letsencrypt renew

6 March 2018, 09:09

I have noticed the `letsencypt renew` script takes about 2 sec to execute and seems to access the internet while I would expect it to immediately return if we are far from the expiration date (as defined by RENEWAL_EXPIRE_THRESHOLD).
Is it in the initialization of the classes letsencrypt/acme/... that it is accessing the network? I can look into the script further myself and see what is the bottleneck in my case unless you tell me this is the expected behaviour.

Hugo Leisink
6 March 2018, 21:36
Most of the time goes into initializing PHP. The network traffic is probably during initializing of the ACME library.
6 March 2018, 22:12
Thanks for the explanation Hugo, is it possible to avoid this step if the time to expiry is far away to save that 2 seconds and the ACME access which should not be required, right?
Hugo Leisink
6 March 2018, 22:43
I will take a look at it for the ACME v2 version of this script.
6 March 2018, 23:06
Thanks very much Hugo, looking forward for the new ACME v2 btw!
7 March 2018, 21:00
Then I suppose what can be found on github here is not the latest.
Hugo Leisink
8 March 2018, 13:30
It's the latest release of the ACME v1 version of the script. The ACME v2 version is not ready, because the ACME v2 API is not available yet. What you can expect of it, can be found here.
9 March 2018, 08:14
Thanks I will have a look, note Hiawatha is already presented as a ACME v2 compatible client (staging endpoint) on Let's Encrypt's site
10 March 2018, 21:36
Having a look at it we will have the same delay at initialization than the ACME 1 (even if time to expiry is far away). It is connecting to LE CA server at init of the ACME library. Can it be taken out of the ACME init library and called only later on?

Hugo Leisink
11 March 2018, 01:23
I had not yet published the new code for that. I've updated the 2.0 tarball.
11 March 2018, 11:02
All right, the new code looks good! Are we waiting for ACME v2 to be finalized by the end of the quarter then now ?
18 March 2018, 16:38
Has anyone the same problem? When I renew or request (ACME1 or ACME2) I get a new Cert.pem but I cant use it. I get in the Browser (Firefox) "SEC_ERROR_BAD_SIGNATURE".
And the cert.pem listed here is not the cert in the hiawatha-pem-file.
19 March 2018, 13:43
20 March 2018, 09:16
This topic has been closed.