Does the number of domains hosted affect the performance of Certbot

Our app lets users use their own domain. However, we still set up virtual hosts and install SSL certificates manually.

Right now we serve about 600 domains. We plan to double that in the next 6 months.

Over time running Certbot has become increasingly slow. I can spend up to 30 minutes waiting for the debug log to be saved.

Apparently auto-renewal is taking a lot of time also.

When I try to manually install or renew a certificate, I constantly get the “Another instance of Certbot is already running.” message. After running grep I got 5 or 6 Certbot instances running at the same time.

Killing those instances causes some certificates not to be renewed, which I later need to renew manually.

We are using Apache 2.4.7, Ubuntu 14.04 on a 4 vCPU server with 8 GB RAM. Certbot version 0.39.0.

Does the number of domains hosted affect the performance of Certbot? Will it get slower as we add more domains?

Do you think upgrading to a newer version of Ubuntu will help?

Can we use a different machine to generate or renew certificates?

Is there any service we can use to delegate certificates generation and installation?

All ideas are welcome.

My domain is: mitienda.pe

I ran this command: certbot-auto

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

My web server is (include version): Apache 2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.39.0

1 Like

Hi @carlosvidal

There were older topics with the same problem.

Main result: --apache or --nginx is slow; --webroot doesn’t parse the config files, so it is much better.

So, if possible, switch to the webroot authenticator.

PS: I don’t understand that:

Why are there multiple Certbot instances?

2 Likes

Hi Jurgen, thanks for your quick response.

I guess it is because we are running so many domains, and probably several need to be renewed the same day via a cron job. And because it takes so much time to renew, when I try to do it manually, there are other instances already running.

Not sure if it makes sense.

1 Like

That sounds buggy.

Do you have one Certbot installed?

Is there only one cron job? Or are there multiple cron jobs? -> That’s bad.

So multiple instances running in parallel should never happen.

Certbot checks all certificates to see if a renewal is required. But that must crash if you have multiple cron jobs.

1 Like

I think there could be more than one. In the past, when I ran into trouble, I tried reinstalling Certbot.

When I try to locate certbot-auto, I get

/root/certbot-auto.1
/root/certbot-auto.2
/usr/local/bin/certbot-auto

In my crontab I have

#0 4 * * * /root/certbot-auto renew --quiet --no-self-upgrade
0 4 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

Notice that the first line is commented, so maybe it refers to a previous installation.

1 Like

Are some of those domains using --nginx or --apache for their renewals?

You can check quickly with a command like

sudo grep -r authenticator /etc/letsencrypt/renewal

1 Like

Only Apache and webroot.

1 Like

Cool, so the problem mentioned by @JuergenAuer is that Certbot may parse your entire sitewide Apache configuration every time it needs to renew any of these certificates. (It does not only parse the portion related to that certificate, but parses everything.) As your Apache configuration is probably now very large, this can take a lot of time. This is a way in which Certbot’s performance doesn’t scale very well—it would be better if Certbot could parse the Apache configuration at most once per run.

If you’re able to switch these over to using webroot instead of apache for the authenticator, that could improve the renewal performance, as @JuergenAuer described. (You would have to specify, in each case, where a webroot directory is that Certbot could use for creating Let’s Encrypt challenge files for each individual domain.)

2 Likes

Hi Shoen, thanks for answering.

This is a white-label app. All domains use the same directory. Would this be a problem?

Can we switch to --webroot just by changing the cron directive?

For example:

0 4 * * * /usr/local/bin/certbot-auto --webroot /var/www/myapp renew --quiet --no-self-upgrade

Can you please help me a little more on how to do the switch?

Maybe running this for every domain?

sudo /usr/local/bin/certbot-auto --webroot -i apache -w /var/www/myapp -d mydomain.com

1 Like

I think that would work. You may want -a webroot -i apache instead of --webroot -i apache in order to be more explicit.

The advantage of this over trying to manually edit /etc/letsencrypt/renewal files is that you can see whether or not each one worked (and only the ones that work will be changed).

2 Likes
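An added example, not code from the thread's participants or the Certbot project: it counts renewal configs per authenticator and prints, for review, one reissue command per lineage still on apache, in the form suggested above. The function names are hypothetical, and it assumes each lineage covers exactly the name in its .conf filename; /var/www/myapp and /usr/local/bin/certbot-auto are the paths used in the thread.

```shell
#!/bin/sh
# Added example: plan the apache -> webroot switch from Certbot renewal configs.
# Assumptions (not from the thread): each lineage covers exactly the name in
# its .conf filename; WEBROOT and CERTBOT default to the paths in the thread.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
WEBROOT="${WEBROOT:-/var/www/myapp}"
CERTBOT="${CERTBOT:-/usr/local/bin/certbot-auto}"

# Print the authenticator set in one renewal config (empty if none is set).
# Commented lines are skipped; the first "authenticator = value" line wins.
authenticator_of() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*authenticator[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); print $2; exit
        }' "$1"
}

# List lineage names (filename minus .conf) whose authenticator equals $1.
lineages_using() {
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        if [ "$(authenticator_of "$conf")" = "$1" ]; then
            basename "$conf" .conf
        fi
    done
}

# Number of lineages whose authenticator equals $1.
count_using() {
    lineages_using "$1" | wc -l | tr -d ' '
}

# Print one reissue command per apache lineage. Nothing is executed.
# Names ending in -NNNN are duplicate lineages; they are flagged for manual
# review instead of being given a command.
migration_plan() {
    lineages_using apache | while IFS= read -r name; do
        case "$name" in
            *-[0-9][0-9][0-9][0-9])
                echo "# REVIEW duplicate lineage: $name" ;;
            *)
                echo "$CERTBOT -a webroot -i apache -w $WEBROOT -d $name" ;;
        esac
    done
}

# Usage: sh plan.sh plan   (prints counts and the command list)
if [ "${1:-}" = "plan" ]; then
    echo "# apache: $(count_using apache)  webroot: $(count_using webroot)"
    migration_plan
fi
```

Running the printed commands one at a time shows which lineages switched successfully, which is the advantage over editing the renewal files by hand that the reply above points out.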

There are two different problems.

  • Switch to webroot, which has better performance.
  • Second problem: Why are there multiple Certbots running?

Do you have an additional systemd definition?

If you are not sure whether or not your system has this already automated, refer to your distribution’s documentation, or check your system’s crontab (typically in /etc/crontab/ and /etc/cron.*/*) and systemd timers (systemctl list-timers).

And later:

Lock files:

When processing a validation Certbot writes a number of lock files on your system to prevent multiple instances from overwriting each other’s changes. This means that by default two instances of Certbot will not be able to run in parallel.

So if you see multiple instances, that sounds like a bug.

1 Like

I found /etc/cron.d/certbot containing this

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

Does this mean I don’t need my own crontab settings?

Right now I have multiple instances running.

root      7481  7480  0 04:00 ?        00:00:00 /bin/sh -c /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade
root      7482  7481  0 04:00 ?        00:00:00 /bin/sh /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade
root      7495  7482  0 04:00 ?        00:00:00 /bin/sh /usr/local/bin/certbot-auto --cb-auto-has-root --le-auto-phase2 renew --quiet --no-self-upgrade
root      7511  7495 98 04:00 ?        03:42:09 /opt/eff.org/certbot/venv/bin/python /opt/eff.org/certbot/venv/bin/letsencrypt renew --quiet --no-self-upgrade
root     12011 11460  0 07:46 pts/1    00:00:00 grep --color=auto certb
1 Like

There you see a lot of problems. Three from /usr/local/bin with 2 different command lines, one from /opt/eff.org.

Only one instance should run.

1 Like

14.04?

Are you getting Extended Security Maintenance from Ubuntu? Does it include updates to Certbot?

I believe certbot-auto dropped official support for 14.04 after Ubuntu’s standard support for it ended. It might still work for now, but I don’t think it’s guaranteed to keep working.

Well, that looks like it was installed by a certbot deb package, and it’s probably executing /usr/bin/certbot instead of your certbot-auto installation.

And a newer version would probably change 3600 to 43200 so that it runs at more random times of the day.

What version of Certbot is /usr/bin/certbot?

That’s actually just one instance of Certbot. certbot-auto’s startup process is complicated, so there is more than one process, but it’s really only running once. Certbot itself is the Python process chomping alarming amounts of CPU.

3 Likes

Unless certbot is taking more than 24 hours to complete and thus starts a new session the following day that overlaps with the current one (and may slow it down too).
[over and over, day over day, …]

I don’t see why you should have to try to manually renew a cert - certbot has 30 days to complete that duty.

How is the system on resources: memory, disk, swap file?
How large is the LE log file?

1 Like

They seem very different…
You should check cron jobs for all users (not just root user).

1 Like
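An added example, not code from the thread's participants or the Certbot project: it lists every active cron entry that launches Certbot across the system crontab, /etc/cron.d and the per-user crontabs, so that two independent renewal schedulers like the ones found in this thread stand out. The function names and the ROOT variable are hypothetical, and the paths assume the Debian/Ubuntu cron layout.

```shell
#!/bin/sh
# Added example: find every active cron entry that launches Certbot.
# Assumptions (not from the thread): Debian/Ubuntu cron layout; ROOT may point
# at a copy of the filesystem and defaults to the live system. Run as root so
# that the per-user crontabs are readable.

ROOT="${ROOT:-}"

# Emit "file: line" for each uncommented cron line mentioning certbot or
# letsencrypt, from the system crontab, /etc/cron.d and per-user crontabs.
certbot_cron_entries() {
    for f in "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/* \
             "$ROOT"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -E 'certbot|letsencrypt' |
            while IFS= read -r line; do
                printf '%s: %s\n' "$f" "$line"
            done
    done
}

# Number of active entries that run a renewal.
renew_job_count() {
    certbot_cron_entries | grep -c 'renew' || true
}

# Succeeds (exit status 0) when more than one scheduler entry runs "renew".
duplicate_schedulers() {
    [ "$(renew_job_count)" -gt 1 ]
}

# List systemd timers that mention certbot, on hosts that have systemd.
certbot_timers() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl list-timers --all 2>/dev/null | grep -i certbot || true
}

# Usage: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    certbot_cron_entries
    certbot_timers
    if duplicate_schedulers; then
        echo "WARNING: $(renew_job_count) cron entries run a Certbot renewal"
    fi
fi
```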
