Generating certs using dns-linode plugin is extremely slow

It seems to be working, but each time it initiates a new https connection to api.linode.com certbot will hang for 393 seconds prior to the next log entry.

To see if the issue may be in the linode side, I hit api.linode.com with curl to retrieve the domain list (curl -H "Authorization: Bearer $TOKEN" https://api.linode.com/v4/domains) and received an immediate response. So the fault does not seem to be with the linode servers.

My domain is:
notthisone.net seanmb.com

I ran this command:
certbot certonly --dns-linode \
  --dns-linode-credentials ~/.secrets/certbot/linode.ini \
  --dns-linode-propagation-seconds 120 \
  -d notthisone.net -d "*.notthisone.net" \
  -d seanmb.com -d "*.seanmb.com"

It produced this output:
So far (over an hour and it has not completed):
From command line:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for notthisone.net and 3 more domains
Contents of /var/log/letsencrypt/letsencrypt.log
root@main:/etc/nginx/conf.d# tail -f /var/log/letsencrypt/letsencrypt.log
]
}
2022-11-28 05:31:33,707:DEBUG:acme.client:Storing nonce: 891Fq2BnDrDjgF8D-pxkRQJl2bHnzWOPPS_k5UVcgEFaHdk
2022-11-28 05:31:33,707:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-11-28 05:31:33,707:INFO:certbot._internal.auth_handler:dns-01 challenge for notthisone.net
2022-11-28 05:31:33,707:INFO:certbot._internal.auth_handler:dns-01 challenge for seanmb.com
2022-11-28 05:31:33,708:INFO:certbot._internal.auth_handler:dns-01 challenge for notthisone.net
2022-11-28 05:31:33,708:INFO:certbot._internal.auth_handler:dns-01 challenge for seanmb.com
2022-11-28 05:31:33,708:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: /root/.secrets/certbot/linode.ini
2022-11-28 05:31:33,711:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 05:38:06,028:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains HTTP/1.1" 200 408
2022-11-28 05:38:06,031:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 05:44:39,242:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains/10793/records HTTP/1.1" 200 1012
2022-11-28 05:44:39,243:DEBUG:lexicon.providers.linode4:list_records:
2022-11-28 05:44:39,244:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 05:51:12,514:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "POST /v4/domains/10793/records HTTP/1.1" 200 284
2022-11-28 05:51:12,523:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 05:57:45,674:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains HTTP/1.1" 200 392
2022-11-28 05:57:45,676:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:04:18,887:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains/744840/records HTTP/1.1" 200 1016
2022-11-28 06:04:18,889:DEBUG:lexicon.providers.linode4:list_records:
2022-11-28 06:04:18,891:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:10:52,152:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "POST /v4/domains/744840/records HTTP/1.1" 200 284
2022-11-28 06:10:52,155:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:17:25,324:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains HTTP/1.1" 200 408
2022-11-28 06:17:25,326:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:23:58,532:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains/10793/records HTTP/1.1" 200 None
2022-11-28 06:23:58,534:DEBUG:lexicon.providers.linode4:list_records:
2022-11-28 06:23:58,535:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:30:31,822:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "POST /v4/domains/10793/records HTTP/1.1" 200 284
2022-11-28 06:30:31,828:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:37:04,974:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains HTTP/1.1" 200 392
2022-11-28 06:37:04,977:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443
2022-11-28 06:43:38,180:DEBUG:urllib3.connectionpool:https://api.linode.com:443 "GET /v4/domains/744840/records HTTP/1.1" 200 None
2022-11-28 06:43:38,181:DEBUG:lexicon.providers.linode4:list_records:
2022-11-28 06:43:38,182:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.linode.com:443

My web server is (include version):
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1n 15 Mar 2022

The operating system my web server runs on is (include version):
Debian 10

My hosting provider, if applicable, is:
linode (VPS)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.0
Plugin: certbot-dns-linode 2.1.0

Hi @seanmb0, and welcome to the LE community forum 🙂

How was that installed?

2 Likes

I think this is likely to be some networking quirk (DNS, IPv6, etc) on the machine that is interacting poorly with the absence of timeouts in the Lexicon library.

If you put api.linode.com into /etc/hosts with one of its IPv4 addresses, does that speed things up again?

If not, does this run quickly or slowly?

cat <<EOF | python3
from urllib3.util import connection
import requests
orig = connection.create_connection
connection.create_connection = lambda _, *args, **kwargs: orig(("69.164.200.203", "443"), *args, **kwargs)
print(requests.request("GET", "https://api.linode.com/v4/", timeout=10))
EOF
3 Likes
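The reply above suspects a stack where IPv6 is enabled but not working, so every new HTTPS connection stalls on the AAAA address until the kernel gives up and only then falls back to IPv4, with Lexicon setting no timeout to cut that short. The script below is an added example, not code from the thread, from Certbot or from Lexicon. It resolves a hostname the way a client would, probes each returned address with a bounded connect timeout, and classifies the outcome, so a practitioner can confirm a broken-IPv6 diagnosis in seconds rather than minutes. The default host api.linode.com and the IPv4 address 69.164.200.203 come from the thread; the `connect` parameter is injectable so the classification logic can be exercised with a simulated network, and any IPv6 literal used for that is a constructed documentation address.

```python
"""Probe every address a hostname resolves to with a bounded connect timeout.

Added example, not from the original thread, Certbot or Lexicon. It mirrors
the diagnosis in the reply: on a dual-stack host with IPv6 that does not
actually route, each HTTPS connection waits out the IPv6 attempt before the
IPv4 fallback succeeds. Probing each address separately, with a hard timeout,
makes that visible without waiting minutes per request.
"""
import socket
import time


def resolve_all(host, port=443):
    """Return (family_name, ip, port) for each address getaddrinfo yields.

    The order is the order a client such as urllib3 would try them in; on a
    dual-stack host the AAAA records normally come first.
    """
    seen = []
    for family, _stype, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        entry = (name, sockaddr[0], sockaddr[1])
        if entry not in seen:
            seen.append(entry)
    return seen


def probe_addresses(addrs, timeout=5.0, connect=socket.create_connection):
    """Attempt a TCP connect to each (family, ip, port) with a hard timeout.

    `connect` is injectable (assumption for testing) so the logic can run
    without a network. Returns one dict per address with the outcome.
    """
    results = []
    for family, ip, port in addrs:
        started = time.monotonic()
        try:
            sock = connect((ip, port), timeout=timeout)
            sock.close()
            outcome = "ok"
        except (socket.timeout, TimeoutError):
            outcome = "timeout"
        except OSError as exc:  # e.g. "Network is unreachable"
            outcome = "error: %s" % exc
        results.append({
            "family": family,
            "address": ip,
            "outcome": outcome,
            "seconds": round(time.monotonic() - started, 3),
        })
    return results


def diagnose(results):
    """Classify probe results.

    'broken-ipv6': every IPv6 attempt failed or timed out while at least one
                   IPv4 attempt succeeded (the situation in the thread).
    'ok':          the first address a client would try connected.
    'partial':     something connected, but not the first address tried.
    'unreachable': nothing connected.
    """
    by_family = {"IPv4": [], "IPv6": []}
    for r in results:
        by_family[r["family"]].append(r["outcome"] == "ok")
    v6, v4 = by_family["IPv6"], by_family["IPv4"]
    if v6 and not any(v6) and any(v4):
        return "broken-ipv6"
    if results and results[0]["outcome"] == "ok":
        return "ok"
    if any(v4) or any(v6):
        return "partial"
    return "unreachable"


def first_working_address(results):
    """Return the first address that connected, or None.

    This is the value one would pin in /etc/hosts as the thread's workaround.
    """
    for r in results:
        if r["outcome"] == "ok":
            return r["address"]
    return None


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "api.linode.com"
    res = probe_addresses(resolve_all(host))
    for r in res:
        print("%-4s %-40s %-9s %.3fs"
              % (r["family"], r["address"], r["outcome"], r["seconds"]))
    print("diagnosis:", diagnose(res))
```

Run it as `python3 probe.py api.linode.com` on the affected machine: a `timeout` on every IPv6 row followed by `ok` on an IPv4 row is the broken-IPv6 signature, and the IPv4 address it reports is the one to pin in /etc/hosts while the IPv6 configuration is fixed. Pinning an address is a workaround, not a fix: the underlying problem is that the host advertises IPv6 routes it cannot use.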

snap install certbot-dns-linode

1 Like

Entering one of the IPv4 addresses for api.linode.com into /etc/hosts made it run quickly. I specified a different domain to ensure it actually ran the dns-01 challenge for the new domain; I noticed that if I tried to re-run against a domain that was already validated, it would not trigger the challenge to run again.
Should I submit this on the certbot project's github page as an issue?
Thanks,
Sean

1 Like

Once a domain is validated, that account doesn't have to re-validate for some period of time (currently 30 days, but that value could change in the future).

4 Likes

I noticed that if I tried to re-run against a domain that was already validated, it would not trigger the challenge to run again.

Further to what Matthew said, you can use --dry-run in Certbot >=0.40.0 to force revalidation every time.

The DNS thing? I think it is likely to be an issue with your network stack. Something like: IPv6 is enabled but doesn't quite work properly.

7 Likes
