Certbot certificates takes ages

hi,

hope i’m in the right category.

if i use the command:
certbot certificates
i get the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mail.mididoc.com
Domains: mail.mididoc.com
Expiry Date: 2019-06-30 18:43:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.mididoc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mididoc.com/privkey.pem


between saving debug log and the expiry output it takes 4 minutes.

what am i doing wrong?
thanks for assistance

cheers mike

Can you post /var/log/letsencrypt/letsencrypt.log?

hi mnordhoff, thanks for answering.

i rotated the old log so you see just the current one after command certbot certificates:
log was created then at 18h27
cert information appeared at 18h32

could not upload the file, cause i was told i’m new,
so here is the content:

2019-04-02 18:27:48,871:DEBUG:certbot.main:certbot version: 0.28.0
2019-04-02 18:27:48,874:DEBUG:certbot.main:Arguments:
2019-04-02 18:27:48,876:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-04-02 18:27:48,906:DEBUG:certbot.log:Root logging level set at 20
2019-04-02 18:27:48,909:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-04-02 18:27:49,012:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/mail.mididoc.com/cert.pem
2019-04-02 18:27:49,013:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/mail.mididoc.com/chain.pem -cert /etc/letsencrypt/live/mail.mididoc.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/mail.mididoc.com/chain.pem -verify_other /etc/letsencrypt/live/mail.mididoc.com/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org

hope this helps

cheers mike

It seems likely that the connection to http://ocsp.int-x3.letsencrypt.org/ is slow or failing.

(I don’t know if Certbot shows an error if it fails entirely?)

What does “curl -v http://ocsp.int-x3.letsencrypt.org/” show?

It gets logged in /var/log/letsencrypt but it doesn’t get displayed to the console unless you’re running with greater verbosity.

1 Like

input:
curl -v http://ocsp.int-x3.letsencrypt.org/

the output to the command is:
-bash: curl: command not found

cheers mike

i have posted the whole content of the log,
there was no error written in.

cheers mike

hi again,

i installed curl.
so i can post now the output for:
curl -v http://ocsp.int-x3.letsencrypt.org

output:

  • Trying 2a02:26f0:1c00::210:3d18…
  • TCP_NODELAY set
  • Trying 2.16.186.11…
  • TCP_NODELAY set
  • Connected to ocsp.int-x3.letsencrypt.org (2.16.186.11) port 80 (#0)

GET / HTTP/1.1
Host: ocsp.int-x3.letsencrypt.org
User-Agent: curl/7.52.1
Accept: /

< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 0
< Cache-Control: max-age=26172
< Expires: Thu, 04 Apr 2019 01:10:36 GMT
< Date: Wed, 03 Apr 2019 17:54:24 GMT
< Connection: keep-alive
<

hope this helps.

cheers mike

It seems it tries to use IPv6, this fails for some reason, and then it successfully uses IPv4.

Try:

curl -6v http://ocsp.int-x3.letsencrypt.org/

If it fails, what error does it show?

And:

curl -4v http://ocsp.int-x3.letsencrypt.org/

Is it fast?

There might be a routing problem affecting IPv6 connectivity between your computer and the OCSP CDN.

Or the computer might be misconfigured, if it thinks it has IPv6 connectivity, but it's not working.

On the other hand, last I looked, openssl ocsp didn't support IPv6 at all...

1 Like

hi mnordhoff,

thanks for your idea.
indeed it was a ipv6 issue.
my server is not configured to accept ipv6 for apache.
so ip6tables blocked port 80 ipv6.
i have opened this port for ipv6 and the problem is gone.

thanks lot.

BTW
does this also affect the certificate renew procedure?
is this also handled with ipv6?

if so, is this only handled on port 80?

thanks for more details, which ports on which ipformat must be open.

thanks in advance

cheers mike

When issuing certificates, Certbot makes outbound HTTPS connections to the CA's ACME API servers. For Let's Encrypt, that includes but is not limited to https://acme-v02.api.letsencrypt.org/, which uses port 443 and currently supports IPv6.

To validate your domain, when you're using HTTP-01 validation, the CA's validation servers make inbound connections to port 80 (and Let's Encrypt supports redirecting to port 443). Let's Encrypt's validation servers do support IPv6, and use whatever IP address(es) are in your DNS records.

2 Likes

thanks lot for the info.
so, if i open in firewall port 80 and 443 (both format ipv6) i’m ok, right?

cheers mike

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.