[Fixed] Installing Let's Encrypt certificate is taking a very long time

Hi,

Installing a Let's Encrypt certificate is taking a very long time,
without any obvious error in the logs.
In the end, certificates are correctly installed. But I have to wait tens of minutes for each certificate install to complete.

Any idea of what could be the cause of that?

My YunoHost server

Hardware: ODroid H3+ (x86 not ARM)
YunoHost version: 11.2.10
I have access to my server : Through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
Freshly installed server, with a WireGuard VPN to expose it on the internet
The VPN I’m using is IPv4 only.
I have disabled IPv6 in the web admin pages tools/settings/email and tools/settings/misc

Description of my issue

As can be seen in the logs below, some steps of the cert install are taking several minutes.

Output of yunohost domain cert-install visio.lab12.io --debug (including only the beginning, where things are slow) :
https://paste.yunohost.org/eququxojug.yaml

Log file /var/log/yunohost/categories/operation/20240221-115129-letsencrypt_cert_install-visio.lab12.io.log :
https://paste.yunohost.org/okuqakobez.sql

File /etc/hosts :

127.0.0.1       localhost
127.0.1.1       clic12.lab12.io clic12

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

127.0.0.1       lab12 lab12.io

Initially, the IPv6 stuff was not commented out. I commented it out to see if it would fix the issue. It did not.
Also, the last line did not initially include lab12.io. Adding it has not made any difference.

Diagnostic status :
All green except a warning about IPv6 connectivity (The server does not have working IPv6.) that I have set to ignored.

I found the cause of my issue. It was a problem with IPv6. The WireGuard VPN that I am using does not support IPv6, but the WireGuard configuration file that was given to me by the VPN provider had AllowedIPs = 0.0.0.0/0, ::/0 in it. Also, my Ethernet interface was configured with autoconfigured IPv6.

Besides the long delays in Let's Encrypt certificate generation, it was also causing network access errors for domain names that were resolving to an IPv6 address (it was such an error, happening during the installation of an app, that hinted me to the cause of the issue).

After I removed the ::/0 from the AllowedIPs of the WireGuard configuration, removed the autoconfigured IPv6 from my Ethernet interface in /etc/network/interfaces, and completely disabled IPv6 by setting net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.d/70-disable-ipv6.conf, my Let's Encrypt certificates are now generated in a timely manner.
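
A check for the misconfiguration described in the last post, as an added example that is not part of the original thread: it flags IPv6 AllowedIPs in a wg-quick file whose [Interface] has no IPv6 address, and produces the IPv4-only version of the file. The sample config, the function names, and the rule that a missing IPv6 Address means an IPv4-only tunnel are assumptions of this example.

```python
import ipaddress

# Constructed sample shaped like the provider file in the post; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""

def _entries(text):
    """Yield (section, key, values) for each 'key = value' line of a wg-quick file."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip().lower(), [v.strip() for v in value.split(",") if v.strip()]

def unserved_ipv6_routes(text):
    """Return IPv6 AllowedIPs of a tunnel whose [Interface] has no IPv6 Address."""
    # Assumption of this example: no IPv6 Address means the tunnel carries no IPv6 at all.
    has_v6_addr, v6_routes = False, []
    for section, key, values in _entries(text):
        if section == "interface" and key == "address":
            has_v6_addr |= any(ipaddress.ip_interface(v).version == 6 for v in values)
        elif section == "peer" and key == "allowedips":
            v6_routes += [v for v in values if ipaddress.ip_network(v, strict=False).version == 6]
    return [] if has_v6_addr else v6_routes

def drop_ipv6_allowed_ips(text):
    """Drop IPv6 entries from AllowedIPs lines; a line left empty is commented out."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().lower() == "allowedips":
            nets = [v.strip() for v in value.split("#", 1)[0].split(",") if v.strip()]
            keep = [v for v in nets if ipaddress.ip_network(v, strict=False).version == 4]
            raw = f"{key.rstrip()} = {', '.join(keep)}" if keep else "# " + raw
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("IPv6 routes without an IPv6 tunnel address:", unserved_ipv6_routes(SAMPLE_CONF))
    print(drop_ipv6_allowed_ips(SAMPLE_CONF), end="")
```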
