Huge latency on generating certificate

For days now, I have had huge latency when generating or renewing any cert.

Here is my last try:
My domain is: blbimmo.fr

I ran this command: certbot-auto certonly -d blbimmobilier.la-boite-immo.com -d blbimmo.fr -d www.blbimmo.fr --http-01-port 63443 --agree-tos --standalone

Started at 2020-03-03 11:34:02
Finished at 2020-03-03 11:59:15

Here are some logs where you can see the delay…

2020-03-03 11:34:03,764:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-03-03 11:34:03,766:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 03 Mar 2020 10:34:03 GMT
// …
2020-03-03 11:42:29,040:INFO:certbot._internal.main:Obtaining a new certificate
2020-03-03 11:50:56,609:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/29069_key-certbot.pem
2020-03-03 11:59:03,677:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/29066_csr-certbot.pem

And after that, everything goes right… But I have a huge number of certificates to generate / renew.

certbot 1.2.0

Is there a specific step which is delayed or are all steps very slow?

If it’s the former, what is the step from the log before the step in time?

All the steps before and after are really quick.

I have the same delay for all certificates, at the same steps: between “Received response” and “Creating CSR”.

CPU usage stays low (2 cores, ). No wait on CPU.
Load stable at 1.00 (no other process on this host, it’s used only by letsencrypt, web traffic is managed by haproxy in front of that host).

Here is the log file before:

2020-03-03 11:34:02,825:DEBUG:certbot._internal.main:certbot version: 1.2.0
2020-03-03 11:34:02,826:DEBUG:certbot._internal.main:Arguments: ['-d', 'blbimmobilier.la-boite-immo.com', '-d', 'blbimmo.fr', '-d', 'www.blbimmo.fr', '--http-01-port', '63443', '--agree-tos', '-m', 'infra@la-boite-immo.com', '--account', 'd6b16a04dc38f74b04d3cc6881aa2720', '--standalone', '--non-interactive']
2020-03-03 11:34:02,826:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-03-03 11:34:02,902:DEBUG:certbot._internal.log:Root logging level set at 20
2020-03-03 11:34:02,903:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-03-03 11:34:03,127:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2020-03-03 11:34:03,144:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f34f113cb90>
Prep: True
2020-03-03 11:34:03,145:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f34f113cb90> and installer None
2020-03-03 11:34:03,145:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2020-03-03 11:34:03,175:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, contact=(u'mailto:infra@la-boite-immo.com',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f34f2ce1290>)>), external_account_binding=None), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/20022078', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), d6b16a04dc38f74b04d3cc6881aa2720, Meta(creation_host=u'lb1.la-boite-immo.fr', creation_dt=datetime.datetime(2017, 8, 16, 12, 46, 32, tzinfo=<UTC>)))>
2020-03-03 11:34:03,178:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-03-03 11:34:03,182:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-03-03 11:34:03,764:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-03-03 11:34:03,766:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 03 Mar 2020 10:34:03 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "nDwpIHo7oYA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-03-03 11:42:29,040:INFO:certbot._internal.main:Obtaining a new certificate
2020-03-03 11:50:56,609:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/29069_key-certbot.pem
2020-03-03 11:59:03,677:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/29066_csr-certbot.pem
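
To see which step stalls, as asked earlier in the thread, the gaps between consecutive timestamped lines of the certbot debug log can be computed directly. The script below is an added example, not part of the original posts or of certbot; `find_stalls` and its 30-second threshold are assumptions, and the sample lines are copied from the log above.

```python
import re
from datetime import datetime

# certbot debug lines look like "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:logger:message".
# Continuation lines (HTTP headers, JSON bodies) carry no timestamp and are skipped.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):(\w+):([\w.]+):(.*)$"
)

def parse_entries(text):
    """Return [(timestamp, logger, message)] for timestamped lines only."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            entries.append((ts, m.group(3), m.group(4)))
    return entries

def find_stalls(text, threshold_s=30.0):
    """Return (gap_seconds, entry_before_gap, entry_after_gap) for each stall.

    threshold_s is an assumed cut-off; tune it to the host's normal run time.
    """
    entries = parse_entries(text)
    stalls = []
    for (t0, log0, msg0), (t1, log1, msg1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap >= threshold_s:
            stalls.append((gap, f"{log0}:{msg0}", f"{log1}:{msg1}"))
    return stalls

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = """\
2020-03-03 11:34:03,178:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-03-03 11:34:03,766:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
2020-03-03 11:42:29,040:INFO:certbot._internal.main:Obtaining a new certificate
2020-03-03 11:50:56,609:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/29069_key-certbot.pem
2020-03-03 11:59:03,677:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/29066_csr-certbot.pem
"""

if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE_LOG):
        print(f"{gap:8.1f}s  between [{before}] and [{after}]")
```

On a real host, pass the contents of `/var/log/letsencrypt/letsencrypt.log` to `find_stalls` instead of the embedded sample.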