This has worked very well for us in the last few years. However recently we have been finding that the renewal process is taking longer over time. To the point where renewing 20 certificates can take a couple hours.
I also tried running the above command with the --duplicate option and did indeed find that the tool ran much more quickly. Furthermore it does appear that the tool will hang until it prints the result of the decision to generate or renew, and from there on, it will proceed relatively quickly.
However we are running certbot-auto 1.3.0 so I believe the fix which resolved the issue for this other user should be in place for us as well.
Note that I have also searched our letsencrypt.log files to ensure that there are no 429 response codes, so rate limiting is not the issue here.
Thanks very much for any insight that you can provide!
I’ll be happy to run commands / provide any relevant info.
/etc/scripts/certbot-auto certonly -a webroot -w /var/www/ -d "test.com"
This, you run ONE time, when you create the certificate for the first time. (If you want to install the certificate, you should remove certonly and add --deploy-hook "some command or script", so certbot can do that by itself).
Then, you run /etc/scripts/certbot-auto renew --quiet twice a day, at random times. (The options from the first command are saved.)
Looking at the old thread, it appears that specifying --cert-name directly turns the O(N) operation into an O(1) operation.
i.e., even with thousands of certificates, it should be as fast as if you only had a single certificate.
The command you provided doesn’t specify a --cert-name, it uses -d, which forces Certbot to go looking through all your certificates for one which contains that domain.
Is it possible for you to change your command to use --cert-name instead of -d?
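One way to make the switch from -d to --cert-name mechanical when you renew many certificates from a script: look the lineage name up once from certbot's saved renewal configuration and pass that name instead of the domain. The script below is an added example written for this thread, not code from certbot or from anyone in the discussion. It assumes certbot keeps one /etc/letsencrypt/renewal/<cert-name>.conf per certificate and lists that certificate's domains under a [[webroot_map]] section (the layout the webroot authenticator writes); the RENEWAL_DIR override, the function names and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a domain to the certbot
# lineage name so certonly/renew can be called with --cert-name instead
# of -d. Assumption: renewal configs live in
# /etc/letsencrypt/renewal/<cert-name>.conf and list the certificate's
# domains under [[webroot_map]]. RENEWAL_DIR can be overridden for tests.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# cert_name_for_domain DOMAIN -> prints the lineage name; exit 1 if none
cert_name_for_domain() {
    domain="$1"
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        # Only the "domain = webroot" lines after [[webroot_map]] count.
        if awk -v d="$domain" '
            /^\[\[webroot_map\]\]/ { inmap = 1; next }
            /^\[/                  { inmap = 0 }
            inmap {
                sub(/[ \t]*=.*$/, "")
                if ($0 == d) { found = 1; exit }
            }
            END { exit found ? 0 : 1 }' "$conf"; then
            printf '%s\n' "$(basename "$conf" .conf)"
            return 0
        fi
    done
    return 1
}

# build_renew_command DOMAIN -> prints the --cert-name form of the command
# from the thread (O(1) lookup instead of scanning every certificate)
build_renew_command() {
    name=$(cert_name_for_domain "$1") || return 1
    printf '/etc/scripts/certbot-auto certonly -a webroot -w /var/www/ --cert-name %s\n' "$name"
}

# Constructed sample renewal directory so the example runs offline.
demo_setup() {
    RENEWAL_DIR=$(mktemp -d)
    cat > "$RENEWAL_DIR/test.com.conf" <<'EOF'
version = 1.3.0
[renewalparams]
authenticator = webroot
[[webroot_map]]
test.com = /var/www
www.test.com = /var/www
EOF
    cat > "$RENEWAL_DIR/other.example.conf" <<'EOF'
version = 1.3.0
[renewalparams]
authenticator = webroot
[[webroot_map]]
other.example = /var/www
EOF
}
```

Call demo_setup and then build_renew_command test.com to see the rewritten command; against a real /etc/letsencrypt/renewal directory, leave RENEWAL_DIR unset. A domain that appears in no config makes cert_name_for_domain fail, so the wrapper never silently falls back to the slow -d form.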
That is it! I missed that when reading through the thread... just assumed the optimization would have been applied to -d (but can see why that wouldn't work)
I gave it a test in the console and the difference is night and day!