https://commons-query.wikimedia.org somehow redirects to the appserver cluster for a rewrite rule but ALSO exists as a virtual host on miscweb machines.
But it has not been added to the TLS certs used by envoy on miscweb* machines. So apparently something speaks to it unencrypted on port 80!
So you have a virtual host, but if you ask the machines for it over TLS you get a certificate error that this is not on the cert.
Since we put effort into making everything else use TLS from the caching servers and terminate with envoy, and because this causes monitoring alerts or workarounds, we should get this cleaned up.
Also we should probably drop access to port 80 from external completely to prevent this from happening with new sites and so that we can rely on TLS being used for everything.
Needs coordination with maintainers of the service of course.
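
One way to catch this class of mismatch before it turns into a monitoring alert is to compare the virtual host names configured on a machine against the names on the certificate it serves. The script below is an added example, not part of the original task or of any Wikimedia tooling; the host names and SAN text are constructed samples, and the SAN text is assumed to be in the form printed by `openssl x509 -noout -ext subjectAltName`.

```python
import re

def parse_sans(openssl_text):
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_covers(san, host):
    """True if a certificate SAN entry covers the host name.

    A leading '*' label matches exactly one label, so '*.tools.example.org'
    covers 'api.tools.example.org' but neither 'a.b.tools.example.org'
    nor the bare 'tools.example.org'.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def uncovered_vhosts(vhosts, sans):
    """Return the virtual hosts that no SAN entry covers, sorted by name."""
    return sorted(v for v in vhosts if not any(san_covers(s, v) for s in sans))

# Constructed sample: SAN extension text as openssl would print it.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:static.example.org, DNS:*.tools.example.org, DNS:bugs.example.org
"""

# Constructed sample: names taken from the web server's virtual host config.
SAMPLE_VHOSTS = [
    "static.example.org",
    "bugs.example.org",
    "api.tools.example.org",
    "a.b.tools.example.org",      # two labels under the wildcard: not covered
    "commons-query.example.org",  # vhost exists, name missing from the cert
]

if __name__ == "__main__":
    for name in uncovered_vhosts(SAMPLE_VHOSTS, parse_sans(SAMPLE_SAN_OUTPUT)):
        print(f"vhost not on certificate: {name}")
```

Run as a CI or monitoring check, a non-empty result means a site would be reachable only over plain HTTP or with a certificate error, which is the situation described above.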