Slow creation for new domain #1049

Closed
cpontvieux-systra opened this issue Aug 11, 2023 · 3 comments · Fixed by nginx-proxy/docker-gen#577, nginx-proxy/docker-gen#578 or #1078

Comments

@cpontvieux-systra

https://github.com/nginx-proxy/acme-companion/blob/9fbd6684efba2d740f195f12888362307d26bb59/app/letsencrypt_service#L432C5-L432C5

This loop can take a long moment if you have lots of domains/containers. This is NOT a problem for certificate renewal, but it is for certificate CREATION.

This list is ordered (by Go) in alphabetical order. If your new domain starts with the letter V for instance, you have to wait for the ACME script to walk through all previous domains (even if no action is required yet) before reaching your new domain.

This can prevent your domain from being ready for several minutes if you have lots of domains, and this time varies a lot based on your domain name (alphabetical order).

  • What solution is possible?
  • Can this loop be split into multiple chunks and run in parallel? And then using a wait before going on?
  • Did I reach a point where nginx + acme-companion is not a viable solution anymore? What do you recommend if this is the case?

@mickaelperrin
Contributor

@buchdag Thanks for providing a fix for this issue (and maintaining this project).

I however have some questions regarding the fix. My understanding of how the acme companion works is that the nginx service is restarted at the end of the acme loop. So basically, changing the order of processing certificates should not change anything, right?

I was wondering also, when the processing is started in response to an event, can't we only do the loop over the certificates related to the container events?

Thanks,

@cpontvieux-systra
Author

@mickaelperrin you made a point, but it’s better to open a new issue than to comment on a closed one ;-)

@buchdag
Member

buchdag commented Nov 25, 2024

This is still not perfect (certificates are still checked / created in sequence during the service loop) but should be significantly better with #1078 and #1166 combined: the certificates are handled in reverse container creation time order and nginx is reloaded as soon as a certificate is created or renewed.
