Bug #9318 (closed)
Acme - standalone validation takes long time to start internal server
Description
Hi!
As per post here: https://forum.netgate.com/topic/140537/certificate-long-time-to-issue
I have ACME in standalone mode on port 80 which is not used anywhere on firewall.
Then I have HAPROXY backend forwarded to this IP and port, with no health checks and default timers. I also have a rule that forwards /well-known to this backend.
If I have, for example, a cert with 3 domain names and their www counterparts, that makes 6 domain names in total.
Now, running on 2.4.4-RELEASE-p2 and ACME package 0.5.3, it takes around 5-6 minutes to issue a cert.
I noticed this this week, as I'm 100% sure that it took about 30 seconds when I first set this up.
In the log I can see the delay here:
[Wed Feb 13 09:44:17 CET 2019] _on_before_issue
[Wed Feb 13 09:44:17 CET 2019] _chk_main_domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _chk_alt_domains='www.domain.com'
[Wed Feb 13 09:44:17 CET 2019] 'no,no' contains 'no'
[Wed Feb 13 09:44:17 CET 2019] socat exists=0
[Wed Feb 13 09:44:17 CET 2019] Le_LocalAddress
[Wed Feb 13 09:44:17 CET 2019] d='domain.com'
[Wed Feb 13 09:44:17 CET 2019] Check for domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:17 CET 2019] Standalone mode.
[Wed Feb 13 09:44:17 CET 2019] OK
[Wed Feb 13 09:44:17 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:17 CET 2019] _checkport='80'
[Wed Feb 13 09:44:17 CET 2019] _checkaddr
[Wed Feb 13 09:44:17 CET 2019] ss exists=127
[Wed Feb 13 09:44:17 CET 2019] netstat exists=0
[Wed Feb 13 09:44:17 CET 2019] Using: netstat
### Here (repeated once for each domain name) ###
[Wed Feb 13 09:44:52 CET 2019] d='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] Check for domain='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:52 CET 2019] Standalone mode.
[Wed Feb 13 09:44:52 CET 2019] OK
[Wed Feb 13 09:44:52 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:52 CET 2019] _checkport='80'
[Wed Feb 13 09:44:52 CET 2019] _checkaddr
[Wed Feb 13 09:44:52 CET 2019] ss exists=127
[Wed Feb 13 09:44:52 CET 2019] netstat exists=0
[Wed Feb 13 09:44:52 CET 2019] Using: netstat
[Wed Feb 13 09:45:02 CET 2019] d
[Wed Feb 13 09:45:02 CET 2019] 'no,no' does not contain 'apache'
When this check, or whatever it is, gets done, the internal server is started, haproxy serves the validation requests, and the cert gets issued in seconds.
I think this is a bug; if not, we can continue on the forums.
Thanks!
Updated by Jim Pingle about 5 years ago
- Status changed from New to Not a Bug
Not seeing a bug there. Please keep the discussion on the forum unless something specific can be identified. That's also not the recommended way to integrate ACME with haproxy; there is a way to do it using a Python script which is much more reliable.
Updated by Greg M about 5 years ago
It IS a bug, reported upstream: https://github.com/Neilpang/acme.sh/issues/2096
https://forum.netgate.com/topic/140537/certificate-long-time-to-issue/17
Would it be possible to exclude that IF code block in the pfSense package?
Thanks!
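The log in the report shows the time going into the pre-listen port check (`_checkport` / `_checkaddr` choosing `ss` or `netstat`): 09:44:17 to 09:44:52 for the first domain, then again for every SAN. The following is an added example, not acme.sh's or the pfSense package's own code, of how such a check can be written so that the tool used and the seconds it took are printed next to the result, which makes a slow `netstat` visible immediately instead of only as a gap between log lines. The function names `_pick_port_tool`, `_port_in_use` and `_timed_port_check`, the tool order (ss, then netstat, then FreeBSD's sockstat) and the output formats parsed are assumptions for illustration; only the fact that acme.sh shells out to `ss` or `netstat` here comes from the log above.

```shell
#!/bin/sh
# Added example: a timed "is TCP port N already bound?" check in the style
# a standalone ACME listener needs before it binds. Not acme.sh's code;
# tool order and parsed formats are assumptions (see lead-in).

# Print the first available listener-listing tool, or "none".
_pick_port_tool() {
  for t in ss netstat sockstat; do
    if command -v "$t" >/dev/null 2>&1; then
      echo "$t"
      return 0
    fi
  done
  echo none
}

# _port_in_use PORT [TOOL]
# Exit 0 if a TCP listener is bound on PORT, 1 if none is, 2 if no tool exists.
# Handles "host:port" (ss, sockstat) and FreeBSD netstat's "host.port", and
# only matches the port at the end of the local-address column, so port 80
# is not confused with 8080 or with a host address ending in .80.
_port_in_use() {
  port=$1
  tool=${2:-$(_pick_port_tool)}
  case "$tool" in
    ss)       out=$(ss -Hltn 2>/dev/null) ;;
    netstat)  out=$(netstat -an 2>/dev/null | grep -i listen) ;;
    sockstat) out=$(sockstat -4 -6 -l -P tcp 2>/dev/null) ;;
    *)        return 2 ;;
  esac
  printf '%s\n' "$out" | grep -Eq "[:.]${port}([[:space:]]|\$)"
}

# _timed_port_check PORT [TOOL]
# Same check, with the tool used and wall-clock seconds printed beside the
# result, so a slow listing command shows up in the log where it happens.
_timed_port_check() {
  start=$(date +%s)
  _port_in_use "$1" "$2" && rc=0 || rc=$?
  end=$(date +%s)
  echo "port $1 check: rc=$rc tool=${2:-$(_pick_port_tool)} elapsed=$((end - start))s"
  return $rc
}

# Stand-alone use: sh check_port.sh [PORT]   (defaults to 80)
_timed_port_check "${1:-80}"
```

Two caveats for anyone debugging this on a firewall: first, `time netstat -an` run directly on the box tells you whether the delay is in the listing command itself rather than in the script around it; second, any "list then bind" check is inherently racy, so if the goal is only to avoid binding a busy port, attempting the bind and treating an address-in-use error as the answer is both faster and correct, which is why skipping the check block entirely (as the reporter asks) loses nothing in practice.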
Updated by Greg M about 5 years ago
Updated by Jim Pingle about 5 years ago
- Project changed from pfSense to pfSense Packages
- Category set to ACME
- Status changed from Not a Bug to Resolved
- Assignee set to Jim Pingle
- % Done changed from 0 to 100
- Affected Version deleted (2.4.4_2)
Should be fixed in the ACME pkg update I just pushed, 0.5.4