zerossl / zerossl

Easily secure any site and put certificate management on autopilot using ZeroSSL
https://zerossl.com

ZeroSSL acme certificate is taking more than 10 minutes to issue, which is too much time for production environment. #8

Open nswarnkar opened 3 years ago

nswarnkar commented 3 years ago

Hello, a few days back we tested ZeroSSL; the certificate was getting issued in approximately 100 seconds. Recently, on our live system, the certificate suddenly started taking much more time, even 11 minutes. Could you please look into this and suggest a solution?

fu-sen commented 3 years ago

I'm a user and recently issued a ZeroSSL certificate. I haven't had such an experience. What does your system use for ACME?

fu-sen commented 3 years ago

When issuing a new ZeroSSL certificate for a new domain, the ZeroSSL server performs domain authentication. Usually it is HTTP or DNS. ZeroSSL also supports email authentication, but ACME won't use it: https://zerossl.com/documentation/api/get-certificate/

Please note that name servers have a cache. Even if you switch the name server, the new server cannot be referenced immediately. If it takes a long time to issue a ZeroSSL certificate, this is the usual cause.

If you have experience with Let's Encrypt, Let's Encrypt has almost the same authentication and has the same problem.

nswarnkar commented 3 years ago

I am using cert-manager configured in Kubernetes. Please find the logs, which clearly show that DNS challenge creation to verification took 10 minutes:

Certificate Request Order Created (Step#1)

I0419 09:40:29.141914       1 sync.go:187] cert-manager/controller/orders "msg"="order URL not set, submitting Order to ACME server" "resource_kind"="Order" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087" "resource_namespace"="wg-connections"
I0419 09:40:29.152667       1 acme.go:198] cert-manager/controller/certificaterequests-issuer-acme/sign "msg"="acme Order resource is not in a ready state, waiting..." "related_resource_kind"="Order" "related_resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087" "related_resource_namespace"="wg-connections" "resource_kind"="CertificateRequest" "resource_name"="cert-6570e43daab6bc6e-vjxs6" "resource_namespace"="wg-connections"
I0419 09:40:33.234270       1 acme.go:198] cert-manager/controller/certificaterequests-issuer-acme/sign "msg"="acme Order resource is not in a ready state, waiting..." "related_resource_kind"="Order" "related_resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087" "related_resource_namespace"="wg-connections" "resource_kind"="CertificateRequest" "resource_name"="cert-6570e43daab6bc6e-vjxs6" "resource_namespace"="wg-connections"

DNS->Challenge initiation & propagation process (Started, Step#2)

I0419 09:40:33.953545       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"
I0419 09:42:36.769270       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"
I0419 09:44:39.287197       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"
I0419 09:46:41.449938       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"
I0419 09:48:43.749327       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"
I0419 09:50:38.569134       1 dns.go:116] cert-manager/controller/challenges/Check "msg"="checking DNS propagation" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01" "nameservers"=["10.43.0.10:53"]
I0419 09:50:38.801030       1 dns.go:128] cert-manager/controller/challenges/Check "msg"="waiting DNS record TTL to allow the DNS01 record to propagate for domain" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_nam
I0419 09:51:38.801168       1 dns.go:130] cert-manager/controller/challenges/Check "msg"="ACME DNS01 validation record propagated" "dnsName"="6570e43daab6bc6e.vpn.my_domain.com" "domain"="6570e43daab6bc6e.vpn.my_domain.com" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01" "fqdn"="_acme-challenge.6570e43daab6bc6e.vpn.my_domain.com."

DNS->Challenge initiation & propagation process (Finished, Step#3) - Took 10 minutes

DNS->Finalize Certificate wrt Kubernetes (like creating/updating keys for the Certificate: Step#4)

I0419 09:51:38.801203       1 sync.go:336] cert-manager/controller/challenges/acceptChallenge "msg"="accepting challenge with ACME server" "dnsName"="6570e43daab6bc6e.vpn.testwebrtc.de" "resource_kind"="Challenge" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087-1711131633" "resource_namespace"="wg-connections" "type"="dns-01"

I0419 09:51:43.041768       1 sync.go:143] cert-manager/controller/orders "msg"="Finalizing Order as order state is 'Ready'" "resource_kind"="Order" "resource_name"="cert-6570e43daab6bc6e-vjxs6-3446206087" "resource_namespace"="wg-connections"
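One way to pin down where the time goes in logs like the ones above is to time the DNS-01 phases per Challenge. The following parser is an added example, not part of this thread or of cert-manager itself; it reads cert-manager's klog-style lines, counts the Present attempts per Challenge, measures the gap from the first Present to "validation record propagated", and collects E-level errors such as the 504 from the orders controller. The sample lines are constructed, patterned on the output posted above with shortened names.

```python
import re
from collections import defaultdict
from datetime import datetime

# klog header: level (I/W/E) + MMDD, clock, thread id, file:line] logger, then "key"="value" pairs.
HEADER = re.compile(r'^([IWE])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+\S+\]\s+(\S+)\s*(.*)$')
KV = re.compile(r'"(\w+)"="([^"]*)"')

def parse_line(line):
    """Return header fields plus the quoted key/value pairs, or None if the line is not klog."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    level, mmdd, clock, logger, rest = m.groups()
    # klog omits the year, so timestamps land in 1900: only differences are meaningful.
    ts = datetime.strptime(f"{mmdd} {clock}", "%m%d %H:%M:%S.%f")
    return {"level": level, "ts": ts, "logger": logger, **dict(KV.findall(rest))}

def dns01_timeline(lines):
    """Per Challenge: Present attempts and seconds from first Present to 'record propagated';
    plus every E-level error text (e.g. the 504 Gateway Time-out returned by the CA)."""
    first_present, propagated, errors = {}, {}, []
    attempts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name, msg = rec.get("resource_name"), rec.get("msg", "")
        if msg.startswith("presenting DNS01 challenge"):
            attempts[name] += 1
            first_present.setdefault(name, rec["ts"])  # keep the earliest attempt
        elif msg.startswith("ACME DNS01 validation record propagated"):
            propagated[name] = rec["ts"]
        elif rec["level"] == "E":
            errors.append(rec.get("error", msg))
    report = {}
    for name, start in first_present.items():
        end = propagated.get(name)
        report[name] = {"present_attempts": attempts[name],
                        "propagation_seconds": (end - start).total_seconds() if end else None}
    return report, errors

# Constructed sample lines, patterned on the cert-manager output in this thread (names shortened).
SAMPLE = [
    'I0419 09:40:33.953545       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="abc.example.test" "resource_kind"="Challenge" "resource_name"="cert-abc-1" "type"="dns-01"',
    'I0419 09:42:36.769270       1 dns.go:102] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="abc.example.test" "resource_kind"="Challenge" "resource_name"="cert-abc-1" "type"="dns-01"',
    'I0419 09:50:38.569134       1 dns.go:116] cert-manager/controller/challenges/Check "msg"="checking DNS propagation" "resource_name"="cert-abc-1" "nameservers"=["10.43.0.10:53"]',
    'I0419 09:51:38.801168       1 dns.go:130] cert-manager/controller/challenges/Check "msg"="ACME DNS01 validation record propagated" "resource_name"="cert-abc-1" "fqdn"="_acme-challenge.abc.example.test."',
    'E0603 05:00:48.480760       1 controller.go:158] cert-manager/controller/orders "msg"="re-queuing item due to error processing" "error"="error syncing order status: 504 : 504 Gateway Time-out" "key"="wg-connections/cert-xyz-1"',
]
```

Feed it `kubectl logs` output from the cert-manager controller pod; a Challenge with many Present attempts and a long propagation gap points at the name server side, while E-level 504 entries point at the CA.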

fu-sen commented 3 years ago

It looks like my comment is correct. ZeroSSL is DNS-01 authentication and the corresponding server is not visible. You may need to address your name server to resolve this issue. This is clearly not a ZeroSSL issue.

fu-sen commented 3 years ago

After setting up a subdomain, are you checking the record "from elsewhere"? For example, this would be useful: https://toolbox.googleapps.com/apps/dig/

nswarnkar commented 3 years ago

I faced this issue again; this time it is even more than one hour, and still the certificate is not generated. Cert Manager suggests 504 Gateway Timeout. The domain name against which the certificate needs to be generated is ping-able.

(base) neeraj@ubuntu:~$ ping 6313b09c122fe476.my-domain.com
PING 6313b09c122fe476.my-domain.com (IP->A.B.C.D(masked for security reasons)) 56(84) bytes of data.
64 bytes from W.X.Y.Z.amazonaws.com (IP->A.B.C.D(masked for security reasons)): icmp_seq=1 ttl=44 time=204 ms
64 bytes from W.X.Y.Z.amazonaws.com (IP->A.B.C.D(masked for security reasons)): icmp_seq=2 ttl=44 time=415 ms
64 bytes from W.X.Y.Z.amazonaws.com (IP->A.B.C.D(masked for security reasons)): icmp_seq=3 ttl=44 time=147 ms
64 bytes from W.X.Y.Z.amazonaws.com (IP->A.B.C.D(masked for security reasons)): icmp_seq=4 ttl=44 time=292 ms

Please check the cert-manager logs (504 Gateway Timeout):

I0603 05:00:47.436361 1 sync.go:143] cert-manager/controller/orders "msg"="Finalizing Order as order state is 'Ready'" "resource_kind"="Order" "resource_name"="cert-6313b09c122fe476-8r9q7-2487832066" "resource_namespace"="wg-connections"
I0603 05:00:48.309471 1 sync.go:224] cert-manager/controller/orders "msg"="Fetching Order metadata from ACME server" "resource_kind"="Order" "resource_name"="cert-6313b09c122fe476-8r9q7-2487832066" "resource_namespace"="wg-connections"
E0603 05:00:48.480760 1 controller.go:158] cert-manager/controller/orders "msg"="re-queuing item due to error processing" "error"="error syncing order status: 504 : 504 Gateway Time-out" "key"="wg-connections/cert-6313b09c122fe476-8r9q7-2487832066"

nswarnkar commented 3 years ago

> After setting up a subdomain, are you checking the record "from elsewhere"? For example, this would be useful: https://toolbox.googleapps.com/apps/dig/

We are using AWS route53.

fgilio commented 3 years ago

I've seen this problem live in production hundreds of times already. When everything is working fine, ZeroSSL takes between 15 and 25 seconds to issue a certificate, but it can take minutes to do so.

imho 20 seconds is already too much, considering Let's Encrypt is almost instant.

Murphy-hub commented 1 year ago

> I've seen this problem live in production hundreds of times already. When everything is working fine, ZeroSSL takes between 15 and 25 seconds to issue a certificate, but it can take minutes to do so.
>
> imho 20 seconds is already too much, considering Let's Encrypt is almost instant.

Similar to this question: https://github.com/cert-manager/cert-manager/issues/5690

dcgsteve commented 1 year ago

Only responding to add that I am seeing exactly the same thing as well, using ZeroSSL through cert-manager - sometimes 1-2 mins, sometimes around 10 mins :(

Note: DNS is wildcard via CloudFlare

goranjviv commented 8 months ago

Unfortunately, I had to switch to another CA with ACME. ZeroSSL certificate renewal timed out a couple of times. After switching to another CA, everything was done in 2-3 minutes.

guillerodriguez commented 5 months ago

> Unfortunately, I had to switch to another CA with ACME. ZeroSSL certificate renewal timed out a couple of times. After switching to another CA, everything was done in 2-3 minutes.

Which CA?