Bug #9318

closed

Acme - standalone validation takes long time to start internal server

Added by Greg M about 5 years ago. Updated about 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
ACME
Target version:
-
Start date:
02/13/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

Hi!

As per post here: https://forum.netgate.com/topic/140537/certificate-long-time-to-issue

I have ACME in standalone mode on port 80 which is not used anywhere on firewall.
Then I have HAPROXY backend forwarded to this IP and port, with no health checks and default timers. I also have a rule that forwards /well-known to this backend.

If I have, for example, a cert with 3 domain names and their www counterparts, that makes 6 domain names in total.
Now running on 2.4.4-RELEASE-p2 and ACME package 0.5.3 it takes around 5-6 minutes to issue a cert.

I noticed this this week, as I'm 100% sure that it took like 30 seconds when I first set this up.

In LOG I can see the delay here:

[Wed Feb 13 09:44:17 CET 2019] _on_before_issue
[Wed Feb 13 09:44:17 CET 2019] _chk_main_domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _chk_alt_domains='www.domain.com'
[Wed Feb 13 09:44:17 CET 2019] 'no,no' contains 'no'
[Wed Feb 13 09:44:17 CET 2019] socat exists=0
[Wed Feb 13 09:44:17 CET 2019] Le_LocalAddress
[Wed Feb 13 09:44:17 CET 2019] d='domain.com'
[Wed Feb 13 09:44:17 CET 2019] Check for domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:17 CET 2019] Standalone mode.
[Wed Feb 13 09:44:17 CET 2019] OK
[Wed Feb 13 09:44:17 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:17 CET 2019] _checkport='80'
[Wed Feb 13 09:44:17 CET 2019] _checkaddr
[Wed Feb 13 09:44:17 CET 2019] ss exists=127
[Wed Feb 13 09:44:17 CET 2019] netstat exists=0
[Wed Feb 13 09:44:17 CET 2019] Using: netstat
###  Here, and for all domain names one time repetition ###
[Wed Feb 13 09:44:52 CET 2019] d='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] Check for domain='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:52 CET 2019] Standalone mode.
[Wed Feb 13 09:44:52 CET 2019] OK
[Wed Feb 13 09:44:52 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:52 CET 2019] _checkport='80'
[Wed Feb 13 09:44:52 CET 2019] _checkaddr
[Wed Feb 13 09:44:52 CET 2019] ss exists=127
[Wed Feb 13 09:44:52 CET 2019] netstat exists=0
[Wed Feb 13 09:44:52 CET 2019] Using: netstat
[Wed Feb 13 09:45:02 CET 2019] d
[Wed Feb 13 09:45:02 CET 2019] 'no,no' does not contain 'apache'

When this check or whatever gets done, the internal server is started, haproxy serves the validation requests and the cert gets issued in seconds.

I think this is a bug; if not, we can continue on the forums.

Thanks!
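The reporter located the delay by eye: every line of the run is stamped 09:44:17 until "Using: netstat", then nothing until 09:44:52, and the same pause repeats for each domain. The script below automates that reading for an acme.sh debug log. It is an added example, not part of the bug report or of acme.sh; it assumes only the log line format visible above ("[Day Mon DD HH:MM:SS ZONE YYYY] message") and uses a trimmed copy of the reporter's excerpt as a constructed sample.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the acme.sh excerpt from the report.
SAMPLE_LOG = """\
[Wed Feb 13 09:44:17 CET 2019] _on_before_issue
[Wed Feb 13 09:44:17 CET 2019] d='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _checkaddr
[Wed Feb 13 09:44:17 CET 2019] netstat exists=0
[Wed Feb 13 09:44:17 CET 2019] Using: netstat
###  Here, and for all domain names one time repetition ###
[Wed Feb 13 09:44:52 CET 2019] d='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] _checkaddr
[Wed Feb 13 09:44:52 CET 2019] Using: netstat
[Wed Feb 13 09:45:02 CET 2019] d
[Wed Feb 13 09:45:02 CET 2019] 'no,no' does not contain 'apache'
"""

# acme.sh prefixes each debug line with the output of `date`, e.g.
# "[Wed Feb 13 09:44:17 CET 2019] message". The zone abbreviation is
# matched but not interpreted: every line of one run carries the same
# zone, so differences between consecutive lines are unaffected.
LINE_RE = re.compile(
    r"^\[\w{3} (?P<stamp>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})\] (?P<msg>.*)$"
)


def parse_line(line):
    """Return (datetime, message) for a timestamped acme.sh line, or None
    for lines without the prefix (such as the reporter's ### annotation)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = datetime.strptime(f"{m['stamp']} {m['year']}", "%b %d %H:%M:%S %Y")
    return stamp, m["msg"]


def find_gaps(lines, threshold_seconds=5):
    """Walk the log in order and report every pause of at least
    threshold_seconds between consecutive timestamped lines.

    Each hit is (gap_seconds, message_before_pause, message_after_pause);
    the message *before* the pause names the step that stalled."""
    gaps = []
    prev = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # annotation or blank line: skip, but keep prev
        if prev is not None:
            delta = (parsed[0] - prev[0]).total_seconds()
            if delta >= threshold_seconds:
                gaps.append((int(delta), prev[1], parsed[1]))
        prev = parsed
    return gaps


def total_stall_seconds(lines, threshold_seconds=5):
    """Sum of all reported pauses: how much of the run was spent waiting."""
    return sum(g[0] for g in find_gaps(lines, threshold_seconds))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for secs, before, after in find_gaps(lines):
        print(f"{secs:4d}s stall after {before!r} (next line: {after!r})")
    print(f"total stalled: {total_stall_seconds(lines)}s")
```

On the sample this reports two stalls, 35 s and 10 s, both directly after "Using: netstat", which is the same conclusion the reporter reached by hand; on a full log with six names the per-domain repetition shows up as one entry per name. Run it against a real log with `python3 script.py < acme.log` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`.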

Actions #1

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Not a Bug

Not seeing a bug there. Please keep the discussion on the forum unless something specific can be identified. That's also not the recommended way to integrate ACME with haproxy, there is a way to do it using a python script which is much more reliable.

Actions #2

Updated by Greg M about 5 years ago

It IS a bug, reported upstream: https://github.com/Neilpang/acme.sh/issues/2096

https://forum.netgate.com/topic/140537/certificate-long-time-to-issue/17

Would it be possible to exclude that IF code block in pfsense package?

Thanks!

Actions #4

Updated by Jim Pingle about 5 years ago

  • Project changed from pfSense to pfSense Packages
  • Category set to ACME
  • Status changed from Not a Bug to Resolved
  • Assignee set to Jim Pingle
  • % Done changed from 0 to 100
  • Affected Version deleted (2.4.4_2)

Should be fixed in the ACME pkg update I just pushed, 0.5.4
