Validate 1 certificate's domains in parallel #270

Closed
opened 2025-12-29 01:20:40 +01:00 by adam · 3 comments

Originally created by @rudiedirkx on GitHub (Jan 7, 2018).

DNS validation is very slow (30s - 5m per domain). A certificate can have many domains. Adding and validating records serially is very slow, where most of the time spent is waiting for DNS to update. Is it possible to start all validations at the same time, and then wait once, and then clean up all at once? Does Let's Encrypt even support that? Could Dehydrated?

Just to be sure: I am talking about multiple domains in 1 certificate, not running multiple dehydrateds in parallel.

HTTP challenges are super fast, so it doesn't matter there, but v2 wildcards only accept DNS challenges.

adam closed this issue 2025-12-29 01:20:40 +01:00

@rudiedirkx commented on GitHub (Jan 7, 2018):

Hooks for 1 cert with 2 domains:

  1. startup_hook
  2. deploy_challenge
  3. (validated by LE)
  4. clean_challenge
  5. deploy_challenge
  6. (validated by LE)
  7. clean_challenge
  8. deploy_cert
  9. exit_hook

2 and 6 have to take a long time, waiting for DNS, so 3 and 6 definitely find the records.

Between 1 and 2 I see

```
+ Requesting challenge for dns5.example.com...
+ Requesting challenge for dns6.example.com...
```

so it seems like Dehydrated knows all token values at once. A new hook (?) with all challenges at once would be awesome. I haven't looked at the code, my (ba)sh sucks.


@txr13 commented on GitHub (Jan 7, 2018):

You want to use `HOOK_CHAIN=yes`.

See https://github.com/lukas2511/dehydrated/blob/master/docs/hook_chain.md.
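
A sketch of a dns-01 hook written for `HOOK_CHAIN=yes`, added here as an example and not part of the thread or of dehydrated itself. It assumes the chained call passes `domain token_filename token_value` triples as described in the linked hook_chain documentation; `dns_add_txt`, `dns_del_txt` and `wait_for_dns` are hypothetical stand-ins for a DNS provider's API and only log to `PLAN` here.

```shell
#!/bin/sh
# Added example: deploy every TXT record first, wait for DNS once, clean up once.
PLAN=""   # constructed log of operations, so the order of calls is visible

dns_add_txt()  { PLAN="${PLAN}add:$1=$2;"; }   # hypothetical: create TXT record
dns_del_txt()  { PLAN="${PLAN}del:$1=$2;"; }   # hypothetical: delete TXT record
wait_for_dns() { PLAN="${PLAN}wait;"; }        # hypothetical: poll until propagated

# Walk the (domain, token_filename, token_value) triples and call $1 on each.
each_challenge() {
  action="$1"; shift
  if [ $# -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
    echo "expected domain/file/token triples, got $# arguments" >&2
    return 1
  fi
  while [ $# -ge 3 ]; do
    # Defensive: drop a leading "*." in case a wildcard name is passed through.
    name=${1#\*.}
    # Two names can map to the same TXT name, so the provider call must add a
    # value to the record set rather than replace the existing one.
    "$action" "_acme-challenge.${name}" "$3"
    shift 3
  done
}

deploy_challenge() {
  each_challenge dns_add_txt "$@" || return 1
  wait_for_dns   # a single wait covers every domain in the certificate
}

clean_challenge() {
  each_challenge dns_del_txt "$@"
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>
if [ $# -gt 0 ]; then
  handler="$1"; shift
  case "$handler" in
    deploy_challenge|clean_challenge) "$handler" "$@" ;;
    *) : ;;   # other hooks (startup_hook, deploy_cert, ...) are ignored here
  esac
fi
```
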


@rudiedirkx commented on GitHub (Jan 8, 2018):

Waaat? That exists too? With every single thing I learn about this repo, I love it more! I was all ready to get my bash on, and now I don't have to.

Reference: starred/dehydrated#270