Brief overloads at midnight UTC (a request for help!)

mcpherrinm · June 23, 2022, 5:30pm

Let's Encrypt gets a lot of traffic, as you might imagine, but it's usually fairly spread out except for some notable peaks.

We've had some overload issues at the biggest peak throughout June at midnight (00:00) UTC, and it lasts for 15-20 seconds. We're working on various projects to scale and improve that, but those may take some time and it would be helpful to move load away from that peak.

We've identified a particular client, lego-cli, which appears to be used in some of the biggest spike. The lego-cli authors have helpfully added a random sleep to help smooth it out which will be great when people upgrade. And be sure to check out the graph linked in that issue to see the scale of the spikes.

We suspect there's some software package that's shipping lego-cli as a cronjob or similar which is running every day at midnight, utc. However, I haven't been able to find what that is. It must be popular however, for the wide variety of domains we're seeing in these load spikes. Do you know what that might be? Any leads would be helpful here.

If you're an author of a software package, or an administrator of a system, please don't schedule jobs to run exactly at midnight. It'll be less reliable for you, and cause me more pain!

Osiris · June 23, 2022, 6:57pm

Maybe its Docker container identifies as lego-cli?

It's e.g. used by dokku-letsencrypt, although that seems to have the version pinned to an older version than the mostly used in the spikes, so Dokku itself isn't the issue. But the Docker container in general might?

That container seems to be used in at least 105 pieces of code on Github.

Although I can't explain why 4.6.0 is the mostly used version in the peak when the Docker container of 4.7.0 has been published a month ago..

JamesLE · June 23, 2022, 11:23pm

Oh:

github.com

alpinelinux/aports/blob/master/main/alpine-baselayout/crontab#L5


      
          # do daily/weekly/monthly maintenance
          # min	hour	day	month	weekday	command
          */15	*	*	*	*	run-parts /etc/periodic/15min
          0	*	*	*	*	run-parts /etc/periodic/hourly
          0	2	*	*	*	run-parts /etc/periodic/daily
          0	3	*	*	6	run-parts /etc/periodic/weekly
          0	5	1	*	*	run-parts /etc/periodic/monthly

mcpherrinm · June 25, 2022, 5:22am

We’ve identified a likely culprit: bitnami’s bncert-tool sets up a renewal cron at midnight and uses Lego-cli. That matches with many of the other clues we’ve seen. Thanks for the help!

Osiris · June 25, 2022, 8:16am

Hm, weird, in all Bitnami guides mentioning lego, it was never lego-cli. I guess the exact binary name didn't need to be lego-cli

Glad you've found the likely culprit!

mcpherrinm · June 25, 2022, 6:07pm

The binary is called lego, but it sets its user-agent to lego-cli: lego/setup.go at 88a2bab2d9a7502bc7cd9e983fcf42499c8c2906 · go-acme/lego · GitHub

Osiris · June 25, 2022, 9:21pm

Aha, then I made an erroneous assumption..

system · July 27, 2022, 6:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

mcpherrinm · August 18, 2022, 10:08pm

Topic		Replies	Views
Acme api server failure on server-hello Help	4	455	December 26, 2020
Basic shell script to generate certificates and crontabs Help	13	622	November 27, 2022
List of Client Implementations - Add client	10	4822	August 23, 2016
[Want feedback] Docker service for issuance with load balancer Help	0	1223	January 2, 2016
Server has wrong time/date Help	7	927	December 17, 2019

Brief overloads at midnight UTC (a request for help!)

Related topics