Certbot renew causing apache to respond very slowly

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: azvet.com

I ran this command: certbot renew --dry-run

It produced this output: normal output

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Rackspace

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

Whenever I run: certbot renew --dry-run my websites are loading very very slowly during the process. As soon as certbot completes, everything goes back to normal. Why is certbot slowing things down so much? I have 250+ certificates on this server, so I can't have this happening every time certbot tries to run renewals.

1 Like

Is the system running low on any resources?
Which type of certificates are being used?

1 Like

No the system is not running low on any resources during the process. How would I tell what type of certificates are being used? Letsencrypt R3 I believe

1 Like

Please show the upper part of top
something like this:

If you haven't made any changes to specifically request a type of cert, then the default cert type should be in use: RSA 2048 bit
[this can be "reduced" in size but we need to first better understand why the problem is happening]

1 Like

I'm running: certbot renew --dry-run

and here is output of top:

My server has 16 CPU cores.

I haven't made any changes to request a type of certificate, so I'm assuming it is the default. I haven't made any changes to certbot defaults.

2 Likes

I'm using apache as an authenticator ... I wonder if this is why the apache server is responding so slowly during the renewal process?

I recently removed certbot-auto and am now using certbot via snapd.

I used to update my certificates like this:

./certbot-auto renew --apache

and it ran PERFECTLY. No issues with sites timing out and taking 5-10 seconds to load during the renewal process.

Now if I run either:

certbot renew --apache

or just:

certbot renew

I have the issue. Sites are loading unbelievably slow while it is running.

1 Like

Well, if you have 250+ certificates and you're running certbot renew --dry-run, it'll renew 250+ certificates during that single run! And with every certificate, it'll reload (i.e., gracefully restart) Apache multiple times: one time to load the challenge, one time to unload the challenge and before version 1.16.0 (so not applicable for you) even reload a third time to "install" the new cert! (Which isn't applicable for dry-runs obviously..)

So that's 500 reloads (graceful restarts) of Apache per single dry-run!

Question: why is this an issue for regular renewals? Usually certbot renew --dry-run is only used for debugging and testing purposes, not for your everyday renewals. And if you're debugging/testing, you could always choose a certificate to debug/test with certbot renew --dry-run --cert-name ${certificate_name}.

Regular renewals should just run certbot renew where certbot will leave every certificate alone not requiring a renewal and only reload Apache twice per actual renewal.

And also: yes, I think the Apache authenticator is probably the culprit here and perhaps moving to the webroot authenticator might speed things up. Although I'm not sure what you're actually trying to fix here.

2 Likes
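An added illustration of the reload arithmetic in the answer above (example code, not from the thread or the Certbot project): it parses a constructed sample of `certbot certificates` output and counts the Apache reloads a plain `certbot renew` versus `certbot renew --dry-run` would trigger, assuming two reloads per processed certificate (certbot 1.16+ with the apache authenticator) and certbot's default 30-day renewal window.

```python
"""Estimate Apache reloads caused by certbot renew vs. renew --dry-run.
Added example; parses the text format of `certbot certificates`.
Model from the thread: 2 reloads per processed cert (challenge on, challenge off)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `certbot certificates` output (not real data).
SAMPLE = """Found the following certs:
  Certificate Name: site-a.example
    Expiry Date: 2021-07-20 10:00:00+00:00 (VALID: 9 days)
  Certificate Name: site-b.example
    Expiry Date: 2021-09-15 10:00:00+00:00 (VALID: 66 days)
  Certificate Name: site-c.example
    Expiry Date: 2021-08-05 10:00:00+00:00 (VALID: 25 days)
"""

RELOADS_PER_CERT = 2               # challenge deployed, then removed (certbot >= 1.16)
RENEW_WINDOW = timedelta(days=30)  # certbot's default renew_before_expiry
NOW = datetime(2021, 7, 11, 10, 0, tzinfo=timezone.utc)  # constructed "today"

def parse_certificates(text):
    """Return {cert_name: expiry_datetime} parsed from `certbot certificates` output."""
    certs, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Expiry Date:\s*(\S+ \S+)", line)
        if m and name:
            certs[name] = datetime.fromisoformat(m.group(1))
    return certs

def due_for_renewal(certs, now):
    """Names a plain `certbot renew` would actually renew: expiring within the window."""
    return sorted(n for n, exp in certs.items() if exp - now <= RENEW_WINDOW)

def reload_estimate(certs, now, dry_run=False):
    """Apache reloads for one run: every cert under --dry-run, otherwise only due ones."""
    processed = len(certs) if dry_run else len(due_for_renewal(certs, now))
    return processed * RELOADS_PER_CERT

if __name__ == "__main__":
    certs = parse_certificates(SAMPLE)
    print("due for renewal:", due_for_renewal(certs, NOW))
    print("reloads (certbot renew):", reload_estimate(certs, NOW))
    print("reloads (certbot renew --dry-run):", reload_estimate(certs, NOW, dry_run=True))
```

With 250+ certificates the dry-run figure scales to the 500 reloads mentioned above, while the plain renew figure depends only on how many certificates are inside the window that day.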

Things to... think about:

  • do you really need Apache?
  • can you add more threads/cores to Apache?
  • can you use certbot with --webroot authentication?
  • can you combine your certs (to bring 250+ down to a much smaller number)?
  • can you try another ACME client?
1 Like

Or just don't run certbot renew --dry-run in this setup if it isn't necessary..

2 Likes

"Regular renewals should just run certbot renew where certbot will leave every certificate alone not requiring a renewal and only reload Apache twice per actual renewal"

So the auto renew for certbot only renews certificates that are near to expiring, correct?

2 Likes

Correct.

1 Like

Correct, but adding --dry-run to the renew command will do a renewal test run for all certificates.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.