HTTPS doesn't seem to be working for the root domain, but subdomains are fine

I have a domain configured with a certificate for https://{domain} and another for https://www.{domain}. The latter works fine, but I can’t seem to connect to https://{domain} from any browser except Safari on Mac, and that is only occasionally.

I’ve tried deleting and recreating the certificate, but that doesn’t help. As stated, https://www.{domain} works fine. This only happens to one of my apps, though it is by far the most trafficked one I have.

The domain is configured as an ANAME in name.com’s DNS system, if that’s of any help.

Can you send me your domain name privately so I can take a closer look? If both hostnames have been added to your app, it should work.

I can connect to both hostnames fine from multiple browsers.

I’m pretty sure this is because your app gets a huge amount of traffic and we’re enforcing limits on it. We’re queueing TLS handshakes. We only allow ~30 concurrent TLS handshakes per SNI or per IP block (separate limits) per server. In your case, the SNI limit is being enforced. We then queue up to 10K handshakes; we shed the load past that point.

I might be able to play with this limit a little bit, but it looks like you’d need closer to 150 handshakes per second per server.

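Added example, not part of the thread and not the platform's own code: a Python model of the per-SNI admission scheme described in the reply above (30 concurrent handshakes, a 10K queue, shedding beyond that), showing how a concurrency cap turns into a throughput cap. The 250 ms handshake cost, the hostname `busy.example`, and the names `SniGate` and `simulate` are assumptions; the separate per-IP-block limit is not modelled.

```python
from collections import deque

MAX_ACTIVE = 30        # concurrent handshakes per SNI per server (figure from the thread)
MAX_QUEUED = 10_000    # waiting handshakes per SNI before load is shed (from the thread)

class SniGate:
    """Per-SNI admission control: run, queue, or shed each new TLS handshake."""
    def __init__(self, max_active=MAX_ACTIVE, max_queued=MAX_QUEUED):
        self.max_active, self.max_queued = max_active, max_queued
        self.active = {}   # sni -> handshakes in progress
        self.waiting = {}  # sni -> deque of queued connection ids

    def arrive(self, sni, conn_id):
        if self.active.get(sni, 0) < self.max_active:
            self.active[sni] = self.active.get(sni, 0) + 1
            return "start"
        q = self.waiting.setdefault(sni, deque())
        if len(q) >= self.max_queued:
            return "shed"            # queue full: refuse instead of buffering more
        q.append(conn_id)
        return "queued"

    def finish(self, sni):
        """One handshake ended; pass its slot to the oldest waiter, else free it."""
        q = self.waiting.get(sni)
        if q:
            return q.popleft()
        self.active[sni] -= 1
        return None

def simulate(rate_per_s, handshake_ms, seconds, sni="busy.example"):
    """Evenly spaced arrivals for one SNI; handshake_ms is an assumed fixed cost."""
    gate, ends, dur = SniGate(), deque(), handshake_ms * 1000   # times in microseconds
    stats = {"start": 0, "queued": 0, "shed": 0}
    for i in range(rate_per_s * seconds):
        now = i * 1_000_000 // rate_per_s
        while ends and ends[0] <= now:           # complete handshakes that are due
            freed_at = ends.popleft()
            if gate.finish(sni) is not None:     # a waiter takes over the slot
                ends.append(freed_at + dur)
        outcome = gate.arrive(sni, i)
        stats[outcome] += 1
        if outcome == "start":
            ends.append(now + dur)
    stats["waiting"] = len(gate.waiting.get(sni, ()))
    return stats

if __name__ == "__main__":
    print(simulate(150, 250, 10))    # backlog builds, nothing shed yet
    print(simulate(150, 250, 400))   # queue cap reached, excess handshakes shed
```

With 30 slots and an assumed 250 ms per handshake, one server completes about 120 handshakes per second for a hostname, so a steady 150 per second leaves clients waiting in a growing queue long before anything is shed.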

Thanks. I guess I need to reduce my traffic somehow! :thinking:

I’ve made some tweaks. After raising the limits, we were hitting different resource limits on our servers.

Every app has its own “isolate” which runs a single-threaded runtime for everything. I’ve now switched that to a multi-threaded runtime (limited to a few threads) and this appears to have fixed the issue.

Performance is not as good as I’d like it to be, so I’m still tweaking settings (like number of threads).

Will keep updating this post as I make progress.


I’m still tweaking things, but I believe this is resolved everywhere but a few small regions getting a large number of handshakes (India and Singapore).
