High Server Load and longer time to produce certificates


#1

We are producing multiple certificates on the same IP and having trouble with the following:

  • The more certificates we produce, the higher server load and longer time to produce a certificate
  • It currently takes about an hour to make certificates for 100 domains, half of them are www

Is anyone else experiencing this issue and is the number of certificates produced the cause of server load?

Any help or articles anyone can point me to would be great.

thanks


Performance Issue for more than 100 SAN on single certificate
#2

Could you give us more information about your environment and how you’re going about issuing these certificates?


#3

Hi @timkou

how do you create these certificates?

Domain 1 - Order, Challenge, Certificate request, Download - then domain 2

Or

All orders, then all challenges, then all certificate requests, then all downloads?

Which client do you use? Perhaps the client scans the local information and needs more time?


#4

We use the following:
certbot 0.26.1
/root/certbot-auto --quiet --nginx --redirect --allow-subset-of-names -w /home/thedomains/application/current/web/ -d 100 domain names


#6

Looks like certbot isn’t very efficient at handling 50 - 100 domain names. Normally, 100 domain names should need 100 * time of one domain. Or one configuration file is too big and the parsing is not very good.

But this is a question the certbot engineers may have a look at - @schoen


#7

Sorry, are you putting 100 names in one certificate, or one name apiece in 100 certificates?


#8

@schoen we are putting 100 names per certificate.

Thanks for your help. Please advise.


#9

Could you post the log file from /var/log/letsencrypt for one of the times that you obtained a certificate?


#10

@schoen please find the log
letsencryptlog.txt (765.1 KB)


#11

I’m not sure this is the right log, since this log covers only about 1 minute in time, doesn’t show any certificate requests happening, and shows an interrupted Certbot run. I was hoping to see the entire log for a time when 100 certificates were successfully obtained.


#12

@schoen please see the attached log files
letsencrypt.139.txt (1023.7 KB)
letsencrypt.138.txt (996.8 KB)
thank you


#13

Thanks, but those log files only contain events from 2018-07-24 07:02:12,261 to 2018-07-24 07:03:59,247, a range of less than two minutes in all. That still doesn’t seem to reflect the huge time lapse that you’re talking about.


#14

@schoen Thank you for your input. Attached please find a .zip file. Hopefully this will provide the details needed for you to analyze. The data is in a .zip file that I have uploaded to the following Google Drive link:
https://drive.google.com/drive/folders/1DJo34HuqCbihxCTKlC8KDs1Z_7wkuOAd?usp=sharing

Looking forward to hearing from you.

I appreciate your help and patience.


#15

@schoen Have you had the opportunity to review the files I sent you?
regards
tim


#16

Hi @timkou, I’m sorry, but I haven’t yet! I hope I’ll be able to take a look at them tomorrow.


#17

@mnordhoff wrote:

I made Certbot issue a certificate for 100 names. It took 43 seconds. (I used certonly --webroot .)

So it’s a special problem.


#18

@JuergenAuer can you please share what your server HW configuration is?


#19

I don’t use Certbot. I use a Windows 2012 server + my own Let’s Encrypt client.


#20

The person who got the fast issuance time in the other thread was @mnordhoff.