go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Improve renew times for certificates with multiple SAN certificate #1979

Open relvira opened 1 year ago

relvira commented 1 year ago

How do you use lego?

Library

Detailed Description

Hey there!

I am currently using go-acme/lego to renew a number of certificates that each contain a large list of SANs, all of which belong to the same domain name (i.e. mydomain.com). I am using DNS TXT challenges to prove ownership of said domains.

The main issue I'm facing is renew times: some of these certificates have about 100 SANs, and due to API rate limits on the DNS provider and DNS propagation I can only do the challenges at a certain pace.

I am wondering if there is room for a feature where we can somehow skip authorizations if there is a valid one already. This is what I am seeing when validating all of the SANs at the moment, and I get this afterwards:

2023/06/15 07:42:20 [INFO] [*.dev1594.mydomain.com] acme: authorization already valid; skipping challenge
2023/06/15 07:42:20 [INFO] [*.dev1595.mydomain.com] acme: authorization already valid; skipping challenge
2023/06/15 07:42:20 [INFO] [*.dev1596.mydomain.com] acme: authorization already valid; skipping challenge
2023/06/15 07:42:20 [INFO] [*.dev1597.mydomain.com] acme: authorization already valid; skipping challenge
2023/06/15 07:42:20 [INFO] [*.dev1598.mydomain.com] acme: authorization already valid; skipping challenge
2023/06/15 07:42:20 [INFO] [*.dev1599.mydomain.com] acme: authorization already valid; skipping challenge

Thank you for your hard work maintainers!

Best, Rafa.

ldez commented 1 year ago

Hello,

I'm not sure I understand: lego already skips authorizations, but to be able to know the state of the authorizations we must call the API to obtain them.

The main issue I'm facing is renew times: some of these certificates have about 100 SANs, and due to API rate limits on the DNS provider and DNS propagation I can only do the challenges at a certain pace.

I'm not sure I understand: do you mean that the renewal takes too much time? What is the link with the DNS rate limits? Can you provide more details?
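The two points raised above (a certificate with many SANs where the CA already reports some authorizations as valid, and a DNS provider whose API must not be hit faster than a certain pace) can be illustrated without lego itself. The following is an added example, not code from the lego project or from either participant. It parses a constructed list of ACME authorization objects (RFC 8555 section 7.1.4), keeps only the dns-01 challenges whose authorization is still pending, derives the `_acme-challenge` TXT record name and value (RFC 8555 section 8.4), and pushes the records through a throttling wrapper. The `Provider` interface is redefined locally with the same two methods as lego's `challenge.Provider` so the file has no dependency on lego; the `Recording` provider, the sample JSON, the tokens and the account-key thumbprint are all placeholders made up for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Authorization models the fields of an ACME authorization object
// (RFC 8555 section 7.1.4) needed to decide whether it still has to be solved.
type Authorization struct {
	Identifier struct {
		Type  string `json:"type"`
		Value string `json:"value"`
	} `json:"identifier"`
	Status     string      `json:"status"`
	Wildcard   bool        `json:"wildcard"`
	Challenges []Challenge `json:"challenges"`
}

// Challenge models one entry of an authorization's "challenges" array.
type Challenge struct {
	Type   string `json:"type"`
	Status string `json:"status"`
	Token  string `json:"token"`
}

// Work is one dns-01 challenge that still needs a TXT record.
type Work struct {
	Domain string // identifier value, e.g. "*.dev1600.mydomain.com"
	Token  string
}

// SampleAuths is a constructed authorization list: the first one is already
// valid (the CA caches it), the other two still need a dns-01 challenge.
const SampleAuths = `[
 {"identifier":{"type":"dns","value":"*.dev1594.mydomain.com"},"status":"valid","wildcard":true,
  "challenges":[{"type":"dns-01","status":"valid","token":"tok1594"}]},
 {"identifier":{"type":"dns","value":"*.dev1600.mydomain.com"},"status":"pending","wildcard":true,
  "challenges":[{"type":"dns-01","status":"pending","token":"tok1600"}]},
 {"identifier":{"type":"dns","value":"*.dev1601.mydomain.com"},"status":"pending","wildcard":true,
  "challenges":[{"type":"http-01","status":"pending","token":"h1601"},
                {"type":"dns-01","status":"pending","token":"tok1601"}]}
]`

// PendingDNS01 returns the dns-01 challenges that still need solving.
// Authorizations whose status is already "valid" are skipped: no new TXT
// record is needed for them, which is what the "authorization already valid;
// skipping challenge" log lines in the thread mean.
func PendingDNS01(raw []byte) ([]Work, error) {
	var auths []Authorization
	if err := json.Unmarshal(raw, &auths); err != nil {
		return nil, err
	}
	var work []Work
	for _, a := range auths {
		if a.Status == "valid" {
			continue
		}
		if a.Status != "pending" {
			return nil, fmt.Errorf("%s: unexpected authorization status %q", a.Identifier.Value, a.Status)
		}
		found := false
		for _, c := range a.Challenges {
			if c.Type == "dns-01" && c.Status == "pending" {
				work = append(work, Work{Domain: a.Identifier.Value, Token: c.Token})
				found = true
				break
			}
		}
		if !found {
			return nil, fmt.Errorf("%s: no pending dns-01 challenge offered", a.Identifier.Value)
		}
	}
	return work, nil
}

// DNS01TXTValue is base64url(SHA-256(keyAuthorization)) without padding
// (RFC 8555 section 8.4); keyAuthorization is token + "." + account key thumbprint.
func DNS01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// DNS01RecordName is the FQDN carrying the TXT record. The wildcard label is
// dropped: "*.dev1600.mydomain.com" is validated via "_acme-challenge.dev1600.mydomain.com".
func DNS01RecordName(domain string) string {
	return "_acme-challenge." + strings.TrimPrefix(domain, "*.") + "."
}

// Provider has the same two methods as lego's challenge.Provider, redefined
// locally so this example does not import lego (assumption for this example).
type Provider interface {
	Present(domain, token, keyAuth string) error
	CleanUp(domain, token, keyAuth string) error
}

// Recording stands in for a real DNS API and only remembers the records it
// would publish (constructed for this example).
type Recording struct{ Records map[string]string }

func (r *Recording) Present(domain, _ string, keyAuth string) error {
	r.Records[DNS01RecordName(domain)] = DNS01TXTValue(keyAuth)
	return nil
}

func (r *Recording) CleanUp(domain, _ string, _ string) error {
	delete(r.Records, DNS01RecordName(domain))
	return nil
}

// Throttled spaces out calls to the inner provider by at least Interval so a
// DNS provider's API rate limit is respected when a certificate has many SANs.
type Throttled struct {
	Inner    Provider
	Interval time.Duration
	mu       sync.Mutex
	last     time.Time
}

func (t *Throttled) wait() {
	t.mu.Lock()
	defer t.mu.Unlock()
	if d := time.Until(t.last.Add(t.Interval)); d > 0 {
		time.Sleep(d)
	}
	t.last = time.Now()
}

func (t *Throttled) Present(domain, token, keyAuth string) error {
	t.wait()
	return t.Inner.Present(domain, token, keyAuth)
}

func (t *Throttled) CleanUp(domain, token, keyAuth string) error {
	t.wait()
	return t.Inner.CleanUp(domain, token, keyAuth)
}

func main() {
	work, err := PendingDNS01([]byte(SampleAuths))
	if err != nil {
		panic(err)
	}
	prov := &Throttled{Inner: &Recording{Records: map[string]string{}}, Interval: 200 * time.Millisecond}
	const thumbprint = "EXAMPLE-ACCOUNT-KEY-THUMBPRINT" // placeholder; a real one is the JWK thumbprint
	for _, w := range work {
		keyAuth := w.Token + "." + thumbprint
		if err := prov.Present(w.Domain, w.Token, keyAuth); err != nil {
			panic(err)
		}
		fmt.Printf("%s TXT %s\n", DNS01RecordName(w.Domain), DNS01TXTValue(keyAuth))
	}
}
```

Only the two pending identifiers reach the provider; the valid one costs nothing beyond the CA round-trip that fetched its status, which is the point made in the reply above. Throttling is done by serialising `Present` and `CleanUp` under a mutex, so with N pending SANs the DNS phase takes at least (N-1) x Interval regardless of how many goroutines call into it.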

linsomniac commented 4 months ago

This comment has been moved over to issue #2180

ldez commented 4 months ago

@linsomniac it's not related to this issue, can you create a dedicated issue?