This issue has been biting us a lot recently (where "this issue" == "people's browsers requesting https: beta address and it failing"). Let's fix this finally.
(feel free to edit this description with clarifications/additions)
- buy real certs (T50501 and https://rt.wikimedia.org/Ticket/Display.html?id=6116)
  - Still needs cost approval, @greg can work on that
  - glorious future of letsencrypt.org would reduce this cost to $0, but we shouldn't wait on that ("Arriving Summer 2015")
- make new labs project, restrict access a lot
  - just ssl terminate there, proxy back to regular deployment-prep setup
This gets us:
- The ability to set the config like prod (https by default for login etc.)
- No self-signed certs!
- No breaking browser tests (though that's fixable)
- No annoying users with cryptic warnings
- Members of the Beta Cluster project can have sudo without access to the private certs (see T71269)