host my system in VOS with Cpanel and I used Addon domains to do it. I was able to create an independent SSL cert for the addon domain which was then forwarded to the main domain. I have read much as to how Cpanel handles Addon domains but can not figure how to duplicate in Apache/ISPConfig.
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    in ispconfig - system - main config are two options for create subdomain/aliasdomain as a web site, if you tick these, then on the sites tab you get more options, as well as 'subdomain for website' and 'aliasdomain for website' there'll also be 'subdomain (vhost)' and 'aliasdomain (vhost)', if you use these, you can create a site, within the parent site's folder structure, using the same or an alternative domain name, and its own root location, eg /web2 alongside web, /web using the same folder, or /web/domain2, using a subfolder on the main site.
    the main point for you though, is that these subdomains/aliasdomains have their own vhost configuration, and their own certificates.
    cjsdfw likes this.
  12. cjsdfw

    cjsdfw Member

    Thanks nhybgtvfr, I see the flags. I will check them out, looks like an encouraging option.
