The answer, in short:
The question: Could I use WP Engine’s free Let’s Encrypt SSL on the CDN using a custom domain if the CDN is provided by WP Engine?
The answer: Nope, because even though WP Engine provides a CDN, the CDN is actually offered and maintained by a third-party provider, which means it's not in their ecosystem and, therefore, they can't / won't provide an SSL unless you go with their longer internal CDN link (which, for SEO reasons, is a bad idea to use). In fact, neither Let's Encrypt nor RapidSSL certificates are available for custom CDN domains.
Well, shit. A wildcard SSL seems like overkill on three- and four-domain environments, but so it goes.
Looks like I'm going to SSLs.com to get one of the discounted Comodo wildcard SSLs at a discount over three years and manually install the third-party certificate.
The process I took to get there:
My sites are sorely overdue for SSLs. WP Engine offers a free SSL called "Let's Encrypt" and a pay-level one from RapidSSL that offers a higher level of protection. Since the sites don't do ecommerce, I was hoping Let's Encrypt could be used on the domains and their CDNs. That would save quite a bit of coin per year.
While WP Engine has a nice upload page that automatically does the Let's Encrypt & RapidSSL installation, upon reading their instructions I became confused as to whether or not the free Let's Encrypt SSL covered the CDN link. On their SSL instruction upload page, they say the following regarding both the Let's Encrypt SSL & RapidSSL:
“Does not work for custom CDN domains.”
Did this mean I was going to have to go with a wildcard SSL for me and for those small business clients who have the CDN? Or did it?
I know, I know: “What? Not all your sites are on CDNs?”
I know. Shut up. Sometimes, there's only so much you can do with the budget provided. You get forced to make decisions that, while they don't let a client outrun the bear, give them a chance to outrun their competition.
I was hoping the custom CDN domains restriction referred to using a third-party CDN provider (aka CloudFront or Jetpack or …) instead of the one WP Engine offers. In theory, if a provider provides a CDN, they should be able to do a multi-domain SSL or offer more than one certificate and be okay, provided the CDN links don't throw warning flags.
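The practical question underneath all of this is which hostnames a given certificate actually covers. The Python below is an added example, not code from this post or from WP Engine: it applies the wildcard-matching rules browsers use (RFC 6125, section 6.4.3) to the hostnames named in this post, against constructed certificate name lists (no real certificates are involved). It also checks the naked domain, natfinn.com, which a bare *.natfinn.com wildcard does not cover by itself; whether a purchased wildcard adds the base domain as an extra Subject Alternative Name is an assumption to verify on the certificate you actually receive.

```python
"""Report which hostnames a certificate's name list would cover.

Wildcard handling follows RFC 6125 section 6.4.3, which is what browsers
enforce: '*' is honoured only as the entire left-most label and it matches
exactly one label. So '*.natfinn.com' covers 'www.natfinn.com' but not
'natfinn.com' (too few labels) or 'a.b.natfinn.com' (too many).
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain single-name entry: exact match only
    labels = pattern.split(".")
    # Reject partial wildcards ('w*.example.com'), wildcards in later labels,
    # and wildcards that would cover a whole TLD ('*.com').
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels):
        return False  # the wildcard stands in for exactly one label
    return host_labels[1:] == labels[1:]


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name that covers it, or None."""
    return {
        host: next((name for name in cert_names if hostname_matches(name, host)), None)
        for host in hostnames
    }


def uncovered(cert_names, hostnames):
    """Hostnames that would raise a name-mismatch warning with this certificate."""
    return [host for host, name in coverage(cert_names, hostnames).items() if name is None]


# Hostnames taken from the post: the naked domain that redirects to www,
# the two multisite subdomains, and the custom CDN hostname.
SITE_HOSTS = [
    "natfinn.com",
    "www.natfinn.com",
    "workwith.natfinn.com",
    "tuner.natfinn.com",
]

# Constructed candidate certificate name lists (assumptions for illustration,
# not real certificates):
WILDCARD_ONLY = ["*.natfinn.com"]
WILDCARD_WITH_APEX = ["natfinn.com", "*.natfinn.com"]  # assumes the vendor adds the base domain as a SAN
THREE_SINGLE = ["natfinn.com", "workwith.natfinn.com", "tuner.natfinn.com"]  # three single-name certs

if __name__ == "__main__":
    for label, names in [
        ("wildcard only", WILDCARD_ONLY),
        ("wildcard + apex", WILDCARD_WITH_APEX),
        ("three single-name", THREE_SINGLE),
    ]:
        print(f"{label:18s} uncovered: {uncovered(names, SITE_HOSTS)}")
```

Run stand-alone, this prints that a wildcard alone leaves natfinn.com uncovered (the https redirect from the naked domain would warn), the wildcard plus apex covers everything, and a three-single-name list without www.natfinn.com leaves the main site uncovered. The same matcher can be pointed at the SAN list of a real certificate once you have it.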
The conversation I had with WP Engine 24/7 support
Note: I added slight edits to preserve the tech's anonymity (not that he needed it. He was awesome. I just didn't ask permission to use his name) and to clean up the inevitable grammar and spelling errors that happen in chat:
[WP Engine:] Support Agent.
[WP Engine:] You are now connected with a WP Engine technician.
Hey, thank you for contacting Engine support!
[Me:] Hi. I have SSL questions before I make a decision:
Setup: I have a WordPress multisite running two subdomains (www.natfinn.com, workwith.natfinn.com), and a CDN that works for both (tuner.natfinn.com).
The naked domain, natfinn.com, redirects to www.natfinn.com.
Domain provider: Google Domains.
I do NOT do any ecommerce at this time.
Question #1: Can I set up 3 Let's Encrypt SSLs for the site, or do I need to go with a wildcard SSL?
Question #2: If I get to go with the Let's Encrypt SSLs, will there be any security warnings thrown when assets load from the CDN location?
[WP Engine:] You can use Let's Encrypt for any domain hosted with us that is pointed to us. You cannot use it for the CDN URL tuner.natfinn.com. It will need its own SSL, either [RapidSSL] from us or any other 3[rd] party SSL provider. The CDN location can be encrypted as well so it does not give security warnings, but it needs an SSL that is not Let's Encrypt.
If you get a wildcard SSL that will secure all subdomains as well.
[Me:] CDN: even if the CDN is hosted by WP Engine?
[WP Engine:] If you use the default CDN URL it has its own SSL to encrypt with. If you use a custom CDN URL you will need an SSL purchased for it so we can install it on our CDN provider's side.
[Me:] Okay. Yeah, that was my confusion. The site kept saying, "custom CDN," but didn't specify if "custom" meant "hosted by someone not WP Engine" or if "custom" included a custom URL. So even though y'all host the CDN, I still can't use the Let's Encrypt option?
because it’s a custom [CDN URL].
[WP Engine:] Correct, Let's Encrypt will not work for a custom CDN URL tuner.natfinn.com because the domain is not pointed to us and it will unencrypt soon.
[Me:] If I didn’t point that CDN to WP Engine, and yet WP Engine hosts it, where did I point it to?
[WP Engine:] For a custom CDN URL it will be pointed to our CDN provider's CDN URL, the default one that you would normally use.
[Me:] so the CDN is third party[.]
[WP Engine:] 3rd party provider[,] yes, the same with the SSLs we provide. We as a company set up and provide a platform service that links together with 3rd party providers.
[Me:] okay. That’s all I needed to know. Thank you!
[WP Engine:] Glad to help, you take care and have a good one.
Mr. Smith says
If you're not allowed to use a free certificate on your custom domain and if you have a limited number of domains/sub-domains to secure, e.g. natfinn.com, workwith.natfinn.com and tuner.natfinn.com, you would do better to go with three single-domain certificates. But if you have any plan to add more sub-domains in future, then you can definitely go with a wildcard certificate.
Typically, I would. But in the case of WP Engine, neither of their single-domain SSL offerings, the free (Let's Encrypt) or the paid (RapidSSL), works on the custom domain CDNs: "Does not work for custom CDN domains." It's a WP Engine thing, I'm told, because of how their third-party CDN is configured.
So, in the realm of the WP Engine environment, I'm stuck with using their internal CDN links, which would then tell search engines that the guts of my site are sitting on a different domain, or I have to go with the wildcard.