timkou
July 26, 2018, 6:29pm
1
We are producing multiple certificates on the same IP and having trouble with the following:
The more certificates we produce, the higher the server load and the longer the time to produce a certificate.
It currently takes about an hour to make certificates for 100 domains; half of them are www.
Is anyone else experiencing this issue and is the number of certificates produced the cause of server load?
Any help or articles anyone can point me to would be great.
thanks
Could you give us more information about your environment and how you’re going about issuing these certificates?
2 Likes
Hi @timkou
how do you create these certificates?
Domain 1 - Order, Challenge, Certificate request, Download - then domain 2
Or
All orders, then all challenges, then all certificate requests, then all downloads?
Which client do you use? Perhaps the client scans the local information and needs more time?
timkou
July 27, 2018, 10:09am
4
We use the following:
certbot 0.26.1
/root/certbot-auto --quiet --nginx --redirect --allow-subset-of-names -w /home/thedomains/application/current/web/ -d 100 domain names
timkou
July 27, 2018, 5:14pm
5
We use the following:
certbot 0.26.1
/root/certbot-auto --quiet --nginx --redirect --allow-subset-of-names -w /home/thedomains/application/current/web/ -d 100 domain names
Looks like certbot isn't very efficient handling 50 - 100 domain names. Normally, 100 domain names should need 100 * time of one domain. Or one configuration file is too big and the parsing is not very good.
But this is a question the certbot engineers may have a look at - @schoen
schoen
July 28, 2018, 2:39am
7
Sorry, are you putting 100 names in one certificate, or one name apiece in 100 certificates?
timkou
July 30, 2018, 1:27pm
8
@schoen we are putting 100 names per certificate.
Thanks for your help. Please advise.
schoen
July 30, 2018, 5:19pm
9
Could you post the log file from /var/log/letsencrypt for one of the times that you obtained a certificate?
timkou
July 31, 2018, 1:36pm
10
@schoen please find the log
letsencryptlog.txt (765.1 KB)
schoen
July 31, 2018, 5:13pm
11
I’m not sure this is the right log, since this log covers only about 1 minute in time, doesn’t show any certificate requests happening, and shows an interrupted Certbot run. I was hoping to see the entire log for a time when 100 certificates were successfully obtained.
timkou
August 1, 2018, 10:32am
12
@schoen please see the attached log files
letsencrypt.139.txt (1023.7 KB)
letsencrypt.138.txt (996.8 KB)
thank you
schoen
August 1, 2018, 5:24pm
13
Thanks, but those log files only contain events from 2018-07-24 07:02:12,261 to 2018-07-24 07:03:59,247, a range of less than two minutes in all. That still doesn’t seem to reflect the huge time lapse that you’re talking about.
timkou
August 2, 2018, 1:37pm
14
@schoen Thank you for your input. Attached please find .zip file. Hopefully this will provide the details needed for you to analyze. The data is in a .zip file that I have uploaded to the following google drive link:
https://drive.google.com/drive/folders/1DJo34HuqCbihxCTKlC8KDs1Z_7wkuOAd?usp=sharing
Looking forward to hearing from you.
I appreciate your help and patience.
timkou
August 6, 2018, 10:12pm
15
@schoen Have you had the opportunity to review the files I sent you?
regards
tim
schoen
August 10, 2018, 12:47am
16
Hi @timkou, I’m sorry, but I haven’t yet! I hope I’ll be able to take a look at them tomorrow.
@mnordhoff wrote:
I made Certbot issue a certificate for 100 names. It took 43 seconds. (I used certonly --webroot.)
So it's a special problem.
timkou
August 10, 2018, 5:32pm
18
@JuergenAuer can you please share what your server HW configuration is?
I don't use Certbot. I use a Windows-2012 - server + own Letsencrypt-client.
schoen
August 10, 2018, 7:24pm
20
The person who got the fast issuance time in the other thread was @mnordhoff.