Lego: Question: why is lego doing network communication when certificate is not due for renewal?

Created on 18 Jun 2020 · 3 Comments · Source: go-acme/lego

When I boot my server with statically configured IP addresses, the network is not yet up (see Running Services After the Network is up) when lego renew is executed.

However, because the certificate is not due for renewal, it should not be a problem from my understanding. However, here is what happens:

2020/06/18 07:38:17 Could not create client: get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get "https://acme-staging-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org: device or resource busy

If I retry manually after the network is up, here is what I get:

2020/06/18 07:39:41 [example.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.
  • Why the network call (e.g.: DNS query on acme-staging-v02.api.letsencrypt.org)?
  • Is it because of a lego implementation detail or the ACME protocol specification?

I imagined that the first thing lego would do is to check if the certificate is due for renewal and stop right there if it is not, no network call needed.

Configuration

  • Version: lego version 3.7.0 linux/amd64
  • Operating system: NixOS
Label: question

All 3 comments

Hello,

the acme API is "dynamic" by specification, so when we create a client we have to do a call to an endpoint /directory to get the other endpoints (https://tools.ietf.org/html/rfc8555#section-7.1.1)

the acme API is "dynamic" by specification, so when we create a client we have to do a call to an endpoint /directory to get the other endpoints (https://tools.ietf.org/html/rfc8555#section-7.1.1)

Do we need to create a client when the renewal is not due?

I don't mean to be rude, but I genuinely would like to understand if there is a way to fix this.

As it turned out, the STP (Spanning Tree Protocol) was the cause of my server not being able to communicate during the first 30 seconds after boot up. Enabling PortFast fixed it. But my point is that we have a valid use case of Lego starting at a moment the network is not available. It would be beneficial to avoid a network call if not necessary, or to understand why it is necessary.
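The ordering the reporter is asking for, checking the certificate's remaining lifetime locally before doing anything that needs the network, can be shown in a few lines of Go. The program below is an added example written for this page; it is not lego's code. It assumes a placeholder `connect` callback standing in for client creation (the /directory fetch of RFC 8555 section 7.1.1), a `renewDays` threshold modelled on the "expires in N days, renewal is M days: no renewal" rule from the log line above, and a constructed self-signed certificate as sample input in place of a real Let's Encrypt certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DaysUntilExpiry parses a PEM-encoded certificate and returns the whole
// days left before NotAfter, measured from now. It is purely local and
// touches no network.
func DaysUntilExpiry(certPEM []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("input contains no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, fmt.Errorf("parse certificate: %w", err)
	}
	// X.509 validity times carry second precision, so compare at that precision.
	return int(cert.NotAfter.Sub(now.Truncate(time.Second)).Hours() / 24), nil
}

// RenewIfDue decides renewal from the local certificate first and only then
// calls connect, the hypothetical stand-in for building the ACME client.
// renewDays plays the role of a "--days" style threshold (assumption): renew
// when that many days or fewer remain. It returns whether connect was called.
func RenewIfDue(certPEM []byte, renewDays int, now time.Time, connect func() error) (bool, error) {
	remaining, err := DaysUntilExpiry(certPEM, now)
	if err != nil {
		return false, err
	}
	if remaining > renewDays {
		fmt.Printf("certificate expires in %d days, renewal threshold is %d: no renewal, no network call\n", remaining, renewDays)
		return false, nil
	}
	fmt.Printf("certificate expires in %d days: building ACME client\n", remaining)
	return true, connect()
}

// SelfSignedCert builds a throwaway self-signed certificate (constructed
// sample input, not a CA-issued certificate) valid for validDays from now.
func SelfSignedCert(host string, validDays int, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now = now.Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// A directory fetch that fails the way it does before the network is up.
	connect := func() error {
		return errors.New("dial tcp: lookup acme-staging-v02.api.letsencrypt.org: device or resource busy")
	}
	for _, valid := range []int{89, 10} {
		certPEM, err := SelfSignedCert("example.com", valid, now)
		if err != nil {
			panic(err)
		}
		called, err := RenewIfDue(certPEM, 30, now, connect)
		fmt.Printf("valid %d days: client built=%v err=%v\n", valid, called, err)
	}
}
```

With 89 days left the program never invokes `connect`, so the "device or resource busy" lookup failure from the issue cannot occur; with 10 days left it builds the client and surfaces the error, which is the point at which a network-dependent unit should be retried.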
