How to Install Free SSL Certificates on a WordPress Multisite with Multiple Domains

Categories
Tags
A WordPress Multisite is a fantastic way to manage multiple websites, using the world’s favourite content management system (CMS). However, having one root directory for all of your sites can cause a few headaches when trying to install SSL certificates for each domain on your multisite setup. This article aims to help you do just that.

Background

Originally, I had free SSL certificates setup for the multiple sites across my WordPress Multisite, which was setup by my hosting provider’s support team at Tsohost. They’ve since migrated me to one of their new cPanel plans and when I asked about the free LetsEncrypt SSL setup that I’d lost due to the migration, they told me that the new plan does “not have integrated AutoSSL/Let’s Encrypt”. When I asked if the LetsEncrypt plugin could be added to my control panel they said “we can not provide any guidelines on installing a third party SSL” and that “the DNS Zone at the cPanel (zone editor tool) can not be used so far”. They also tried to sell me numerous pay-for alternatives and increased the cost of my hosting by around £30 a year. Long term I could move to a new hosting provider that does offer this, but short term, I needed a quick fix.

This guide assumes that your WordPress Multisite is already setup, that the sites in question are already up and running (so just require an SSL certificate), and you’re using cPanel (the most popular web hosting control panel).

If you’re using sub domain addressing (e.g. dragoncode.co.uk and newsite.dragoncode.co.uk), you’ll only need the one SSL certificate, installed for that one domain (dragoncode.co.uk). If using multiple domains for multiple sites, you’ll need a certificate per domain (e.g. dragoncode.co.uk and pointandshooter.co.uk).

Steps

  1. Add Domain in cPanel
  2. Email Account for Validation
  3. Generate a Free SSL Certificate
  4. Install Certificate
  5. Handle Mixed Content Issues

  1. Add Domain in cPanel

    If not already done, create a domain for your child site in cPanel using ‘Addon Domain’ (under Domains). These should all point to the same document root (with dragoncode.co.uk being the parent site in this example), similar to below, but changing the details to match your sites/setup:

    New Domain Name
    managerdiary.co.uk

    Subdomain
    addon-managerdiary-co-uk

    Document Root
    additional_domains/dragoncode.co.uk/public_html

    Each addon domain creates a separate virtual host. To serve SSL encrypted content, cPanel creates a new virtual host that mirrors the non SSL virtual host. This new virtual host adds the necessary configuration parameters for your SSL certificates.

  2. Email Account for Validation

    Make sure you have an email account setup for the domain name (e.g. admin@managerdiary.co.uk for this example). This could be a simple forwarder. You’ll need to be able to access the emails from this account in the next step. The email address must be on this domain to pass the validation process of your certificate.

  3. Generate a Free SSL Certificate

    Go to the SSL For Free website and click ‘new certificate’. Type in your new domain name and click ‘next step’ (an alternative is the Free SSL Certificate Generator by PunchSalad or SslForWeb – free but requires and account):

    Choose ’90 day certificate’ and click ‘next step’:

    You’ll be asked if you want to auto-generate contact information and a CSR for your certificate – leave this enabled and click ‘next step’.

    Double check that ‘free’ is selected from the options and again, click ‘next step’.

    Next, you’ll be asked to provide an email address to validate the certificate. Enter the one you created in the previous step and continue. Follow the instructions in the email to validate the certificate.

    Once validated, download the zip file containing your certificate files.

  4. Install Certificate

    In cPanel, go to ‘SSL/TLS’ under ‘security’ and click ‘manage SSL sites’.

    Scroll down to the options shown below and choose your domain, then open your certificate files in your favourite text editor (e.g. Notepad ++) and paste their contents in to the appropriate fields, then click ‘install certificate’.

    If successful, you’ll now have an active SSL certificate for the next 90 days. Repeat this process just before the 90 days are up to ensure SSL encryption remains active on your site.

  5. Handle Mixed Content Issues

    In WordPress, install and activate the Really Simple SSL plugin (you can either network activate this or activate it individually per site as you add SSL). In the settings make sure ‘mixed content fixer’ is toggled on. This will ensure that any http links are redirected to https.

    In Network Admin > Sites in the backend of your WordPress Multisite, ensure the site in question is using https for its site address. Amend if not.

    E.g. https://managerdiary.co.uk/

Next Steps

The method above is aimed at novices/beginners, which requires you to manually renew certificates as and when needed. To make this process more efficient, we’d want the SSL certificate process to become more automated; with the certificates auto-renewing by themselves. I’ll aim to add these steps in a future post.

If you found this useful, have suggestions on how it could be improved or extended for auto-renewals, or simply want to offer some helpful additional thoughts, please do feel free to add these in the comments below.

Comments

Whether you have feedback, a question, want to share your opinion, or simply want to say thank you - we welcome comments! Please read the disclaimer.

Disclaimer and Legal Information

The use of any content found on or via this website (code, how to guides etc.) is done so at your own risk. We take no responsibility for any issues encountered.

This blog and its authors will not be held responsible for any misuse, reuse, recycled and cited/uncited copies of content from this website by others.

The views and opinions expressed in this blog are those of the author(s) and do not necessarily reflect the position or opinion of any other agency, organisation, employer or company.

Comments are moderated but we do not take any responsibility for any libel or litigation that results from something written in a comment. We reserve the right to reject or delete any comment for any reason whatsoever (abusive, profane, rude etc). Please keep your comments polite and relevant.

We are happy for you to quote and share our content in any reasonable manner, e.g. post links to our blogs on social media, but not in any way that suggests that we, or our authors, endorse you, your use or your views. Nothing negative please.

We appreciate attributions, e.g. a link to our website (www.dragoncode.co.uk).

Thank you – we hope you find the website useful.