Certbot requires _lots_ of memory in Ubuntu 16.04

I’ve been using the letsencrypt package on an Ubuntu 16.04 VPS server with 1GB RAM for several months without any significant issue until now. I can’t tell exactly the point when the old ‘letsencrypt’ package started to fail, dying suddenly due to a low memory condition, but after looking for a solution here and this forum, I decided to upgrade to the new certbot package following the instructions given on certbot’s page: remove the old letsencrypt package, add the PPA and install the new certbot package. This had no effect, the problem remained the same: low memory.
The server has 1Gb and another 1Gb of swap, so I added additional swap space, but it kept failing. Another additional 2 Gb of swap did the trick and finally certbot started to run… for a long long time.

Running ‘certbot renew -vvv --no-self-upgrade’ takes over 2 hours to renew 2 certs. As seen in the log, certbot takes over 2 hours just to start parsing apache:

    2017-06-04 20:07:05,220:DEBUG:certbot.log:Root logging level set at -10
    2017-06-04 20:07:05,221:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-06-04 20:07:05,239:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-06-10 11:23:00 UTC.
    2017-06-04 20:07:05,240:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
    2017-06-04 20:07:05,240:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2017-06-04 20:07:05,852:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
    2017-06-04 22:11:38,247:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
    Description: Apache Web Server plugin - Beta
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.configurator:ApacheConfigurator
    Prep: True
    2017-06-04 22:11:38,409:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache

So now it is running, but it seems to be a very memory- and compute-demanding procedure, which doesn’t seem normal.
Sadly, there is an issue with one of the certs, so I’m not done with certbot yet, and a 2 hour run doesn’t help.
I’ve been looking for memory-related issues, but all the related posts are old, and there is no mention of long-run issues.
I really need some advice or a clue to keep going; the certs will be due in a couple of days.


certbot should not take that much memory - it definitely has a problem.
uninstall/reinstall if needed.

side note: I personally don’t use swap files - if it doesn’t fit into memory… don’t run it or get more memory - lol
to disable swapfile use

    swapoff -a;

Do you have any idea why it might take so long? Megabytes of intricate Apache configuration files? How efficiently does Apache work? How long does it take to start, for example?

Whatever the reason, you can switch to “certbot certonly --webroot” and manually configure the certificates in order to bypass Certbot’s entire Apache configuration parsing machinery. If nothing else is malfunctioning absurdly, that should be efficient again.

Hi rg305,
Not running is not a solution. I need to renew the certs asap. Adding memory and patience did the trick.
Reinstalling didn’t change the situation. In fact, I installed certbot to replace the previous letsencrypt package, which was running fine for several months until now.
The VPS has 1 Gb ram, usually it would be enough but not in this case. The swap was provided just for running certbot, then it was disabled.



swap files are less than useful for actively running programs - they do more harm than good (most of the time).

but I’m glad you got it going :)

The problem is NOT the config or something external, it is certbot. It has been running for almost a year without any issue.
Apache and the whole system work fine, there are no problems. The Apache config is really simple, just 100 lines counting extensive comments. There is no doubt that it is certbot that takes so long and eats so much memory. It looks like the new certbot uses a Python package that is responsible for downloading and compiling a large addon in the background, which previous versions used in compiled form.
Maybe someone has solved the same problem, so that is why I asked here.

@bmw, this is the thread I mentioned about Certbot using extremely large amounts of RAM. Would you like to look into it?

@carlos-mora: How many certificates do you have? You can find out by running:

    sudo find /etc/letsencrypt/archive/ -name 'cert*.pem'

Also if you tell us your domain name, we can check the certificate transparency logs for issuance information.

Hi jsha
I have 2 certificates working fine for odontoweb.fourtech.es and gestion.fourtech.es.
I put a piece of the log in the first post of the thread from a successful run, only that it took over 2 hours to run, but finally it did it.
Please note that the longest record in the log was

    2017-06-04 20:07:05,852:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
    2017-06-04 22:11:38,247:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
    Description: Apache Web Server plugin - Beta

After going through this step, things go normally, besides the almost 4 Gb of memory required to run, as seen in the first post image.

Hope it helps.
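The stall between two consecutive log records that the post above points out can be located automatically. The following is an added example, not part of the original thread or of Certbot: it parses the timestamps of a Certbot debug log (sample lines copied from the first post) and ranks steps by elapsed time; the function names are illustrative.

```python
import re
from datetime import datetime

# Certbot debug-log record: "2017-06-04 20:07:05,220:DEBUG:module:message"
RECORD_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):(\w+):([\w.]+):(.*)$"
)

# Sample input: the log excerpt from the first post of this thread.
SAMPLE_LOG = """\
2017-06-04 20:07:05,220:DEBUG:certbot.log:Root logging level set at -10
2017-06-04 20:07:05,221:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-06-04 20:07:05,239:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-06-10 11:23:00 UTC.
2017-06-04 20:07:05,240:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-06-04 20:07:05,240:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-06-04 20:07:05,852:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
2017-06-04 22:11:38,247:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Prep: True
2017-06-04 22:11:38,409:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
"""

def parse_records(text):
    """Return (timestamp, module, message) for every timestamped line.
    Continuation lines of multi-line records carry no timestamp and are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            records.append((ts, m.group(3), m.group(4).strip()))
    return records

def slowest_steps(text, top=3):
    """Rank records by the time that passed before the next record was written.
    Each result is (seconds, module, message) of the record that preceded the gap."""
    recs = parse_records(text)
    gaps = [
        ((nxt[0] - cur[0]).total_seconds(), cur[1], cur[2])
        for cur, nxt in zip(recs, recs[1:])
    ]
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

if __name__ == "__main__":
    for seconds, module, message in slowest_steps(SAMPLE_LOG):
        print(f"{seconds:10.3f}s after {module}: {message}")
```

On a real system, pass the contents of /var/log/letsencrypt/letsencrypt.log instead of `SAMPLE_LOG`.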

This is only really useful if @bmw is interested in the results, but if certbot grows very large and it’s unclear why it may be worth examining it (while running) with my leakdice program.

This program shows what is in a random block of the heap of another process, if it has grown enormously then random blocks will most likely contain whatever is using up that space. If it’s text you can read it, otherwise it will need additional insight to understand what’s in the block.


It looks like there are a normal number of renewals for those two names: https://crt.sh/?q=odontoweb.fourtech.es https://crt.sh/?q=gestion.fourtech.es, so this probably isn’t an issue with excessive renewals. Still, could you please run this command for me and post the output?

    sudo find /etc/letsencrypt/archive/ -name 'cert*.pem' | wc -l

Hi jsha,

root@Develop1:~# sudo find /etc/letsencrypt/archive/ -name cert*.pem
root@Develop1:~# sudo find /etc/letsencrypt/archive/ -name cert*.pem | wc -l

Another possibility: Even though your Apache config is small and was parsed easily by earlier versions of the configurator, it’s possible that the current Certbot has specific problems with it. Would you mind posting your Apache config, along with any files referenced by Include directives?
