Hi,
I have a multi-domain cert that I am requesting; it has 30 SAN names, 28 of them wildcard domains. I am using certbot (v1.2.0, docker) with the cli.ini config below.
certbot executes the manual auth hook; the hook creates the DNS entries on Google Cloud DNS, waits for the DNS entry to be replicated on all the name servers and then does an additional sleep of 15s. The additional sleep was necessary as domain verification kept failing if the auth hook exited right after the DNS check on all the name servers. The error was NXDOMAIN.
This process is taking 45 mins to generate the certs! This is because for each domain the manual auth hook is being called serially.
- Is there a way this can be parallelized?
- Why is there a need for extra time (sleep 15s) after the DNS entry has already been verified on all the name servers of the registered domain? (It would fail with NXDOMAIN even after 5s of sleep, so I changed it to 15s.)
- Which DNS servers is Let’s Encrypt CAA checking to verify the DNS challenge? (From the blog post it looks like it is checking the domain's authoritative name servers: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation. I could not find this information in the docs.)
command (ran inside a docker container):
certbot certonly --cert-name "${DOMAIN}" --domains "${DOMAIN},${SUB_DOMAINS}"
cli.ini
rsa-key-size = 4096
agree-tos = True
email = <redacted>
server = https://acme-v02.api.letsencrypt.org/directory
test-cert = False
non-interactive = True
preferred-challenges = dns
manual = True
manual-auth-hook = /opt/certbot/scripts/manual_auth_hook.sh
manual-cleanup-hook = /opt/certbot/scripts/manual_cleanup_hook.sh
manual-public-ip-logging-ok = True
manual_auth_hook.sh (excerpt)
# Wait at most 120 s until every authoritative name server of the zone returns the challenge TXT record.
# The block below is fed to a child sh: ${DOMAIN}, ${ACME_CHALLENGE_DOMAIN} and ${CERTBOT_VALIDATION}
# expand in the parent shell, \$ escapes expand inside the child. Log lines go to the container's
# stdout (/proc/1/fd/1) with a POSIX redirect; "&>" is bash-only and is not guaranteed in sh.
# If the timeout fires, fail the hook instead of letting certbot request validation of a record
# that is not visible yet.
timeout 120 sh << EOF || exit 1
NAME_SERVERS="$(dig +short -t NS ${DOMAIN} | tr '\n' ' ')"
echo "NAME_SERVERS=\${NAME_SERVERS}" > /proc/1/fd/1 2>&1
for NS in \$NAME_SERVERS; do
echo "NS=\${NS}" > /proc/1/fd/1 2>&1
# Poll this name server until the TXT record carries the value certbot handed to the hook.
until dig +short -t TXT ${ACME_CHALLENGE_DOMAIN} @\${NS} | grep -q -- "${CERTBOT_VALIDATION}"; do
echo "\$(date -Is) waiting for DNS resolution of ${ACME_CHALLENGE_DOMAIN} to show ${CERTBOT_VALIDATION} on \${NS}" > /proc/1/fd/1 2>&1
sleep 1
done
echo "resolved on \${NS}" > /proc/1/fd/1 2>&1
done
echo "resolved on all name servers: \${NAME_SERVERS}" > /proc/1/fd/1 2>&1
EOF
echo "$(date -Is) sleeping for 15s for DNS propagation." > /proc/1/fd/1 2>&1
sleep 15
Thanks!
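An added example in the same shell the hook is written in, not the poster's script: it replaces the fixed 15 s sleep with a bounded wait that checks every address behind every NS host of the zone, because one NS hostname can front several server instances and a single dig only proves that one of them has the record. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot exports to auth hooks; ZONE, MAX_WAIT and POLL_INTERVAL are assumed names chosen here.

```shell
#!/bin/sh
# Added example (not the poster's hook). Waits, with a bounded budget, until
# the ACME challenge TXT record is visible on every address behind every NS of
# the zone, instead of sleeping a fixed 15 s. Assumes certbot's CERTBOT_DOMAIN
# and CERTBOT_VALIDATION are exported; ZONE/MAX_WAIT/POLL_INTERVAL are assumed.

# query_txt NAME ADDRESS: print the TXT strings NAME has at ADDRESS.
query_txt() {
    dig +short +time=2 +tries=1 -t TXT "$1" "@$2"
}

# ns_addresses ZONE: every A/AAAA address of every NS host of ZONE. One NS
# hostname can front several instances, so each address is checked separately.
ns_addresses() {
    for ns in $(dig +short -t NS "$1"); do
        dig +short -t A "$ns"
        dig +short -t AAAA "$ns"
    done
}

# wait_for_txt NAME VALUE ADDRESS...: return 0 once every ADDRESS returns
# VALUE for NAME, or 1 when MAX_WAIT seconds (default 120) elapse first.
wait_for_txt() {
    name=$1; value=$2; shift 2
    deadline=$(( $(date +%s) + ${MAX_WAIT:-120} ))
    for addr in "$@"; do
        # dig prints TXT data quoted, so match the whole quoted string exactly.
        until query_txt "$name" "$addr" | grep -q -F -x -- "\"$value\""; do
            if [ "$(date +%s)" -ge "$deadline" ]; then
                echo "gave up: $value not visible on $addr" >&2
                return 1
            fi
            sleep "${POLL_INTERVAL:-2}"
        done
        echo "$name visible on $addr"
    done
}

# Hook entry point; only runs when certbot has set the challenge value.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    zone=${ZONE:-$CERTBOT_DOMAIN}
    addrs=$(ns_addresses "$zone")
    [ -n "$addrs" ] || { echo "no name servers found for $zone" >&2; exit 1; }
    # Word splitting of $addrs is intended (one address per word).
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" $addrs || exit 1
fi
```

Certbot's manual plugin still calls the hook once per name in sequence, so this shortens each wait but does not run the validations in parallel.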