<div dir="ltr">Hi all,<div><br></div><div>With some help from Brandon, I've changed deployment-prep to use Let's Encrypt instead of the self-signed cert I added last year (to get HTTPS working - albeit improperly-signed - instead of nothing, and nginx/puppet working on the Varnish instances again).</div><div>It should now behave much more like production - TLS redirects are enabled in Varnish, and you shouldn't have to ignore cert warnings to use it now.</div><div>Details for HTTPS in deployment-prep are spread out over various tickets, but the main one now is <a href="https://phabricator.wikimedia.org/T50501">https://phabricator.wikimedia.org/T50501</a></div><div>The puppetisation still needs some work, but it's cherry-picked on deployment-puppetmaster and seems to be working reliably.</div><div><br></div><div>Pages with images may need to be null-edited to make MediaWiki generate HTTPS URLs for them so browsers don't block the images.</div><div>Please let me know if you find any <a href="http://beta.wmflabs.org">beta.wmflabs.org</a> domains that aren't covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.</div><div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Alex Monk</div></div></div>
</div></div>