Incident report 2026-07-10

Information
Report date: Friday 10 July 2026 Incident occurrence: Thursday 10 July 2026 Incident duration: Approximately 6 hours 20 minutes Status at report date: Resolved  

Systems affected
BookVisit, Citybreak Online, Sales Agent

Customer/end-user impact
All customers using BookVisit-powered booking sites and Citybreak Online were unable to complete
online bookings during the incident window. Sales Agent booking flows were also impacted. Customers
encountered errors including “Error Code 1” and “an error occurred, please reload the homepage” when
attempting to add items to their basket or proceed to checkout. The issue affected multiple customers
simultaneously across all tenants using these services.

Timeline
• 2026-07-10, 02:06 CEST: First customer report received via support line — BookVisit booking failing
with “Error Code 1.” Customer confirmed the same error on five other hotel sites using the platform.
• 2026-07-10, 08:02 CEST: Internal confirmation that all BookVisit sites were down and Citybreak
Online was failing with a certificate validation error. Incident raised in the engineering escalation
channel.
• 2026-07-10, 08:15 CEST: Broader impact confirmed — nothing bookable online or through Sales
Agent. Urgent escalation initiated.
• 2026-07-10, 08:22 CEST: Engineering and platform leadership engaged. Manual certificate renewal
process initiated on the production server.
• 2026-07-10, 08:22 CEST: BookVisit confirmed restored. Citybreak Online confirmed restored shortly
after. Incident marked as resolved.
• 2026-07-10, 09:43 CEST: visit.com, also affected, confirmed back online.

Root Cause Analysis
The outage was caused by the expiry of TLS certificates used by BookVisit, Citybreak Online, and Sales
Agent. These certificates are issued via Let’s Encrypt and are managed by an internal automated renewal
service running on a production server.
Investigation revealed that this renewal service had been crash-looping continuously and had never
successfully completed an automated renewal cycle. The root cause of the crash-loop was that the
service was pinned to a specific version of the .NET 6 runtime that was not installed on the production
host, preventing the application from starting. As a result, certificates were never renewed before they
expired.
A secondary contributing factor was a misconfigured port in the server’s reverse proxy, which meant the
renewal endpoint was not correctly reachable even when the service was running. The failure was visible
in deployment logs, but no monitoring or alerting was in place to surface it before customer impact
occurred.

Investigation/Resolution Actions
• Escalated to engineering leadership and platform team upon internal detection of the outage.
• Identified an existing internal renewal tool on the production server and manually triggered the
certificate renewal process via the production VPN.
• Applied a .NET runtime roll-forward configuration to allow the renewal service to start despite the
missing pinned runtime version.
• Corrected the reverse proxy port configuration so the renewal endpoint is correctly reachable going
forward.
• Confirmed service restoration across BookVisit, Citybreak Online, and Sales Agent by verifying live
customer sites.
• Updated the public incident status page to resolved.

Preventive Measures & Next Steps
• Replace or fully harden the internal certificate renewal service to ensure reliable, automated renewal
with a clear owner and operational runbook.
• Implement proactive monitoring and alerting for certificate expiry (minimum 30 days’ notice),
renewal failures, and renewal-service health — so issues are detected before customers are
impacted.
• Remove the runtime version pinning fragility by ensuring required .NET runtimes are validated as
part of the deployment pipeline, with startup smoke tests to catch failures early.
• Establish clear ownership of the renewal service within the platform team, with defined on-call
responsibilities and a reviewed runbook.
• Review the first-response process for overnight support contacts to ensure multi-tenant production
issues are escalated to engineering faster.

Conclusion
On the morning of 10 July 2026, a failure in our internal certificate renewal automation caused TLS
certificates to expire undetected, taking BookVisit, Citybreak Online, and Sales Agent offline for all
customers. The underlying automation had been silently failing for an extended period due to a missing
runtime dependency and a misconfigured network port, with no alerting in place to surface the problem
before it reached production impact.
Service was restored within approximately 20 minutes of the engineering team engaging, through manual
renewal of the certificates on the production server. We recognise that the time between the first
customer report and our internal response — approximately six hours — is not acceptable, and improving
our overnight alerting and escalation process is a priority.

3 Betroffene Dienstleistungen:

Visit Group |  Kungsgatan 34-36 |  411 19 Göteborg |  Sweden |  +46 (0)31 38 06 000
www.visitgroup.com