Certbot certificates takes ages

hi,

hope I'm in the right category.

if I use the command:
certbot certificates
I get the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: mail.mididoc.com
Domains: mail.mididoc.com
Expiry Date: 2019-06-30 18:43:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.mididoc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mididoc.com/privkey.pem

between "Saving debug log" and the expiry output it takes 4 minutes.

what am I doing wrong?
thanks for your assistance

cheers mike

Can you post /var/log/letsencrypt/letsencrypt.log?

hi mnordhoff, thanks for answering.

I rotated the old log so you see just the current one after the command certbot certificates:
log was created then at 18h27
cert information appeared at 18h32

I could not upload the file, because I was told I'm new,
so here is the content:

2019-04-02 18:27:48,871:DEBUG:certbot.main:certbot version: 0.28.0
2019-04-02 18:27:48,874:DEBUG:certbot.main:Arguments:
2019-04-02 18:27:48,876:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-04-02 18:27:48,906:DEBUG:certbot.log:Root logging level set at 20
2019-04-02 18:27:48,909:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-04-02 18:27:49,012:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/mail.mididoc.com/cert.pem
2019-04-02 18:27:49,013:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/mail.mididoc.com/chain.pem -cert /etc/letsencrypt/live/mail.mididoc.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/mail.mididoc.com/chain.pem -verify_other /etc/letsencrypt/live/mail.mididoc.com/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org

hope this helps

cheers mike

It seems likely that the connection to http://ocsp.int-x3.letsencrypt.org/ is slow or failing.

(I don’t know if Certbot shows an error if it fails entirely?)

What does “curl -v http://ocsp.int-x3.letsencrypt.org/” show?

It gets logged in /var/log/letsencrypt but it doesn't get displayed to the console unless you're running with greater verbosity.

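The diagnosis above comes from spotting where the log goes silent: the last entry is the OCSP query and nothing follows it for minutes. As an added example (not part of the thread or of Certbot itself), this script turns that reading into a check: it parses Certbot's debug-log format, measures gaps between consecutive entries, and attributes each long gap to the step that was running. The sample log and the 18:32 finish time are constructed from the timestamps quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# One certbot log entry: "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:logger.name:message"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}):(\w+):([\w.]+):(.*)$")

# Constructed sample: the entries quoted in the thread (openssl arguments
# shortened). Nothing follows the OCSP query, which is what a stall looks like.
SAMPLE_LOG = """\
2019-04-02 18:27:48,871:DEBUG:certbot.main:certbot version: 0.28.0
2019-04-02 18:27:48,874:DEBUG:certbot.main:Arguments:
2019-04-02 18:27:48,909:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-04-02 18:27:49,012:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/mail.mididoc.com/cert.pem
2019-04-02 18:27:49,013:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org
"""
# Constructed: the moment the command finally printed (the poster said 18h32).
SAMPLE_FINISHED_AT = datetime(2019, 4, 2, 18, 32, 0)

def parse_line(line):
    """Return (timestamp, level, logger, message) for a log entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts + timedelta(milliseconds=int(m.group(2))), m.group(3), m.group(4), m.group(5)

def find_stalls(log_text, finished_at=None, threshold=timedelta(seconds=10)):
    """Report silent gaps longer than `threshold` between consecutive entries.
    Each gap is attributed to the entry *before* it, i.e. the step certbot was
    still running while the log stayed quiet. `finished_at` (when the command
    returned) lets a silent tail of the log be measured as well."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    stalls = []

    def check(prev, later_ts):
        gap = later_ts - prev[0]
        if gap > threshold:
            stalls.append({"seconds": gap.total_seconds(),
                           "logger": prev[2], "message": prev[3]})

    for prev, nxt in zip(entries, entries[1:]):
        check(prev, nxt[0])
    if finished_at is not None and entries:
        check(entries[-1], finished_at)
    return stalls

if __name__ == "__main__":
    for s in find_stalls(SAMPLE_LOG, SAMPLE_FINISHED_AT):
        print(f"{s['seconds']:.0f}s silent after [{s['logger']}] {s['message']}")
```

On a real machine, feed it the contents of /var/log/letsencrypt/letsencrypt.log and the time the command returned; a gap attributed to certbot.ocsp points at the OCSP responder connection, as in this thread.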

input:
curl -v http://ocsp.int-x3.letsencrypt.org/

the output to the command is:
-bash: curl: command not found

cheers mike

I have posted the whole content of the log,
there was no error written in it.

cheers mike

hi again,

I installed curl.
so I can now post the output for:
curl -v http://ocsp.int-x3.letsencrypt.org

output:

*   Trying 2a02:26f0:1c00::210:3d18...
* TCP_NODELAY set
*   Trying 2.16.186.11...
* TCP_NODELAY set
* Connected to ocsp.int-x3.letsencrypt.org (2.16.186.11) port 80 (#0)
> GET / HTTP/1.1
> Host: ocsp.int-x3.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 0
< Cache-Control: max-age=26172
< Expires: Thu, 04 Apr 2019 01:10:36 GMT
< Date: Wed, 03 Apr 2019 17:54:24 GMT
< Connection: keep-alive
<

hope this helps.

cheers mike

It seems it tries to use IPv6, this fails for some reason, and then it successfully uses IPv4.

Try:

curl -6v http://ocsp.int-x3.letsencrypt.org/

If it fails, what error does it show?

And:

curl -4v http://ocsp.int-x3.letsencrypt.org/

Is it fast?

There might be a routing problem affecting IPv6 connectivity between your computer and the OCSP CDN.

Or the computer might be misconfigured, if it thinks it has IPv6 connectivity, but it's not working.

On the other hand, last I looked, openssl ocsp didn't support IPv6 at all...


hi mnordhoff,

thanks for your idea.
indeed it was an IPv6 issue.
my server is not configured to accept IPv6 for Apache.
so ip6tables blocked port 80 on IPv6.
I have opened this port for IPv6 and the problem is gone.

thanks a lot.

BTW
does this also affect the certificate renew procedure?
is this also handled over IPv6?

if so, is this only handled on port 80?

thanks for more details on which ports must be open for which IP version.

thanks in advance

cheers mike

When issuing certificates, Certbot makes outbound HTTPS connections to the CA's ACME API servers. For Let's Encrypt, that includes but is not limited to https://acme-v02.api.letsencrypt.org/, which uses port 443 and currently supports IPv6.

To validate your domain, when you're using HTTP-01 validation, the CA's validation servers make inbound connections to port 80 (and Let's Encrypt supports redirecting to port 443). Let's Encrypt's validation servers do support IPv6, and use whatever IP address(es) are in your DNS records.


thanks a lot for the info.
so, if I open ports 80 and 443 in the firewall (both for IPv6) I'm ok, right?

cheers mike
