Re: [Wikitech-l] [Ops] deployment-prep using valid certs for HTTPS
On Tue, Aug 2, 2016 at 3:51 AM, Alex Monkwrote: > Hi all, > > With some help from Brandon, I've changed deployment-prep to use Let's > Encrypt instead of the self-signed cert I added last year (to get HTTPS > working - albeit improperly-signed - instead of nothing, and nginx/puppet > working on the Varnish instances again). > It should now behave much more like production - TLS redirects are enabled > in Varnish, and you shouldn't have to ignore cert warnings to use it now. > Details for HTTPS in deployment-prep are spread out over various tickets, > but the main one now is https://phabricator.wikimedia.org/T50501 > The puppetisation still needs some work, but it's cherry-picked on > deployment-puppetmaster and seems to be working reliably. > > Pages with images may need to be null-edited to make MediaWiki generate > HTTPS URLs for them so browsers don't block the images. > Please let me know if you find any beta.wmflabs.org domains that aren't > covered by the cert or aren't redirecting HTTP to HTTPS in Varnish. This is really cool and another recent example of Alex grinding out the steps to close a long standing feature wish for the beta cluster. Thanks! Bryan -- Bryan Davis Wikimedia Foundation [[m:User:BDavis_(WMF)]] Sr Software EngineerBoise, ID USA irc: bd808v:415.839.6885 x6855 ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] [Ops] deployment-prep using valid certs for HTTPS
Thank you for your work on this Alex and Brandon. -Sam On Tue, Aug 2, 2016 at 11:51 AM, Alex Monkwrote: > Hi all, > > With some help from Brandon, I've changed deployment-prep to use Let's > Encrypt instead of the self-signed cert I added last year (to get HTTPS > working - albeit improperly-signed - instead of nothing, and nginx/puppet > working on the Varnish instances again). > It should now behave much more like production - TLS redirects are enabled > in Varnish, and you shouldn't have to ignore cert warnings to use it now. > Details for HTTPS in deployment-prep are spread out over various tickets, > but the main one now is https://phabricator.wikimedia.org/T50501 > The puppetisation still needs some work, but it's cherry-picked on > deployment-puppetmaster and seems to be working reliably. > > Pages with images may need to be null-edited to make MediaWiki generate > HTTPS URLs for them so browsers don't block the images. > Please let me know if you find any beta.wmflabs.org domains that aren't > covered by the cert or aren't redirecting HTTP to HTTPS in Varnish. > > -- > Alex Monk > > ___ > Ops mailing list > o...@lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/ops > > ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l