Ok assuming you have the following stack of providers:

1. Namecheap for registration of your domain name of new.com
2. Digital Ocean for running your droplet with the WordPress installation at host.com
3. Digital Ocean for the DNS service for new.com and for www.new.com. Go to the control panel, go to Network/Manage, and make the A record point to the static IP of host.com. Then create a CNAME for www.host.com that points to host.com by creating a CNAME that points www to @.

Then this is how you configure things to work with SSL and everything else loaded:

1. Go to Namecheap and point new.com DNS to ns1.digitalocean.com and ns2.digitalocean.com
2. At Digital Ocean, find the Network section and add the domain new.com and make the A record point to the droplet running host.com
3. Now in host.com/wp-admin, you need to add a New Site and give it the URL https://new.com; this will configure the web server properly.
4. At this point you should have non-SSL access to your site, and you should be able to browse to http://new.com and see something.

What to do next is pretty unintuitive. You need SSH access to the droplet, so run `ssh root@host.com` and then do the following:

1. First you need a configuration file for it. In Apache speak this is called adding a virtual host. These files live in /etc/apache2/sites-available, and there should be a prototype there. It's pretty obvious what to do, but basically the file looks like the one below. Replace new.com with the name of your site and save it under a name like 00n-new.com.conf. It declares two names for the site, new.com and www.new.com, and the rewrite rules ensure you get the proper name no matter how the requests come in.

```apache
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>

    ServerName new.com
    ServerAlias www.new.com

    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Redirect plain-HTTP requests for either name to the same URL over HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =new.com [OR]
    RewriteCond %{SERVER_NAME} =www.new.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Then you need to enable this configuration with the command `a2ensite 00n-new.com.conf`, which turns it all on, and then restart Apache with `systemctl reload apache2`.
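A check worth running on the vhost file at this step, as an added example that is not part of the original post: the hypothetical `audit_vhost` helper confirms the file still carries `UseCanonicalName On`, both host names and the redirect to HTTPS, ignoring commented-out directives. The two sample files are constructed.

```sh
#!/bin/sh
# Added example: audit_vhost is a hypothetical helper, not an Apache or certbot tool.
# audit_vhost FILE DOMAIN prints one line per missing setting; returns 0 if none.
audit_vhost() (
    conf=$1 domain=$2 rc=0
    # Succeed if an uncommented line sets directive $1 to value $2
    # (compared case-insensitively, as Apache does for directive names).
    directive() {
        awk -v n="$1" -v v="$2" '
            $1 !~ /^#/ && tolower($1) == tolower(n) {
                for (i = 2; i <= NF; i++) if (tolower($i) == tolower(v)) found = 1
            }
            END { exit !found }' "$conf"
    }
    # UseCanonicalName On makes SERVER_NAME come from ServerName instead of the
    # client-supplied Host header (the page's CVE-2017-8295 mitigation).
    directive UseCanonicalName On       || { echo "MISSING UseCanonicalName On"; rc=1; }
    directive ServerName "$domain"      || { echo "MISSING ServerName $domain"; rc=1; }
    directive ServerAlias "www.$domain" || { echo "MISSING ServerAlias www.$domain"; rc=1; }
    # The port-80 vhost must redirect to an https:// target.
    awk '$1 !~ /^#/ && tolower($1) == "rewriterule" && $3 ~ /^https:\/\// { f = 1 }
         END { exit !f }' "$conf" || { echo "MISSING RewriteRule to https://"; rc=1; }
    exit "$rc"
)

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
UseCanonicalName On
<VirtualHost *:80>
ServerName new.com
ServerAlias www.new.com
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
# Same file with the mitigation commented out and the www alias dropped.
sed -e 's/^UseCanonicalName/#UseCanonicalName/' -e '/^ServerAlias/d' \
    "$tmp/good.conf" > "$tmp/bad.conf"

audit_vhost "$tmp/good.conf" new.com && echo "good.conf: ok"
audit_vhost "$tmp/bad.conf" new.com || echo "bad.conf: fix the lines above"
```

On the droplet, point it at /etc/apache2/sites-available/00n-new.com.conf, and run `apache2ctl configtest` before the reload so a syntax error does not take the other sites down.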

Finally, you want to save all these files in a GitHub repo somewhere for the day when you lose your configuration.

Now the next step is to get the SSL certificates and create the correct SSL configurations automagically:

1. certbot is the tool that connects to Let's Encrypt. It will detect that you have this site; if there are multiple names, it will ask you about both new.com and www.new.com. If you did the work above correctly, new.com and www.new.com should appear automatically in the list. If you just hit Enter, it will check everything and add the certificates it doesn't find, which is great. It is also smart: if you have an existing certificate for your site, it will "expand" the names recognized as needed.
2. It will ask you if you want to always use SSL, which you do. Make sure to say YES to redirecting insecure HTTP to HTTPS.

Once this is done, it automatically gives you a free SSL certificate and will renew that certificate every month or so.

## WordPress Configuration

Now that you have this set up, you need to go to the Multisite WordPress Installation and create a subsite:

1. Go to the network administrator for the "main site" so for instance if it is at host.com, go to https://host.com/wp-admin. Then you want to choose My Sites > Network of Sites > Admin > Add New Site.
2. The confusing thing is that it will force you to create a subdomain of the main site, so you need to make sure this is a unique name like new-com.host.com. Once you have added it, go back to Edit site and change the name to https://new.com, and because of the virtual host stuff, it all just works.
3. Make sure to use the https prefix, as the default is http, so you get the SSL security.
4. Now add users. Because this is a multisite, you can add "global" users from the main site, or each site can have its own unique users. There will be a default admin account created, and for my own personal sites, I like to leave my own super admin account.
5. Finally, you can go to https://new.com/wp-admin and start the setup of your new domain!
6. You have the choice of a bunch of default themes, but if you have a Personal or Business theme, try Astra for instance.

Once this is done, you need to get the basic WordPress running:

1. Connect with Jetpack to WordPress and turn on the anti-spam.
2. Do a quick edit on your site to make it look decent and you are done for now! Walking through the checklist means making sure you have the basics of anti-spam and other configuration loaded.
3. If you are using Astra, you need to go to the section called Appearance > Starter Templates and pick a nice one. Sierra Industry is a good example of one for a company. Or Entrepreneur if this is a personal site. It imports a complete site with graphics, so it's really easy to just make changes and you look professional 🙂

## Gsuite Configuration

Now the next step is getting mail working. Assuming that you are using gsuite, this is pretty simple:

1. The big trick is that you go to gsuite.com and make sure you choose to add an “Add-on” domain and not a domain alias. A domain alias is for those cases where you change the name of your company and you want everyone to go from rich@old.com to rich@new.com.
2. In this case, you just want to add a few names and control them, so an add-on is appropriate. The next step is to verify that you control the domain. Some providers have direct OAuth, but if not, the easiest way is to add a new TXT record with a GUID that Google will give you.
3. Then you have to wait up to seven days for the record to propagate. This has been as fast as five minutes and as long as 12 hours for me.
4. Once this is done, you can go back to Digital Ocean and choose to add an MX record; there is actually a button to add Google MX records because it is so common.
5. At this point you are routing mail too, but it will take time for the records to propagate. Use https://Mxlookup.com to see when this happens.

Borking WordPress.com is one problem. I did this when I skipped the certbot step, and then wordpress.com is completely confused. To fix this:

1. Deactivate Jetpack at the network level and uninstall it.
2. Reinstall at the network level and enable all network-level things.