Over 20 seconds to open site after renewing SSL certificate!

Hi Seth,

Thanks for quickly getting back to me. I will cc the server person and
developer on the email to resolve this quickly.

We are using AWS. I don’t think server hardware is an issue.

Thanks,
Manny

I have a similar problem. I have an instance in AWS Lightsail, set up on the plan with 4GB RAM and 2 vCPUs. I installed the Let’s Encrypt certificate last week and my entire site started to get slow, including the management part of WordPress.

Could this have to do with some configuration of my certificate? Do I need to configure something to redirect HTTP to HTTPS? Could this be slowing down the site?

Thank you in advance for your help.

Hi Bruno,

We didn’t have this problem earlier.

This happened last week for us also!!!

We updated the certificates and all the sites are senile now!

We have an AWS setup similar to yours. We troubleshot like crazy by eliminating one component at a time and concluded it’s the SSL.

I suspect something changed on the Let’s Encrypt or AWS side which is now conflicting.

1 Like

Given the way SSL/TLS works, it is close to impossible that a change on the CA side could affect performance this way.

That said, something that could certainly cause this is an issue with the web server configuration. If you used certbot with the apache plugin, which automatically modifies your apache configuration to enable HTTPS, it could even be specific to the HTTPS vhost if the configuration was written in a way that would cause certbot to get confused. If disabling HTTPS reproducibly reduces the loading time, that’s certainly a possibility.

It would be useful if you could share all apache configuration files that were changed from the default configuration (i.e. the configuration after a clean install of apache), plus the files added by certbot (if you used certbot with the apache plugin), plus possibly any relevant logs from apache’s error log.

2 Likes

Thanks for the answers Manny and Patrick. I followed this article to make the settings on my server: https://digitaldavo.wordpress.com/2016/01/13/using-free-letsencrypt-https-ssl-on-bitnami-lamp-on-ec2/

It’s certainly a problem with Apache as Patrick commented, but I have not figured it out yet.

I’ll try to post here the data that Patrick asked for.

hi @brunoliveiralcantara @Manny

can we try doing this in a scientific manner?

for example have either of you reached out to amazon to check if there are any datacentre issues or network speed issues?

Start with the observed root cause:

The websites are loading slow

Work on likely possibilities

A) Servers and Networks are slower (have either of you ruled this out)
B) Have you compared HTTP only loads vs HTTPS loads
C) What is the CPU and RAM usage of your servers
D) Do you have any historic records and is the usage higher
E) Have you made any changes (updating OpenSSL libraries, updating Apache/Nginx)

Generally, saying the renewal made things slow down without a shred of evidence or a structured approach is not an approach I would use (and I have been involved in troubleshooting lots of slow applications).

Andrei

1 Like

Hi

A) Servers and Networks are slower (have either of you ruled this out)
ANS: I am using AWS t2.medium and my HTTP sites are working fine. The issue is in HTTPS only.

B) Have you compared HTTP only loads vs HTTPS loads
ANS: I am using an instance-to-instance LB. For testing I have stopped my load balancer.

C) What is the CPU and RAM usage of your servers
ANS: This is my server: t2.medium, vCPU 2, memory 4MB. And usage is fine.

D) Do you have any historic records and is the usage higher
ANS: No.

E) Have you made any changes (updating OpenSSL libraries, updating Apache/Nginx)
ANS: No, I only added a new domain and ran the SSL add command. But my SSL was renewed one day back for all, and after that the sites are slow.

Hi brunoliveiralcantara

As per my findings, I have not updated Apache and no changes were made recently.

Here is my CPU and memory usage:

CPU
load average: 0.02, 0.08, 0.03

Memory
      total  used  free  shared  buff/cache  available
Mem:   3950   356  2963      81         630

My server Apache conf files:

<VirtualHost *:80>
    ServerName bizweb360.com
    ServerAlias www.bizweb360.com

    RewriteEngine On
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>

<VirtualHost 172.31.56.43:443>
    ServerName bizweb360.com
    ServerAlias www.bizweb360.com

    DocumentRoot /var/www/html/domain/oATvjLPiuy
    # SSL Certificate settings
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/www.bizweb360.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/www.bizweb360.com/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/www.bizweb360.com/chain.pem

    BandWidthModule On
    ForceBandWidthModule On
    BandWidth all 8048

    CBandLimit 1G
    CBandExceededSpeed 128 5 15
    CBandScoreboard /tmp/scoreboard/bizweb360.com.scoreboard
    CBandPeriod 4W
    <Location /cband-status-me>
        RewriteCond %{REQUEST_URI} !=/cband-status-me
        SetHandler cband-status-me
    </Location>

    <Directory /var/www/html/domain/oATvjLPiuy>
        DirectoryIndex index.html default.php welcome.php index.php
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/bizweb360.com-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error

    CustomLog /var/log/apache2/bizweb360.com-access.log combined
</VirtualHost>

1 Like

One easy check to see if the speed is an HTTPS issue (either cert or config) is to put up a static file, something somewhat large like a 50 megabyte image and then time downloading it over HTTP and HTTPS using a tool like cURL. Obviously, you can’t have a redirect in place for this test.

Since the server just has to serve a static file, any major speed difference between the two attempts will mostly eliminate the application software as a point of problem.

So for all of the people having slowness problems, have you tried downloading a single large static file over HTTPS to see if that is also slow?

The original user complaining about this, @Manny, has a site where downloading a large JPEG file takes a long time (several minutes!), so there is some underlying problem that makes everything slow. That’s not necessarily the case for every site.

Similarly, have you all tried using something like the Chromium/Chrome developer tools where it displays the times that each resource took to load, and the reasons that each took a particular amount of time?
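
The HTTP-versus-HTTPS timing test suggested above, as an added example that is not part of the original post: `fetch_stats` wraps curl and `compare_stats` classifies the two results. The `HOST` variable, the file path and the 2x threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example: time one large static file over HTTP and over HTTPS.
# HOST and the file path below are placeholders, not values from the thread.

# Fetch a URL, discard the body, and print
# "http_code total_seconds tls_done_seconds bytes_per_second".
# time_appconnect is when the TLS handshake finished (0 for plain HTTP).
# No -L: a redirect must show up as 301/302, not be followed silently.
fetch_stats() {
    curl -sS -o /dev/null --max-time 600 \
         -w '%{http_code} %{time_total} %{time_appconnect} %{speed_download}\n' "$1"
}

# Classify two fetch_stats lines (HTTP first, HTTPS second).
#   not-comparable  one side was not a 200 (e.g. the HTTP->HTTPS redirect)
#   comparable      HTTPS took at most 2x the HTTP time (threshold is arbitrary)
#   tls-handshake   the handshake accounts for most of the extra time
#   https-transfer  the body itself is slow over HTTPS: look at the 443 vhost
compare_stats() {
    awk -v h="$1" -v s="$2" 'BEGIN {
        split(h, a, " "); split(s, b, " ")
        if (a[1] + 0 != 200 || b[1] + 0 != 200) { print "not-comparable"; exit }
        if (b[2] + 0 <= 2 * a[2])               { print "comparable"; exit }
        extra = b[2] - a[2]          # seconds HTTPS needed beyond HTTP
        if (b[3] + 0 >= extra / 2) print "tls-handshake"
        else                       print "https-transfer"
    }'
}

# Runs only when a host is supplied:  HOST=example.com ./tls_timing.sh
if [ -n "${HOST:-}" ]; then
    http=$(fetch_stats "http://$HOST/static/test-50mb.bin")
    https=$(fetch_stats "https://$HOST/static/test-50mb.bin")
    echo "http:  $http"
    echo "https: $https"
    compare_stats "$http" "$https"
fi
```

A `not-comparable` verdict usually means the port-80 vhost still redirects to HTTPS, which has to be disabled for the duration of the test.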

Hi,

This site is encrypted through Let’s Encrypt also, but doesn’t have the loading time issue.

It is on the same server; everything is the same except the site certificate has not been renewed yet after the original setup.

We removed the SSL and ran the bizweb360 site on a different server, and it was fine. We are going to do the same on this server and run the site on HTTP and see.

Manny

I might be missing something, but the documentation for mod_bw indicates that …

BandWidth all 8048

… limits the bandwidth available to each client to 8048 bytes per second. This roughly matches the speed at which I can load the site. I haven’t waited for the full site to load yet, but it’s definitely > 1MB, so a limit of 8 kbyte/s seems rather low here.

(I’m not familiar with mod_cband, but I’d double-check whether any of those directives introduce similar limits.)

3 Likes
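
One way to run the double-check suggested above over a whole configuration (an added example, not code from the thread or from the mod_bw or mod_cband projects): it lists the throttling directives seen in the posted config by vhost, and works out how long a page takes at a `BandWidth` rate. The sample config is constructed from the directives quoted in this thread; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: find rate-limit directives in Apache config text.
# Only the directives that appear in this thread are matched.

# Read config text on stdin; print "<vhost> <directive> <args...>" per hit.
# Directive names are matched case-insensitively; comment lines are skipped.
find_throttles() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "<virtualhost"   { vh = $2; sub(/>$/, "", vh); next }
        tolower($1) == "</virtualhost>" { vh = ""; next }
        tolower($1) ~ /^(bandwidth|cbandlimit|cbandexceededspeed)$/ {
            printf "%s %s", (vh == "" ? "(global)" : vh), $1
            for (i = 2; i <= NF; i++) printf " %s", $i
            print ""
        }'
}

# Whole seconds needed to deliver $1 bytes at $2 bytes per second.
seconds_at_rate() {
    awk -v b="$1" -v r="$2" 'BEGIN { printf "%d\n", b / r }'
}

# Constructed sample, reduced from the config posted in this thread.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
ServerName bizweb360.com
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>
<VirtualHost 172.31.56.43:443>
SSLEngine on
#SSLCertificateChainFile /etc/letsencrypt/live/www.bizweb360.com/chain.pem
BandWidthModule On
BandWidth all 8048
CBandLimit 1G
CBandExceededSpeed 128 5 15
</VirtualHost>
EOF
}

# Usage: ./find_throttles.sh /etc/apache2/sites-enabled/*.conf
if [ "$#" -gt 0 ]; then
    cat -- "$@" | find_throttles
fi
```

On the sample, every hit lands in the 443 vhost and none in the port-80 one, which is the pattern that makes a throttle look like an HTTPS problem. `seconds_at_rate 1048576 8048` gives 130, the time for 1 MiB at the quoted limit.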

Yes, I am checking this. Maybe this bandwidth is causing the issue.
Thanks

@Manny @Zaffar

One other difference between your wam360.com site and your bizweb360.com is that the wam360 site uses what seems to be a CDN. Most of the content is served up from what looks like a CDN (cdn.wam360.com), which could explain why the wam360 site is not having issues with loading.

Andrei

1 Like

Hi,

Thanks for all the help. We were able to fix the issue. The download speed as pointed out was 8 Kb, which has been changed. We couldn’t find out the reason, but the site is working fine now.

Thanks
Manny

The observation from @ahaw021 seems like it might have impacted things too. Maybe something about the switch to HTTPS caused more page resources to be served directly from your site (which was configured to significantly limit download speeds) instead of indirectly via the CDN (which would have given people a fast download). So, now that you’ve fixed up your origin server, you might also want to check which resources are now coming from the CDN and whether you’re getting the speed benefits from the CDN that you expect.

I’m glad that HTTPS itself is not responsible for the performance problems and that they’ve been resolved successfully.

1 Like

I’ve had a similar experience where web server issues started right after a certificate renewal. In our case someone had modified the Apache config file at an earlier time–but did not have Apache reload the config. When the cert renewal ran, the config files were reloaded and the problematic config file changes caused a server failure.

1 Like

Running your site through WebPageTest, looks like changing your site over to using HTTP2 will give you a significant speed boost.

Time to serve HTML asset on your site could use a bit of TLC.

Since you’re running WordPress, the procedure for speeding up your site is fairly well known + straightforward. WPT contains many write-ups about how to speed up serving your initial HTML asset.

Thanks for the info. We will try it out.