Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Ubuntu 18.04 LTS
My hosting provider, if applicable, is: Rackspace
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0
Whenever I run: certbot renew --dry-run my websites are loading very very slowly during the process. As soon as certbot completes, everything goes back to normal. Why is certbot slowing things down so much? I have 250+ certificates on this server, so I can't have this happening every time certbot tries to run renewals.
No, the system is not running low on any resources during the process. How would I tell what type of certificates are being used? Letsencrypt R3 I believe
Please show the upper part of top
something like this:
If you haven't made any changes to specifically request a type of cert, then the default cert type should be in use: RSA 2048 bit
[this can be "reduced" in size but we need to first better understand why the problem is happening]
Well, if you have 250+ certificates and you're running certbot renew --dry-run, it'll renew 250+ certificates during that single run! And with every certificate, it'll reload (i.e., gracefully restart) Apache multiple times: one time to load the challenge, one time to unload the challenge and before version 1.16.0 (so not applicable for you) even reload a third time to "install" the new cert! (Which isn't applicable for dry-runs obviously.)
So that's 500 reloads (graceful restarts) of Apache per single dry-run!
Question: why is this an issue for regular renewals? Usually certbot renew --dry-run is only used for debugging and testing purposes, not for your everyday renewals. And if you're debugging/testing, you could always choose a certificate to debug/test with certbot renew --dry-run --cert-name ${certificate_name}.
Regular renewals should just run certbot renew where certbot will leave every certificate alone not requiring a renewal and only reload Apache twice per actual renewal.
And also: yes, I think the Apache authenticator is probably the culprit here and perhaps moving to the webroot authenticator might speed things up. Although I'm not sure what you're actually trying to fix here.
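As an added example (not code from this thread or from Certbot), a small POSIX shell script that checks which lineages under a live directory fall inside certbot's default 30-day renewal window and compares the Apache reloads a plain certbot renew would cause against a --dry-run. It assumes certbot's default renew_before_expiry of 30 days, the two reloads per processed certificate described above, and a layout like /etc/letsencrypt/live/<name>/cert.pem; the directory path is a parameter, not a fixed value.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes certbot's default 30-day
# renewal window and two Apache reloads per certificate processed by the
# Apache authenticator (one to load the challenge, one to unload it).
RENEW_WINDOW_DAYS=30
RELOADS_PER_CERT=2

# cert_due_for_renewal CERT_PEM -> exit 0 if certbot renew would touch it now
cert_due_for_renewal() {
    secs=$((RENEW_WINDOW_DAYS * 86400))
    # openssl -checkend exits 1 when the certificate expires within SECS
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# count_due LIVE_DIR -> prints "<due> <total>" for <LIVE_DIR>/*/cert.pem
count_due() {
    due=0; total=0
    for pem in "$1"/*/cert.pem; do
        [ -f "$pem" ] || continue
        total=$((total + 1))
        if cert_due_for_renewal "$pem"; then
            due=$((due + 1))
        fi
    done
    echo "$due $total"
}

# expected_reloads DUE TOTAL -> prints "renew=<n> dry-run=<m>"
# A real renew only processes certificates inside the window; a dry-run
# processes every lineage, so the reload count scales with the total.
expected_reloads() {
    echo "renew=$(( $1 * RELOADS_PER_CERT )) dry-run=$(( $2 * RELOADS_PER_CERT ))"
}

# Usage: sh this.sh [LIVE_DIR]   (defaults to /etc/letsencrypt/live)
if [ "${0##*/}" != "sh" ] && [ "$#" -ge 0 ] && [ -d "${1:-/etc/letsencrypt/live}" ]; then
    set -- $(count_due "${1:-/etc/letsencrypt/live}")
    echo "certificates due for renewal: $1 of $2"
    expected_reloads "$1" "$2"
fi
```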
"Regular renewals should just run certbot renew where certbot will leave every certificate alone not requiring a renewal and only reload Apache twice per actual renewal"
So the auto renew for certbot only renews certificates that are near to expiring, correct?