Re: [Wikitech-l] [Ops] deployment-prep using valid certs for HTTPS

[Bryan Davis]

On Tue, Aug 2, 2016 at 3:51 AM, Alex Monk  wrote:
> Hi all,
>
> With some help from Brandon, I've changed deployment-prep to use Let's
> Encrypt instead of the self-signed cert I added last year (to get HTTPS
> working - albeit improperly-signed - instead of nothing, and nginx/puppet
> working on the Varnish instances again).
> It should now behave much more like production - TLS redirects are enabled
> in Varnish, and you shouldn't have to ignore cert warnings to use it now.
> Details for HTTPS in deployment-prep are spread out over various tickets,
> but the main one now is https://phabricator.wikimedia.org/T50501
> The puppetisation still needs some work, but it's cherry-picked on
> deployment-puppetmaster and seems to be working reliably.
>
> Pages with images may need to be null-edited to make MediaWiki generate
> HTTPS URLs for them so browsers don't block the images.
> Please let me know if you find any beta.wmflabs.org domains that aren't
> covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.

This is really cool and another recent example of Alex grinding out
the steps to close a long standing feature wish for the beta cluster.
Thanks!

Bryan
-- 
Bryan Davis  Wikimedia Foundation
[[m:User:BDavis_(WMF)]]  Sr Software EngineerBoise, ID USA
irc: bd808v:415.839.6885 x6855

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] [Ops] deployment-prep using valid certs for HTTPS

[Sam Smith]

Thank you for your work on this Alex and Brandon.

-Sam

On Tue, Aug 2, 2016 at 11:51 AM, Alex Monk  wrote:

> Hi all,
>
> With some help from Brandon, I've changed deployment-prep to use Let's
> Encrypt instead of the self-signed cert I added last year (to get HTTPS
> working - albeit improperly-signed - instead of nothing, and nginx/puppet
> working on the Varnish instances again).
> It should now behave much more like production - TLS redirects are enabled
> in Varnish, and you shouldn't have to ignore cert warnings to use it now.
> Details for HTTPS in deployment-prep are spread out over various tickets,
> but the main one now is https://phabricator.wikimedia.org/T50501
> The puppetisation still needs some work, but it's cherry-picked on
> deployment-puppetmaster and seems to be working reliably.
>
> Pages with images may need to be null-edited to make MediaWiki generate
> HTTPS URLs for them so browsers don't block the images.
> Please let me know if you find any beta.wmflabs.org domains that aren't
> covered by the cert or aren't redirecting HTTP to HTTPS in Varnish.
>
> --
> Alex Monk
>
> ___
> Ops mailing list
> o...@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/ops
>
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l