In order to enable TLS termination on the appservers, we need to configure tlsproxy to run on the appservers. Since we don't want to expose our own public TLS certs on the appservers, we need to be able to sign, for each of the backend clusters, a certificate similar to our unified one: it should carry the FQDN of the cluster (e.g. appservers.svc.eqiad.wmnet) as common name and all our domains and wildcards as SANs.
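As an added example (not code from this task or from the puppet repository), the following builds the OpenSSL v3 extension file for one backend cluster's certificate and checks that its SAN list actually covers the hostnames the cluster will serve; the domain list is a constructed sample standing in for the unified cert's real domains and wildcards.

```python
# Added example: per-cluster cert extension file plus a SAN coverage check.
# SAMPLE_DOMAINS is a constructed stand-in for the unified cert's domain list.
import re

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_dns_name(name):
    """Accept host names and RFC 6125 wildcards ('*' only as the leftmost label)."""
    labels = name.lower().split(".")
    if len(labels) < 2:
        return False
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return False
        elif not LABEL.match(label):
            return False
    return True


def san_covers(san_names, hostname):
    """Browser-style matching: a wildcard stands in for exactly one label, so
    '*.wikipedia.org' covers 'en.wikipedia.org' but not 'en.m.wikipedia.org'."""
    host = hostname.lower()
    for san in (s.lower() for s in san_names):
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".wikipedia.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def build_ext_config(cluster_fqdn, domains):
    """Return the contents of an 'openssl x509 -req -extfile' file. The cluster
    FQDN is the CN and is repeated in the SAN list, because clients ignore the
    CN whenever any SAN is present."""
    names = [cluster_fqdn] + [d for d in domains if d != cluster_fqdn]
    bad = [n for n in names if not valid_dns_name(n)]
    if bad:
        raise ValueError(f"invalid DNS names: {bad}")
    lines = ["[ v3_req ]", "basicConstraints = CA:FALSE",
             "keyUsage = digitalSignature, keyEncipherment",
             "extendedKeyUsage = serverAuth", "subjectAltName = @alt_names",
             "", "[ alt_names ]"]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(names, 1)]
    return "\n".join(lines) + "\n"


CLUSTER = "appservers.svc.eqiad.wmnet"
SAMPLE_DOMAINS = ["wikipedia.org", "*.wikipedia.org", "*.m.wikipedia.org"]  # constructed
```

Write `build_ext_config(CLUSTER, SAMPLE_DOMAINS)` to a file and pass it via `-extfile` when signing the cluster CSR with the internal CA; `san_covers` is the check to run over every hostname the cluster must answer for before deploying.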
Related Gerrit patches (all in operations/puppet, branch production):
- mediawiki: add https endpoints for all web clusters in codfw
- role::mediawiki::webserver: add hack to allow installing nginx
- ssl: add public TLS certs for mw clusters
- puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert