Performance issues when renewing certificates

Hey guys I’ll kick off here by saying that we have been using this tool for several years now and it has been a huge help for us!

We have ~17,000 domains and will periodically loop over subsets of them that are close to expiry running:

/etc/scripts/certbot-auto certonly -a webroot --webroot-path=/var/www/ --keep-until-expiring --no-self-upgrade --agree-tos --email --force-renewal --non-interactive -d ""

This has worked very well for us in the last few years. However recently we have been finding that the renewal process is taking longer over time. To the point where renewing 20 certificates can take a couple hours.

I dug up this old thread and it looked very similar to what we are currently fighting with: Performance issues when creating/renewing certificates

I also tried running the above command with the --duplicate option and did indeed find that the tool ran much more quickly. Furthermore it does appear that the tool will hang until it prints the result of the decision to generate or renew, and from there on, it will proceed relatively quickly.

However we are running certbot-auto 1.3.0 so I believe the fix which resolved the issue for this other user should be in place for us as well.

Note that I have also searched our letsencrypt.log files to ensure that there are no 429 response codes so ratelimiting is not the issue here :frowning:

Thanks very much for any insight that you can provide!
I’ll be happy to run commands / provide any relvant info


I’m going to give you a new command:

/etc/scripts/certbot-auto certonly -a webroot -w /var/www/ -d ""

This, you run ONE time, when you create the certificate for the first time. (If you want to install the certificate, you should remove certonly and add --deploy-hook "some command or script", so certbot can do that by itself).

Then, you run /etc/scripts/certbot-auto renew --quiet twice a day, at random times. (the options from the first command are saved)

If performance is still slow, move to

Could you clarify what your question is?

Looking at the old thread, it appears that specifying --cert-name directly turns the O(N) operation into an O(1) operation.

i.e. Even with thousands of certificates, it should be as fast as if you only had a single certificate.

The command you provided doesn’t specify a --cert-name, it uses -d, which forces Certbot to go looking through all your certificates for one which contains that domain.

Is it possible for you to change your command to use --cert-name instead of -d?


That is it! I missed that when reading through the thread… just assumed the optimization would have been applied to -d (but can see why that wouldn’t work)

I gave it a test in the console and the difference is night and day!

Thank you both for taking a look at that!

1 Like

If you don’t loop through certificates by yourself and let certbot renew do its stuff, the problem goes away all the same.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.