On 9 Jul 2026 , it was reported that some The Things Indoor Gateway Pro (TTIG Pro) gateways lost connection to the LNS for some users in EU1 region. This was triggered by certificate renewal issue. Once the remediation was in place, the affected gateways started reconnecting.
The certificate serving port 8889 expired on Jul 9 09:21:27 UTC. This port is used exclusively by TTIG Pro gateways for their WebSocket connection to the LNS.
Certbot had already renewed the certificate before expiry and stored the new YR-signed certificate in the proxy_tls secret in AWS Secrets Manager. However, the secret was not synced by the GatewayProxy (Envoy) service. As a result, Envoy continued to serve the expired R12 certificate from memory, causing all TTIG Pro TLS handshakes to fail with certificate verification error.
The fix was applied by restarting the GatewayProxy ECS task on each affected cluster, which forced Envoy to re-read the proxy_tls secret from Secrets Manager on startup and load the already-renewed YR certificate.
Investigate why the renewed certificate was not synchronized to Envoy and implement a permanent fix to ensure certificate updates are automatically reloaded before certificate expiry. Additionally, improve monitoring and alerting to detect certificate synchronization issues before they can impact customer traffic.