
Have HTTPS on all the subdomains of tails.boum.org

To be on Firefox’s HSTS preload list, one has to be on Chrome’s list. To be on Chrome’s HSTS preload list, one has to use the includeSubdomains option in the HSTS header. So, in order to have tails.b.o on these lists, we need valid certificates for all our subdomains of tails.b.o, otherwise various pieces of our infrastructure (e.g. Jenkins) will be unreachable (major browsers don’t let you validate a self-signed certificate by hand, if HSTS is enabled for this domain).

To do so, we can either:

a. Get a commercial wildcard certificate for *.tails.boum.org.
b. Get Let’s Encrypt certificates for each one of our subdomains.

Parent Task: #8191 (closed)


Original created by @intrigeri on 8192 (Redmine)
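The constraint described in this issue, as an added example that is not part of the original issue or of the Tails infrastructure code: it parses an HSTS header per RFC 6797 and lists which hosts in an inventory would become unreachable once `includeSubDomains` is set. The `example.org` hostnames and their certificate states are constructed stand-ins, and the function names are hypothetical.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns None when the header is invalid and would be ignored."""
    seen = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                   # a repeated directive invalidates the header
            return None
        seen[name] = value.strip().strip('"')
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}


def hsts_applies(policy_host, policy, host):
    """True if `host` is covered by the policy set by `policy_host`."""
    if policy is None or policy["max_age"] == 0:
        return False
    host, policy_host = host.lower().rstrip("."), policy_host.lower().rstrip(".")
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)


def unreachable_hosts(policy_host, header, inventory):
    """Hosts covered by HSTS whose certificate a browser would not accept.
    Under HSTS the certificate error cannot be clicked through."""
    policy = parse_hsts(header)
    return sorted(h for h, cert_ok in inventory.items()
                  if hsts_applies(policy_host, policy, h) and not cert_ok)


# Constructed inventory: host -> serves a publicly trusted certificate?
INVENTORY = {
    "example.org": True,
    "www.example.org": True,
    "jenkins.example.org": False,   # assumed self-signed internal service
    "notexample.org": False,        # different domain, never covered
}

if __name__ == "__main__":
    for hdr in ("max-age=31536000", "max-age=31536000; includeSubDomains"):
        print(hdr, "->", unreachable_hosts("example.org", hdr, INVENTORY))
```

Running the same check against a real inventory before submitting a domain for preloading shows which subdomains still need a valid certificate first.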
