Apache2 with letsencrypt is very slow

apache-2.4http2lets-encrypt

I have a problem with my server configurations,
My site works great with http requests, but when I changed it to https using letsencrypt certificate – to enable http2 – the server became really slow.
a normal request with http will take from 4 to 7 seconds, but when using https most requests (90%) take up to 45 seconds.
I have the latest stable version of apache and I've followed the official docs for installing letsencrypt.

I have been searching for a solution for almost a week, but with no luck, how can this be fixed?

Best Answer

1) Implementing SSL/TLS will naturally have extra latency. This is because the secure communication needs to be negotiated first. So HTTP is faster than HTTPS. But this should normally not cause your 4-7 seconds load time to go as high as 45 seconds.

2) This is not a Let's Encrypt issue. They just provide you with the certificate, like any other CAs out there. Their certificates do not take more time than others to load or negotiate.

3) Check if you have optimized your system already to use SSL/TLS. I suggest you just use 2048 bit keys rather than 4096 bit. All 2048 bit keys are considered safe as per industry standards and 4096 bit would only cost you more processing resources and time. But still, even with 4096 bit, that would not cost your load time to go up to 45 seconds.

You can also refer to Mozilla for some updated SSL directives and Ciphers.

Lastly, consider checking your VirtualHost and SSL configurations /etc/apache2/mods-enabled/ssl.conf. The issue is not directly with your certificate.

Related Solutions

Debian Jessie Nginx with OpenSSL 1.0.2 – Using ALPN Instead of NPN

Update 2016/08/08: nginx in jessie-backports (version 1.9.10-1~bpo8+3 was built against openssl >= 1.0.2~. Getting ALPN working now if running jessie just requires the packages out of jessie-backports, no need anymore to pull packages out of stretch.

Original answer: Well, here goes my answer, according to the comments: In my opinion, there aren't that many ways to solve this as of today, 2016/05/09. Basically you've to try somehow to get a modern nginx into your system, compiled against >= openssl 1.0.2~.

The only two options I see currently: Either you compile for yourself, which you don't want to do, which is quite understandable, or you pull in modern packages out of Debian stretch into your system. This involves some risks, because you're mixing a stable environment with another one, but in my opinion these risks are quite low, because you're using Debian.

So, let's go and try out this:

Add the Debian stretch repository to your apt sources. Don't use /etc/apt/sources.list for this, but instead use a dedicated file inside /etc/apt/sources.list.d/ to keep it clean, personally I'm using stretch.list.

Put these lines inside there:

deb http://httpredir.debian.org/debian/ stretch main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free

Set up apt pinning to make sure you only pull in packages out of Debian stretch which you're specifying. The file to use for this is /etc/apt/preferences, inside there, put:
```
Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: * 
Pin: release a=jessie-backports
Pin-Priority: 500

Package: *
Pin: release n=stretch
Pin-Priority: 100
```
(You might have to alter the suites and priorities to fit your environment.)
Run apt-get update (via sudo / as root) to update the package cache.
Install nginx from Debian stretch: apt-get install -t stretch nginx (do this via sudo / as root). Profit!
As I described in my comment(s), to even lower the risks involved, you could use something like a chroot or a container-solution like LXC. In case you want to go the chroot way, you have to set up a network interface inside there: To do this, have a look at this blogpost for example, which gives an introduction to network namespaces.
Hope this helps; in case you've got more question, feel free to contact me. I would appreciate feedback and I'm interested in how it goes.

Ssl – How to build Apache httpd 2.4.20 on CentOS 7 with http2 support

I notice you are using this cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

However that cipher is black listed for HTTP/2: https://www.rfc-editor.org/rfc/rfc7540

And by default mod_http2 will not allow you to negotiate with blacklisted ciphers: https://httpd.apache.org/docs/2.4/mod/mod_http2.html#h2moderntlsonly

So I wonder if that is the only problem and you just need to enable more modern cipher suites? Specifically a ECDHE with GCM rather than CBC suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25. You could always turn above flag off for your curl test but Chrome similarly uses this blacklist so you'll need to enable other ciphers anyway (and why wouldn't you want to since you've gone through the hassle of upgrading your openssl for this).

If that's not the issue then you could check out the step by step instructions I give here on how to build from source: https://www.tunetheweb.com/performance/http2/. I use Centos 7 and these steps work for me.

Best Answer

Related Solutions

Debian Jessie Nginx with OpenSSL 1.0.2 – Using ALPN Instead of NPN

Ssl – How to build Apache httpd 2.4.20 on CentOS 7 with http2 support

Related Topic