Bug #9318

closed

Acme - standalone validation takes long time to start internal server

Added by Greg M about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: ACME
Target version: -
Start date: 02/13/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: All

Description

Hi!

As per post here: https://forum.netgate.com/topic/140537/certificate-long-time-to-issue

I have ACME in standalone mode on port 80 which is not used anywhere on firewall.
Then I have HAPROXY backend forwarded to this IP and port, with no health checks and default timers. I also have a rule that forwards /well-known to this backend.

If I have, for example, a cert with 3 domain names and their www counterparts,
that makes 6 domain names in total.
Now, running on 2.4.4-RELEASE-p2 and ACME package 0.5.3, it takes around 5-6 minutes to issue a cert.

I noticed this this week, as I'm 100% sure that it took like 30 seconds when I first set this up.

In the log I can see the delay here:

[Wed Feb 13 09:44:17 CET 2019] _on_before_issue
[Wed Feb 13 09:44:17 CET 2019] _chk_main_domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _chk_alt_domains='www.domain.com'
[Wed Feb 13 09:44:17 CET 2019] 'no,no' contains 'no'
[Wed Feb 13 09:44:17 CET 2019] socat exists=0
[Wed Feb 13 09:44:17 CET 2019] Le_LocalAddress
[Wed Feb 13 09:44:17 CET 2019] d='domain.com'
[Wed Feb 13 09:44:17 CET 2019] Check for domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:17 CET 2019] Standalone mode.
[Wed Feb 13 09:44:17 CET 2019] OK
[Wed Feb 13 09:44:17 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:17 CET 2019] _checkport='80'
[Wed Feb 13 09:44:17 CET 2019] _checkaddr
[Wed Feb 13 09:44:17 CET 2019] ss exists=127
[Wed Feb 13 09:44:17 CET 2019] netstat exists=0
[Wed Feb 13 09:44:17 CET 2019] Using: netstat
### Here, and repeated once for each domain name ###
[Wed Feb 13 09:44:52 CET 2019] d='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] Check for domain='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] _currentRoot='no'
[Wed Feb 13 09:44:52 CET 2019] Standalone mode.
[Wed Feb 13 09:44:52 CET 2019] OK
[Wed Feb 13 09:44:52 CET 2019] 8:Le_HTTPPort='80'
[Wed Feb 13 09:44:52 CET 2019] _checkport='80'
[Wed Feb 13 09:44:52 CET 2019] _checkaddr
[Wed Feb 13 09:44:52 CET 2019] ss exists=127
[Wed Feb 13 09:44:52 CET 2019] netstat exists=0
[Wed Feb 13 09:44:52 CET 2019] Using: netstat
[Wed Feb 13 09:45:02 CET 2019] d
[Wed Feb 13 09:45:02 CET 2019] 'no,no' does not contain 'apache'

When this check or whatever gets done, the internal server is started, haproxy serves the validation requests, and the cert gets issued in seconds.

I think this is a bug; if not, we can continue on the forums.

Thanks!
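The reporter located the stall by eye (the "###" marker between the two netstat checks). The following is an added example, not code from the reporter, from acme.sh or from the pfSense ACME package: it parses acme.sh debug lines of the form shown above, computes the time between consecutive entries, and reports the messages on either side of every gap above a threshold, so the slow step can be named from the log alone. The sample log is the excerpt quoted in the report; the zone name (CET) is ignored on the assumption that every line of one run carries the same zone.

```python
import re
from datetime import datetime

# Constructed sample: the acme.sh debug excerpt quoted in the bug report,
# including the reporter's own "###" annotation line (which has no timestamp).
SAMPLE_LOG = """\
[Wed Feb 13 09:44:17 CET 2019] _on_before_issue
[Wed Feb 13 09:44:17 CET 2019] _chk_main_domain='domain.com'
[Wed Feb 13 09:44:17 CET 2019] _chk_alt_domains='www.domain.com'
[Wed Feb 13 09:44:17 CET 2019] socat exists=0
[Wed Feb 13 09:44:17 CET 2019] d='domain.com'
[Wed Feb 13 09:44:17 CET 2019] Standalone mode.
[Wed Feb 13 09:44:17 CET 2019] _checkport='80'
[Wed Feb 13 09:44:17 CET 2019] _checkaddr
[Wed Feb 13 09:44:17 CET 2019] ss exists=127
[Wed Feb 13 09:44:17 CET 2019] netstat exists=0
[Wed Feb 13 09:44:17 CET 2019] Using: netstat
### Here, and repeated once for each domain name ###
[Wed Feb 13 09:44:52 CET 2019] d='www.domain.com'
[Wed Feb 13 09:44:52 CET 2019] Standalone mode.
[Wed Feb 13 09:44:52 CET 2019] _checkport='80'
[Wed Feb 13 09:44:52 CET 2019] _checkaddr
[Wed Feb 13 09:44:52 CET 2019] ss exists=127
[Wed Feb 13 09:44:52 CET 2019] netstat exists=0
[Wed Feb 13 09:44:52 CET 2019] Using: netstat
[Wed Feb 13 09:45:02 CET 2019] d
[Wed Feb 13 09:45:02 CET 2019] 'no,no' does not contain 'apache'
"""

# "[Wed Feb 13 09:44:17 CET 2019] message": weekday and zone are captured but
# not used; "date" pads single-digit days with a second space, hence \s+.
_TS_RE = re.compile(
    r"^\[\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\w+\s+(\d{4})\]\s(.*)$"
)


def parse_line(line):
    """Return (datetime, message) for an acme.sh debug line, or None for any
    other line (blank lines, the reporter's '###' annotation, ...)."""
    m = _TS_RE.match(line)
    if not m:
        return None
    month, day, clock, year = m.group(1), m.group(2), m.group(3), m.group(4)
    ts = datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return ts, m.group(5)


def find_gaps(log_text, min_seconds=5.0):
    """Return [(seconds, message_before_gap, message_after_gap), ...] for every
    pair of consecutive timestamped lines at least min_seconds apart, largest
    gap first. The message before the gap names the step that was running."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    gaps = []
    for (t0, msg0), (t1, msg1) in zip(entries, entries[1:]):
        delta = (t1 - t0).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, msg0, msg1))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps


def total_stall(log_text, min_seconds=5.0):
    """Seconds spent in all gaps above the threshold, i.e. the time the run
    spent doing nothing visible in the debug log."""
    return sum(g[0] for g in find_gaps(log_text, min_seconds))


if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE_LOG):
        print(f"{seconds:6.1f}s after {before!r} (next: {after!r})")
    print(f"total stall: {total_stall(SAMPLE_LOG):.1f}s")
```

On the excerpt above the two gaps both follow "Using: netstat", which is exactly the reporter's reading: the per-domain port check, not the ACME exchange itself, accounts for the delay. Run it over a full debug log (acme.sh with `--debug`, or the log the pfSense package keeps) to get the same answer for all six domains without reading the file by hand.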
