On April 17th, 2020, StackPath conducted scheduled maintenance to correct an issue with the CDN that caused non-SNI clients to receive an incorrect SSL certificate when making requests. The maintenance plan was to assign the correct default certificate to the anycast IP address used by the StackPath 2.0 CDN.
At 14:50 UTC the maintenance began with our Operations team monitoring the platform for impact as an extra precaution. At 14:54 UTC StackPath Platform Operations team observed impact to CDN properties where test requests for custom domains were no longer receiving the proper SSL certificate. The maintenance had caused the CDN to no longer see other SSL certificates as being valid for use. This resulted in only the *.ssl.hwcdn.com certificate being returned. The maintenance changes were immediately reverted. Re-enabling the entire SSL certificate pool required the StackPath Platform Operations team to restart services across the CDN, which started at 16:06 UTC and at 18:20 UTC StackPath confirmed all services were fully restored. This was done one delivery POP at a time in each major market (US, EU, APAC, etc) to ensure stability as SSL traffic resumed.
April 17th, 2020 (UTC)
14:50 – Maintenance to fix non-SNI clients began.
14:54 – The maintenance team and StackPath Platform Operations team observed traffic on StackPath 2.0 experienced a significant impact.
14:59 – StackPath Support begins receiving client reports of SSL certificate errors.
15:04 – Engineers working on the SNI maintenance revert their changes. The Software Engineering team is engaged to investigate why the roll back plan was not successful.
16:00 – A DNS change was made to redirect StackPath 2.0 customers to a different anycast IP address which was confirmed unaffected.
16:06 – The Platform Operations team began restarting services CDN-wide in staggered fashion to minimize additional impact.
17:28 – StackPath confirmed all services in all locations completed.
18:20 – After monitoring the situation the StackPath Platform Operations team confirmed the issue is resolved.
Customers utilizing custom SSL certificates on the StackPath 2.0 CDN platform received an invalid SSL certificate error when making requests to the CDN between 14:50 to 17:28 UTC.
StackPath is working to determine the root cause of why this planned maintenance caused the CDN to no longer allow the use of custom SSL certificates. This maintenance has been placed on hold indefinitely until a root cause is determined and a new method of procedure is developed.
StackPath Platform Support