
Move domain name registration and SSL to AWS
Closed, Resolved. Public


We currently use a mixture of AWS and other services for both domain name registration and SSL. We should consolidate these services into AWS so everything can be managed in one place.

This probably looks like:

  • Add ALBs in front of the notify tier and terminate SSL there.
  • Switch all SSL to AWS.
  • Transfer registration to AWS.

Doing the SSL bit first makes sure we don't possibly get into a tricky spot where we need to get an external SSL certificate for an AWS domain. Although this should be something we can reasonably do (i.e., should just require we click a link in an email) it's possible we might not be able to do it as quickly as we'd like ("fax a notarized document on company letterhead") and we avoid this risk by doing SSL first.

These are Phabricator-related domains which we own but which are not currently registered through AWS:


A handful of these (although none of the important ones:,, may also be on third-party DNS.

Transferring may be some sort of weird mess since AWS doesn't appear to support .io registration, but maybe there's no issue.

Once this is all done, it would be nice to put a small "parking" tier into production and send all of the unused domains there, then have them redirect web traffic to appropriate destinations.

Revisions and Commits

Restricted Differential Revision

Event Timeline

epriestley added a revision: Restricted Differential Revision. Sep 12 2017, 5:17 PM

I can go request these certs via the AWS cert manager. We can also do it via CloudFormation, which will reduce the number of clicks significantly (and make it trivial to request all the same certs in multiple regions).

Let's make sure all the SSL is swapped first just so we don't get into trouble if we make it halfway, run into issues, and something expires, but that'd be helpful once SSL is in the clear. I'm not sure if nlb was the last case of SSL terminating somewhere other than LBs or not, but I think there's one left that I just don't remember offhand.

Yeah I'm just talking about requesting the SSL certs, not moving the domains. Unless I'm missing something, I don't think there's any way to get stuck just by getting the certs ready.

Oh, sorry, misread -- that makes more sense. is the only one we serve anything from ourselves right now, and I think the only one we have plans to serve anything from.

epriestley added a commit: Restricted Diffusion Commit. Sep 12 2017, 5:32 PM

Switch all SSL to AWS.

I actually think we're doing all SSL termination on LBs now, so it's just an issue of moving SSL certificates over. These are the LBs that need to swap, I believe. These are roughly in order of lowest-risk to highest-risk:

  • plb001 uses external, should use AWS (
  • slb001 uses external, should use AWS (
  • alb001 uses external, should use AWS (
  • lb001 uses external, should use AWS (all instances on

These already use AWS SSL:

  • nlb001 (ongoing, T12978).
  • snlb001 ( websockets).

If you want to fix that stuff, be my guest.

I'm not sure if you can issue transfer requests for the actual domains from AWS (it looks like you can? Route 53 -> Transfer Domains?), but feel free to trigger those if you can once we swap SSL and I'll complete the process when it emails me.
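A pre-transfer check for the LB swap described in the comment above, added here as an example and not code from the task or from Phabricator: it classifies the certificate each LB presents as ACM-issued or external and flags an external cert that would lapse inside the transfer window. The issuer heuristic (organizationName "Amazon"), the sample cert dicts and the hostnames are assumptions made for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption (not from the task): public ACM certificates carry "Amazon" as the
# issuer organizationName; that is the signal used to tell ACM from external.
ACM_ISSUER_ORGS = {"Amazon"}

# Constructed samples in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_ACM = {
    "issuer": ((("organizationName", "Amazon"),), (("commonName", "constructed-acm-ca"),)),
    "notAfter": "Jan 01 00:00:00 2026 GMT",
}
SAMPLE_EXTERNAL = {
    "issuer": ((("organizationName", "Example External CA"),),),
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def classify_cert(cert, now, window_days=30):
    """Return issuer origin and remaining lifetime for one peer certificate."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    org = issuer.get("organizationName", "")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    return {
        "issuer_org": org,
        "acm": org in ACM_ISSUER_ORGS,
        "days_left": days_left,
        # An external cert expiring mid-transfer is the trap the task wants to avoid.
        "at_risk": org not in ACM_ISSUER_ORGS and days_left < window_days,
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate the LB behind `host` presents (live network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts, now=None, window_days=30):
    """Classify every host; connection failures are recorded, not raised."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host in hosts:
        try:
            report[host] = classify_cert(fetch_cert(host), now, window_days)
        except (OSError, ssl.SSLError, KeyError, ValueError) as exc:
            report[host] = {"error": str(exc)}
    return report
```

Run `audit([...])` over the hostnames served by plb001, slb001, alb001 and lb001; any entry with `at_risk` set is an LB to swap before the registrar transfer starts.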

amckinley added a revision: Restricted Differential Revision. Sep 12 2017, 5:51 PM

Just sent a cert request for (Actually it should be two, one for each region).

I haven't gotten any emails yet so I may have to go muck with the WHOIS stuff and make sure there's a valid email somewhere -- itself has no mail or MX records.

I moved SSL and registration for to AWS in T13113 so this is just a transfer issue now.

epriestley closed this task as Resolved. Edited Mar 28 2018, 5:04 PM
epriestley claimed this task.

After clicking 17,000 emails I successfully transferred everything to AWS, with some minor caveats:

  • is still pending, but the transferring registrar has already confirmed it so I think this will sort out on its own.
  • Some domains don't have meaningful DNS; some do but don't point anywhere. In theory, it would be nice to park them on some box eventually. But this stuff is all controlled in AWS now so we can just do it when we decide to get around to it.
  • Some are probably kind of pointless (,, but at ~$10/year they aren't really hurting anything.