DownNotifier.com reports "unknown SSL error"

I use DownNotifier to monitor several websites run on a small VPS. That service runs a check every minute to see if the website is running. It does this by looking for a specific bit of text on a website. In the case of

it's configured to look for "radio". This seems better than the sites that just check if a website is serving web pages, which might be an error message. It also runs a check of SSL certificates - mainly to warn of when they are expiring. For the last couple of weeks it keeps emailing me and texting me to say "Unknown SSL error". Then I get another to say it's working okay. I've not had one saying it can't find "radio" on the webpage, which it would do if the site was seriously screwed up. Although it checks the website once/minute, I think it only checks the SSL certificate every 15 minutes or so.

I have not changed anything on the server for many months - in fact another website on the server has had a 100% uptime since May of last year, which is pretty good going for a VPS costing me £1.20 per month (around $1.50/month). I've tried reloading Apache but that did not solve the problem. I then decided to reboot the server, which again did not solve the problem.

I've checked the renewal date on the SSL certificate, and that was before the reports of an unknown SSL certificate kept coming in. I'm tempted to think that the problem is with DownNotifier, but it's strange that it is only happening with one website which is a virtual host on the same server as several other sites.

https://kirkbymicrowave.com (which redirects to the above)
https://g8wrb.co.uk/

Any suggestions?

My domain is: dhars.org.uk

I ran this command: Runs from certbot version: 2.9.0

It produced this output:

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Linux debian 4.19.0-26-cloud-amd64 #1 SMP Debian 4.19.304-1 (2024-01-09) x86_64 GNU/Linux

My hosting provider, if applicable, is: Ionos

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'd tend to think it'd have to be, if it can't specify what the problem is. Both the ssllabs.com test and testssl.sh complete against kirkbymicrowave.co.uk without errors and with a score of "A".

I guess it could be the case that your VPS is resource-starved, such that it occasionally can't respond properly. That would be consistent with the intermittent nature of the errors you're seeing, but wouldn't explain why you're only seeing them on one virtual host.

Hello @drkirkby, you may want to contact DownNotifier asking them to elaborate a bit on the message "unknown SSL error".

That was going to be my next step. I just wondered if someone here was going to suggest getting another certificate, although the fact that the date the reports started was after the last certificate was issued made me suspicious it is them.

I doubt the site is resource limited. Admittedly it only has one virtual CPU, 1 GB RAM and 10 GB of disk space, but none of the sites are that demanding. They are all static PHP pages with no database, cgi scripts or anything else I can think of that would use much resources. I just checked "top" on Linux and it gives the 3 load averages for 1, 5 and 15 minutes all as 0.00. I wish I could say my company website was so active that I needed to use Amazon servers to run it, but it would probably run quite happily on a Raspberry Pi.

I wouldn't. An expired cert or faulty cert config is easy to identify and we don't see any problems with those (see SSL Labs and other cert testing sites). I'd think downnotifier would report a "bad" cert more clearly. This is likely some sort of comms issue maybe even ciphers or similar. Or even just a down notifier problem itself.

Does anything show in your Apache error logs? Between that and contacting down notifier you should be able to sort it. Get a time from them of a failure and match to your logs.

I have tried looking in the logs and not seen anything. I will however have a more careful look, checking the time they send the email to the logs. I think they check SSL problems about once per 15 minutes, whereas they check the homepage is working once per minute on the plan I'm on ($20/year) or every 5 minutes on the free plan.

I sent them an email asking if they have any ideas, and pointed them to this forum.

I just looked at the monitoring for this website, and see that it has not been available for 5 periods this year, totaling 8 hours and 4 minutes. (I also see it checks for DHARS, not radio as I said earlier, but essentially it checks if the homepage is showing sensible things.)

| Start | End | Duration | Reason |
| --- | --- | --- | --- |
| 04-03-2024 00:26:47 | 04-03-2024 04:27:08 | 4 hours, 0 minutes | Website does not contain "DHARS". |
| 01-03-2024 23:56:14 | 02-03-2024 03:56:42 | 4 hours, 0 minutes | Website does not contain "DHARS". |
| 29-02-2024 23:56:16 | 29-02-2024 23:58:30 | 2 minutes | Website does not contain "DHARS". |
| 22-01-2024 10:45:52 | 22-01-2024 10:46:55 | 1 minute | Website does not contain "DHARS". |
| 19-01-2024 01:26:16 | 19-01-2024 01:27:00 | 1 minute | Website does not contain "DHARS". |

In contrast, on another website on the same server, there are no reported problems this year, with the last downtime being in May last year. (I did cheat a bit the other day when I rebooted the server, as I rebooted it immediately after they had checked the site. The reboot took less than a minute so was not detected.)

| Start | End | Duration | Reason |
| --- | --- | --- | --- |
| 26-05-2023 13:37:54 | 26-05-2023 16:04:29 | 2 hours, 26 minutes | Website does not contain "attenuator". |
| 26-05-2023 13:25:30 | 26-05-2023 13:35:48 | 10 minutes | Website does not contain "attenuator". |
| 15-05-2023 00:36:08 | 15-05-2023 00:36:40 | 1 minute | Website does not contain "attenuator". |
| 15-05-2023 00:32:32 | 15-05-2023 00:33:55 | 1 minute | Website does not contain "attenuator". |
| 15-05-2023 00:18:33 | 15-05-2023 00:19:57 | 1 minute | Website does not contain "attenuator". |
| 15-05-2023 00:04:18 | 15-05-2023 00:04:50 | 1 minute | Website does not contain "attenuator". |

I've had a few VPSs from Ionos, and always take the offer of a 30-day free trial. Some seem pretty unreliable, but for some reason I seem to have struck lucky with this one, with no downtime since May of last year, and that was me doing some maintenance. Not bad service for £1.20/month (around $1.50/month). Although I said the others have been unreliable, they have still given me 99.9% availability over a month, but I'm getting a lot better on this VPS than I've had on other VPSs from the same company.

Your Apache error log should show something if they reach your server and get some error. If you don't see anything in that error log then it is more likely a simple timeout of them not reaching you. This is probably more likely and the reason the error is not described. Timeouts could be on their end as easily as yours. But why some of your domains and not others, I don't have a good suggestion. Unless they have assigned your domains to different sections of their own infrastructure.

You might try turning on debug level error logging. Or, at least info level. You won't want debug level on permanently.
https://cwiki.apache.org/confluence/display/HTTPD/DebuggingSSLProblems#DebuggingSSLProblems-EnableSSLlogging

You might also try some other "uptime" service as comparison. If both services report similar failures you know the problem lies closer to your end.

Do you restart/reload apache when your certs renew? If not then the webserver could hold onto an expired certificate. Occasionally (depending on the web server) different processes can be working with different versions of the cert e.g. one still in memory and one recently loaded from disk.

I use statuscake.com, which works well.

I have both reloaded apache, and even rebooted the machine, but still the problem persists.

I've used Downnotifier for years, and found their support excellent in the past, but I can't seem to get a response to my email on this topic. I just registered on statuscake you mentioned. One thing I noticed about that, is that it does not seem to offer the ability to check for specific text on the website. With downnotifier, if someone was to hack my site and alter the homepage I would know about it because they are unlikely to leave the word that downnotifier is looking for. Also their cheapest paid for service is only $15/year, which I find adequate, whereas the cheapest non-free statuscake service is about 10x that cost. But I'll try the free version of statuscake for now.

As an aside, the easiest way to avoid your website being hacked is to close all unused ports (and if using SSH either only allow your own IP or use something like tailscale private vpn so you can close the port altogether) and ensure you are running up to date versions of your operating system and webserver.

Using a (free) service like Cloudflare to host your DNS and proxy your site helps put some defenses in front of your site that you otherwise would probably not have.

With modest programming skills you can make something that does that.

Example: on Windows, use PowerShell Invoke-WebRequest to retrieve the page and then use one of the string search options to check for your key string. It is not more than a few lines of code.

I don't know how to inspect the cert details with powershell but you could install and use openssl for that. Or various other programming languages have options to parse the x509 details of a cert of an https connection. This becomes a home-grown cert monitor. Although, there are many available online and pretty sure many are free.

2 Likes
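
The home-grown check described in the post above, written in Python rather than PowerShell, as an added example that is not part of the original thread. It reports a specific failure reason with a timestamp (so it can be matched against the Apache logs) instead of an "unknown SSL error"; the function names, the 14-day threshold and the `example.org` host are assumptions.

```python
import http.client
import socket
import ssl
import time

WARN_DAYS = 14  # assumed warning threshold, not a value from the thread

def classify(exc):
    """Name the failure instead of reporting an 'unknown SSL error'."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify: " + str(getattr(exc, "verify_message", exc))
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls: " + str(getattr(exc, "reason", None) or exc)
    return ("connect: " if isinstance(exc, OSError) else "other: ") + str(exc)

def evaluate(cert, status, body, keyword, now=None):
    """Judge one probe from the peer-cert dict, HTTP status and page body."""
    now = time.time() if now is None else now
    days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    problems = []
    if days < WARN_DAYS:
        problems.append(f"certificate expires in {days} days")
    if status != 200:
        problems.append(f"HTTP status {status}")
    if keyword.encode() not in body:
        problems.append(f'page does not contain "{keyword}"')
    return {"ok": not problems, "days_left": days, "names": names,
            "problems": problems}

def probe(host, keyword, timeout=10):
    """Fetch https://host/ once; verify the chain, then check cert and text."""
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", "/")
        cert = conn.sock.getpeercert()  # cert actually served on this connection
        resp = conn.getresponse()
        return evaluate(cert, resp.status, resp.read(), keyword)
    except Exception as exc:  # report the specific reason with a timestamp
        return {"ok": False, "problems": [classify(exc)],
                "at": time.strftime("%Y-%m-%d %H:%M:%S")}
    finally:
        conn.close()

if __name__ == "__main__":
    print(probe("example.org", "Example"))  # placeholder host and keyword
```

Run from cron on a machine other than the web server, the `names` and `days_left` fields also show which certificate is being served, which helps when an old certificate is still held in memory after a renewal.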

I have been running that since 15th March now, and so far it reports 100% uptime every day, whereas downnotifier reported multiple outages, including one yesterday for 16 minutes. I have turned off the unknown SSL error notifications from Downnotifier. It does rather suggest that they have a technical problem, and are not responding to my request for support. I don't know if that's a one-person business, and it could be they are ill or something, have technical problems and are unable to resolve them. I pay them with PayPal, but it is only $15/year, so I will give them the benefit of the doubt over this. But the service is pretty much useless if it is reporting spurious errors, and them not responding to my requests for support. But I have used them for 5 years or more, and have been satisfied with the service, so I'm not going to push this further.

I did note an unusually large response time of 1.3 s from the statuscake report. I need to look into this, but there seem to be 3 spikes in the response time with what appears to be an equal space between them. That's possibly a cron job running. There are a couple that run once/day, which to be honest could probably be changed to once/month as I don't update the site that often.

Here is a list of issued certificates: crt.sh | dhars.org.uk
This certificate is being served for dhars.org.uk and www.dhars.org.uk (crt.sh | 11833951992),
as shown here:

Yet the latest issued certificate is 2024-02-29 for www.dhars.org.uk only.

Both domain names look good here:

I suggest the issue is with downnotifier.com, check with their community support forms and their customer support.
