[QA] [Ops] deployment-prep using valid certs for HTTPS

Greg Grossmeier greg at wikimedia.org
Tue Aug 2 16:23:21 UTC 2016


<quote name="Bryan Davis" date="2016-08-02" time="09:16:33 -0700">
> On Tue, Aug 2, 2016 at 3:51 AM, Alex Monk <alex at wikimedia.org> wrote:
> > Hi all,
> >
> > With some help from Brandon, I've changed deployment-prep to use Let's
> > Encrypt instead of the self-signed cert I added last year (to get HTTPS
> > working - albeit improperly-signed - instead of nothing, and nginx/puppet
> > working on the Varnish instances again).
> > It should now behave much more like production - TLS redirects are enabled
> > in Varnish, and you shouldn't have to ignore cert warnings to use it now.
> > Details for HTTPS in deployment-prep are spread out over various tickets,
> > but the main one now is https://phabricator.wikimedia.org/T50501
> > The puppetisation still needs some work, but it's cherry-picked on
> > deployment-puppetmaster and seems to be working reliably.
> >
> > Pages with images may need to be null-edited to make MediaWiki generate
> > HTTPS URLs for them so browsers don't block the images.
> > Please let me know if you find any beta.wmflabs.org domains that aren't
> > covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.
> 
> This is really cool and another recent example of Alex grinding out
> the steps to close a long standing feature wish for the beta cluster.
> Thanks!

+1, thanks Krenair

-- 
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |



More information about the QA mailing list