Netgate Discussion Forum
    Certificate long time to issue

    Category: ACME
    21 Posts 4 Posters 2.1k Views
      maverick_slo

      No, it does not listen yet.
      Only after those checks can I see socat bound to port 80 on the desired IP.
      After that the cert is issued in 4 seconds.

      I'm now almost 100% positive this is an ACME issue.

        PiBa @maverick_slo

        @maverick_slo
        How long does it take?: time netstat -an -p tcp | grep LISTEN

          maverick_slo

          Instant.

          While in "wait mode" (netstat checks before it even starts to listen on 80):

          tcp4       0      0 192.168.166.76.2222    *.*                    LISTEN
          tcp4       0      0 192.168.166.77.443     *.*                    LISTEN
          tcp4       0      0 192.168.166.77.80      *.*                    LISTEN
          tcp4       0      0 127.0.0.1.44443        *.*                    LISTEN
          tcp4       0      0 192.168.166.76.10050   *.*                    LISTEN
          tcp6       0      0 *.44441                *.*                    LISTEN
          tcp4       0      0 *.44441                *.*                    LISTEN
          tcp4       0      0 *.44442                *.*                    LISTEN
          tcp6       0      0 *.44442                *.*                    LISTEN
          tcp4       0      0 192.168.166.76.443     *.*                    LISTEN
          

          And when it listens and is actually doing verification:

          tcp4       0      0 *.80                   *.*                    LISTEN
          tcp4       0      0 192.168.166.76.2222    *.*                    LISTEN
          tcp4       0      0 192.168.166.77.443     *.*                    LISTEN
          tcp4       0      0 192.168.166.77.80      *.*                    LISTEN
          tcp4       0      0 127.0.0.1.44443        *.*                    LISTEN
          tcp4       0      0 192.168.166.76.10050   *.*                    LISTEN
          tcp6       0      0 *.44441                *.*                    LISTEN
          tcp4       0      0 *.44441                *.*                    LISTEN
          tcp4       0      0 *.44442                *.*                    LISTEN
          tcp6       0      0 *.44442                *.*                    LISTEN
          tcp4       0      0 192.168.166.76.443     *.*                    LISTEN
          
          

          I'm really out of ideas but unable to upgrade to alpha 😭

            maverick_slo @PiBa

            @piba said in Certificate long time to issue:

            How long does it take?: time netstat -an -p tcp | grep LISTEN

            Do you suspect HAProxy?

            There was 1.8.19 just 2 days ago and already here: https://www.freshports.org/net/haproxy

            :)

              PiBa @maverick_slo

              @maverick_slo said in Certificate long time to issue:

              instant

              I guess I would put several more debug output statements like _debug "Using: netstat" into the acme.sh code, surrounding functions that can be 'suspected' of taking a while and that sit between the parts where the current logs show the time is being spent. Try and figure out what exact command is really taking the time.

                maverick_slo

                Or I could just migrate to DNS verification which is better anyway :)

                  maverick_slo

                  Ummm one more observation.
                  The cert was renewed today at 3:16 and it had 14 names in it. It renewed in 180 seconds, which is waaaay faster than renewing via the WebGUI.

                  So I'm calling it a bug or regression or whatever :)

                  SYS LOG:
                  Feb 14 03:16:00 	php 		Acme, renewing certificate: EXCHANGE_LE
                  Feb 14 03:18:37 	php 		Acme, storing new certificate: EXCHANGE_LE
                  
                    maverick_slo

                    At home I have the same setup, 12 domains, 30 seconds, but I'm on alpha build 2.4.5 :)

                      maverick_slo

                      OK, ACME is to blame:

                      This code:

                      if _exists "netstat"; then
                        _debug "Using: netstat"
                        if netstat -h 2>&1 | grep "\-p proto" >/dev/null; then
                          #for windows version netstat tool
                          netstat -an -p tcp | grep "LISTENING" | grep ":$_port "
                        else
                          if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
                            netstat -an -p tcp | grep LISTEN | grep ":$_port "
                          elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
                            #for solaris
                            netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
                          elif netstat -help 2>&1 | grep "\-p" >/dev/null; then
                            #for full linux
                            netstat -ntpl | grep ":$_port "
                          else
                            #for busybox (embedded linux; no pid support)
                            netstat -ntl 2>/dev/null | grep ":$_port "
                          fi
                        fi
                        return 0
                      fi


                      It executes "if netstat -h 2>&1 | grep "-p proto" >/dev/null; then", which runs netstat -h, and this takes a long time as it tries to resolve all IPs :) Then, when it doesn't find "-p proto", it moves on to the next command, which is OK for our firewall. I removed the first IF after _debug "Using: netstat" and verification is done in like 10 seconds for 12 hosts :)

                      So yeah, this is a bug.

                      Code that works:

                      if _exists "netstat"; then
                        _debug "Using: netstat"
                        # The Windows-only "netstat -h" probe is removed here: on this
                        # firewall -h is not a help flag, so it ran a full listing with
                        # name resolution for every address.
                        if netstat -help 2>&1 | grep "\-p protocol" >/dev/null; then
                          netstat -an -p tcp | grep LISTEN | grep ":$_port "
                        elif netstat -help 2>&1 | grep -- '-P protocol' >/dev/null; then
                          #for solaris
                          netstat -an -P tcp | grep "\.$_port " | grep "LISTEN"
                        elif netstat -help 2>&1 | grep "\-p" >/dev/null; then
                          #for full linux
                          netstat -ntpl | grep ":$_port "
                        else
                          #for busybox (embedded linux; no pid support)
                          netstat -ntl 2>/dev/null | grep ":$_port "
                        fi
                        return 0
                      fi

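Added example (not acme.sh code and not posted by anyone in this thread): a port check written the way the diagnosis above suggests. It picks the netstat flavour from uname instead of probing "netstat -h", always passes -n so reverse DNS can never stall issuance, and matches both the BSD addr.port and the Linux addr:port local-address layouts. The two netstat listings are constructed samples.

```shell
# Constructed sample of BSD-style "netstat -an -p tcp" output (not a real host).
SAMPLE_BSD='tcp4       0      0 192.168.166.77.443     *.*                    LISTEN
tcp4       0      0 192.168.166.77.80      *.*                    LISTEN
tcp4       0      0 127.0.0.1.44443        *.*                    LISTEN'

# Constructed sample of Linux "netstat -ntl" output.
SAMPLE_LINUX='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN'

# netstat_listing: print a numeric (-n) TCP listener table for this OS.
# The platform comes from uname, not from probing "netstat -h": on FreeBSD
# (pfSense) -h is not a help flag, so that probe runs a full listing that
# reverse-resolves every address and can take minutes on a busy firewall.
netstat_listing() {
  case "$(uname -s)" in
    FreeBSD|OpenBSD|NetBSD|Darwin) netstat -an -p tcp 2>/dev/null ;;
    SunOS)                         netstat -an -P tcp 2>/dev/null ;;
    *)                             netstat -ntl      2>/dev/null ;;
  esac
}

# port_in_listing PORT LISTING: exit 0 if LISTING has a TCP listener on PORT.
# The local address is field 4; BSD prints "addr.port" and Linux "addr:port",
# so the port is the last piece after splitting on either separator. A plain
# grep ":$port " would miss every BSD line, which is why this parses fields.
port_in_listing() {
  printf '%s\n' "$2" | awk -v p="$1" '
    {
      listening = 0
      for (i = 5; i <= NF; i++) if ($i == "LISTEN") listening = 1
      if (!listening) next
      n = split($4, a, /[.:]/)
      if (a[n] == p) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# port_in_use PORT: live check on the running system, e.g. before starting
# the ACME standalone listener on port 80.
port_in_use() { port_in_listing "$1" "$(netstat_listing)"; }
```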
                        Gertjan

                        Time to call Neil ^^

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit: and where are the logs??

                          maverick_slo

                          ;)
                          Reported on GitHub.

                          But I still don't understand why this method is not supported or efficient?
                          It works really well...

                            jimp (Rebel Alliance Developer, Netgate)

                            It's not supported/efficient when hooking to HAProxy because it's redundant. HAProxy can already serve the files; there is no need for ACME to also be a web server involved in the process. ACME can drop the files in a directory, HAProxy can serve them up from there, and it's done. It just needs that Python script and the settings from the link I shared earlier in the thread.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                              maverick_slo

                              Well we all have our own opinions.
                              For me it is simpler:

                              1. I don't need special settings
                              2. I don't need any scripts
                              3. I can do it out of the box
                              4. It didn't fail once (except the long times because of the acme.sh bug)

                              If Netgate can include that script and integrate it, that would be cool :)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.