Client takes almost one hour to create certificate


#1

Hi guys,

Over the last month letsencrypt client takes almost one hour to create a new certificate (I think I have the same behavior for renewal).

I run this command on my server : ./letsencypt-auto certonly --agree-tos --standalone -d summer-beach-party.fr
With the debug flag I noticed that time is spent at these points : “Starting new HTTPS conenction”.
My server is hosted at online.net. It is configured to run over ipv4 and ipv6.

If you need more information I can provide them.

Thanks


#2

Here is my letsencrypt.log : https://gist.github.com/kevinleturc/9ae66295a364350f9c11


#3

I’ve seen similar behaviour in the past (not specifically with letsencrypt) with servers that had IPv6 configured but not properly working, i.e. traffic being blocked by a firewall, etc. Maybe the client waits for a timeout and then falls back to IPv4. Can you confirm that something like

wget -6 https://google.com/

is working?


#4

Hi,

Indeed I can’t establish a connection with google.com over IPv6. I though it worked cause I can ping my server over IPv6 from extern.

I just run again the client, and it’s really fast now. Thanks a lot for your help.

@jsha, is it possible to add a WARN message to prevent this kind of issues ?

Again, thanks a lot guys.


#5

Possibly! I’d suggest filing an issue at https://github.com/letsencrypt/letsencrypt/. It probably doesn’t make sense to try and specifically detect IPv6 issues in the client, but there should probably be a timeout when making connections to the ACME server. The error message for those timeouts could suggest something like “please check the connectivity from your server to the outside Internet.”