I ran this command: as many commands as I found in forums (openssl s_client, curl, nslookup)
It produced this output: None of them produced something useful to solve the problem
My web server is (include version): Apache 2.4.25
The operating system my web server runs on is (include version): Debian 9
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.37.1
Here is my problem: I’ve been using certbot for the last six months without any problem. Never seen any kind of slowdown on incoming connections due to ssl problems, but last Thursday (Jan 09) my certificates got renewed, and since then my web sites became very slow. First thing I saw was that in Chrome console on network tab the ssl phase is taking at least 29 seconds to complete after the request starts. It feels very strange because I’ve never had any similar problem before, and now I can’t seem to debug, because every tool I found looking into related forums didn’t give me any clue, except for the slow response.
I’m not much experienced in debugging network related problems, because I never had to, so any help is welcome. Plus, I don’t know how to check if there is any problem with https certificate validation on web browsers.
There’s a couple of things that make me think this is an MTU issue:
Initial TCP connection always results in a retransmission
ServerHello always arrives pretty much exactly 30 seconds after the ACK of the ClientHello, which makes me think it is a retransmission and the round number is a result of RTO calculation.
Try drastically reducing your MTU and seeing whether that helps at all:
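Added example, not part of any post in this thread: a small script that checks a packet capture summary for the two symptoms named in the reply above (the ServerHello arriving much later than the ACK of the ClientHello, and the delay being made of retransmissions spaced like TCP's exponential RTO backoff). The input format is a constructed, simplified one-packet-per-line summary embedded below; a real tcpdump or tshark export would need its own parser, but the analysis only depends on timestamp, direction, TCP sequence number and payload length. The black-hole heuristic (large segments need retransmission while small ones get through at once) is the generalisation of the MTU reasoning, not something the thread states.

```python
"""Heuristic check of a TLS handshake capture for the retransmission /
path-MTU pattern (added example; not from the original thread).

Capture format here is constructed and simplified, one packet per line:
  <rel_time> <src:port> > <dst:port> <what> seq=<n> len=<bytes>
"""
import re
from collections import defaultdict

# Constructed sample, as seen from the server side: small segments (SYN-ACK,
# ACKs) get through immediately, the 1448-byte ServerHello segment is re-sent
# with doubling intervals until the server falls back to smaller segments.
SAMPLE_CAPTURE = """\
0.000 203.0.113.10:51000 > 198.51.100.5:443 SYN seq=0 len=0
0.048 198.51.100.5:443 > 203.0.113.10:51000 SYN-ACK seq=0 len=0
0.096 203.0.113.10:51000 > 198.51.100.5:443 ACK seq=1 len=0
0.097 203.0.113.10:51000 > 198.51.100.5:443 ClientHello seq=1 len=517
0.098 198.51.100.5:443 > 203.0.113.10:51000 ACK seq=1 len=0
0.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
1.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
3.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
7.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
15.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
31.099 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=1448
31.150 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=1 len=512
31.151 198.51.100.5:443 > 203.0.113.10:51000 ServerHello seq=513 len=936
31.200 203.0.113.10:51000 > 198.51.100.5:443 ACK seq=518 len=0
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+"
    r"(?P<what>\S+)\s+seq=(?P<seq>\d+)\s+len=(?P<len>\d+)$"
)


def parse_capture(text):
    """Turn the summary lines into dicts; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({"t": float(m["t"]), "src": m["src"], "dst": m["dst"],
                            "what": m["what"], "seq": int(m["seq"]),
                            "len": int(m["len"])})
    return packets


def looks_like_rto_backoff(times, tolerance=0.25):
    """True if the gaps between successive copies of a segment roughly double
    each time, which is what TCP's exponential RTO backoff produces."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    return all(abs(later / earlier - 2.0) <= tolerance
               for earlier, later in zip(gaps, gaps[1:]))


def analyse_capture(text, server_port=443):
    packets = parse_capture(text)
    client_hello = next((p for p in packets if p["what"] == "ClientHello"), None)
    server_hellos = [p for p in packets if p["what"] == "ServerHello"]
    if client_hello is None or not server_hellos:
        return {"error": "capture does not contain a ClientHello and a ServerHello"}

    # Identical (seq, len) data segments sent by the server are retransmissions.
    sends = defaultdict(list)
    for p in packets:
        if p["src"].endswith(f":{server_port}") and p["len"] > 0:
            sends[(p["seq"], p["len"])].append(p["t"])
    retransmitted = {k: ts for k, ts in sends.items() if len(ts) > 1}
    clean_lens = [k[1] for k, ts in sends.items() if len(ts) == 1]

    smallest_retransmitted = min((k[1] for k in retransmitted), default=0)
    largest_clean = max(clean_lens, default=0)
    backoff = any(looks_like_rto_backoff(ts) for ts in retransmitted.values())

    return {
        # Delay from the ClientHello to the last ServerHello segment sent.
        "hello_delay_s": round(max(p["t"] for p in server_hellos) - client_hello["t"], 3),
        "retransmit_count": sum(len(ts) - 1 for ts in retransmitted.values()),
        "smallest_retransmitted_len": smallest_retransmitted,
        "largest_clean_len": largest_clean,
        "rto_backoff": backoff,
        # Big segments never get through unaided while small ones do, and the
        # timing is RTO-shaped: the classic path-MTU black-hole signature.
        "suspect_pmtu_blackhole": (bool(retransmitted) and backoff
                                   and smallest_retransmitted > largest_clean),
    }


if __name__ == "__main__":
    for key, value in analyse_capture(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows a ServerHello delay of about 31 s built from five retransmissions with gaps of 1, 2, 4, 8 and 16 s, with the 1448-byte segment being the only one that needed re-sending while the 512- and 936-byte segments were acknowledged at once; that is the shape a capture taken on the server would have if the path silently drops full-size packets, and it is what lowering the MTU (or MSS) would remove.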
Very slow isn’t the correct word to explain the problem. In fact, there are situations where the site simply loads at normal speed, but there are times it gives us a timeout because of the ssl. I’ve just updated the post with an image of my console. There is a redirection from port 80 to port 443, which may cause misleading results in some testing sites that don’t allow us to inform the correct protocol.
Maybe there was some interference between my network connection and Let’s Encrypt. I just arrived at my office and miraculously things are working fine. I don’t know if it was some internet related problem, because my internet provider is full of problems, or maybe just some misconfiguration on the data center. Anyway, now it’s working, but I will dig in to understand what could be the reason for the problem.
Thank you all for your help, your comments were very useful. Hope to talk to you again in a less problematic situation. If you ever come to São Paulo - Brasil, I’ll pay for lunch.