Support » Networking WordPress » SSL and multisite subdomains

  • I am setting up a multisite (network) using subdomains. I own an SSL certificate that is valid for a single site. I really just want my SSL to be valid for login (although admin might be nice). I have played around with Administration Over SSL. When I try to log in at example.com, I’m redirected to https://example.com/wp-login.php. This is good. However when I try to log in from subdomain.example.com, I am redirected to https://subdomain.example.com/wp-login.php. Is there any way for me to have WP only log me in/out at https://example.com/wp-login.php regardless of where I’m starting from. I don’t want to have to purchase a wildcard SSL certificate just to be able to log in and out. However the login/logout links seem subdomain dependent. Is there any way to fix this? Or is there any other way to enable single-domain SSL on a subdomain-type WP multisite installation?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    That’s kind of how basic SSL certs work, I’m afraid :/

    There are ways around it, but you’ll have to study up on SSL. It’s a problem outside of WP, as I have it on other accounts too.

    I guess that’s kind of my question. I think I would like to force everyone to log in at https://example.com/wp-login.php (regardless of what subdomain they’re starting from) and not have WP send them to https://subdomain.example.com/wp-login.php. Every user can log in at any wp-login.php screen on the site, so I don’t quite see the point of having WP specify the subdomain in the URL. I feel like this is probably possible using mod_rewrite or possibly a simple plug-in, but I haven’t been able to find anything.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    You can’t do that quite how you’re thinking. I mean, you can do an .htaccess redirect for it, but that won’t solve the problem, since the admin sections for each site are per subdomain.

    If you did subfolders instead of subdomains, you’d be fine, but servers treat subdomains as separate domains, basically :/ at least on a security level

    Wouldn’t it work for the login screen itself though? Although admin pages over SSL would be nice, I’m really only concerned about logging in (i.e. FORCE_SSL_LOGIN not FORCE_SSL_ADMIN). And I can log in at https://example.com/wp-login.php with my subdomain user’s credentials. After that, WP can push the user to non-SSL admin pages under any subdomain it wants, and I don’t really care too much.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    Then you can try it. It may work. But yes, if you login at the main domain, you will be logged in for ALL subdomains, so try redirecting the WP-login page via .htaccess.

    For anyone who finds this in the future, I finally did get it set up. It looks like if you define FORCE_SSL_LOGIN in wp-config.php it will work, even on a multisite (network). Although you are prompted to log in and out at http://subdomain.example.com/wp-login.php, if you view the source the login form is submitted to https://example.com/wp-login.php via SSL connection. There is no need for htaccess redirects and all that. WordPress does it all perfectly behind the scenes. Thanks WP. It’ll teach me to think twice about trying to solve a problem before I know I have one 🙂

    And also, FORCE_SSL_ADMIN would be nice, but I don’t want to pay that much for a Wildcard Subdomain SSL certificate. I never did try doing htaccess redirects for it, but I don’t think it would work. If you enable FORCE_SSL_ADMIN with a single-site SSL certificate, you’ll get SSL errors when viewing https://subdomain.example.com/wp-admin/

    Right… took me a day to figure it out, too – If you’re using a subdomain install, the respective dashboards for all of the WP sites are being served by the one instance of WP. The other subdomains (i.e. https://sub1.main.com/wp-admin) will also work – BUT your browser will first complain that the cert is for the wrong site. I just made an exception so that my browser will save that exception and continue on… Of course this is not very elegant if you’re a WP hoster, but if it’s just for your own sites, it works just fine. I’m running an instance like how I’ve mentioned.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘SSL and multisite subdomains’ is closed to new replies.