Hi all,
With some help from Brandon, I've changed deployment-prep to use Let's Encrypt instead of the self-signed cert I added last year (to get HTTPS working - albeit improperly-signed - instead of nothing, and nginx/puppet working on the Varnish instances again). It should now behave much more like production - TLS redirects are enabled in Varnish, and you shouldn't have to ignore cert warnings to use it now. Details for HTTPS in deployment-prep are spread out over various tickets, but the main one now is https://phabricator.wikimedia.org/T50501. The puppetisation still needs some work, but it's cherry-picked on deployment-puppetmaster and seems to be working reliably.
Pages with images may need to be null-edited to make MediaWiki generate HTTPS URLs for them so browsers don't block the images. Please let me know if you find any beta.wmflabs.org domains that aren't covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.
Thank you for your work on this, Alex and Brandon.
-Sam
On Tue, Aug 2, 2016 at 11:51 AM, Alex Monk alex@wikimedia.org wrote:
Hi all,
With some help from Brandon, I've changed deployment-prep to use Let's Encrypt instead of the self-signed cert I added last year (to get HTTPS working - albeit improperly-signed - instead of nothing, and nginx/puppet working on the Varnish instances again). It should now behave much more like production - TLS redirects are enabled in Varnish, and you shouldn't have to ignore cert warnings to use it now. Details for HTTPS in deployment-prep are spread out over various tickets, but the main one now is https://phabricator.wikimedia.org/T50501. The puppetisation still needs some work, but it's cherry-picked on deployment-puppetmaster and seems to be working reliably.
Pages with images may need to be null-edited to make MediaWiki generate HTTPS URLs for them so browsers don't block the images. Please let me know if you find any beta.wmflabs.org domains that aren't covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.
-- Alex Monk
Ops mailing list Ops@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/ops
This is really cool and another recent example of Alex grinding out the steps to close a long-standing feature wish for the beta cluster. Thanks!
Bryan
On 2016-08-02 at 09:16:33 -0700, Bryan Davis wrote:
This is really cool and another recent example of Alex grinding out the steps to close a long-standing feature wish for the beta cluster. Thanks!
+1, thanks Krenair
wikitech-l@lists.wikimedia.org
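The two things the announcement asks readers to report (hostnames the certificate does not cover, and hostnames that do not redirect HTTP to HTTPS) can be checked mechanically. The following is an added example, not part of the original thread or of the deployment-prep puppet code; the function names are hypothetical, and the SAN list, hostnames and responses are constructed sample data, not the real certificate or Varnish output.

```python
from urllib.parse import urlsplit

def san_covers(san: str, host: str) -> bool:
    """True if one certificate dNSName entry covers host."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one leftmost label, never several.
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]

def uncovered(hosts, sans):
    """Hostnames that no SAN entry covers."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]

def redirects_to_https(host: str, status: int, location: str) -> bool:
    """True if a plain-HTTP response sends the client to HTTPS on the same host."""
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()

def audit(hosts, sans, responses):
    """Return (hosts missing from the cert, hosts not redirecting to HTTPS)."""
    no_redirect = [h for h in hosts if not redirects_to_https(h, *responses[h])]
    return uncovered(hosts, sans), no_redirect

# Constructed sample data (assumption): SAN entries as they would be read
# from a certificate, and (status, Location) pairs from plain-HTTP requests.
SANS = ["*.wikipedia.beta.wmflabs.org", "*.wikimedia.beta.wmflabs.org"]
RESPONSES = {
    "en.wikipedia.beta.wmflabs.org": (301, "https://en.wikipedia.beta.wmflabs.org/"),
    # Two labels left of the wildcard base: not covered by *.wikipedia...
    "en.m.wikipedia.beta.wmflabs.org": (301, "https://en.m.wikipedia.beta.wmflabs.org/"),
    # Served directly over HTTP, no redirect at all.
    "commons.wikimedia.beta.wmflabs.org": (200, ""),
    # Redirects, but the target is still plain HTTP.
    "login.wikimedia.beta.wmflabs.org": (301, "http://login.wikimedia.beta.wmflabs.org/"),
}
HOSTS = list(RESPONSES)

if __name__ == "__main__":
    missing, no_redirect = audit(HOSTS, SANS, RESPONSES)
    print("not covered by cert:", missing)
    print("no HTTP->HTTPS redirect:", no_redirect)
```

The sample data exercises three failure modes: a multi-label subdomain that a single wildcard does not match, a host that answers over HTTP without redirecting, and a redirect whose target is still HTTP.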