try to sign cert at most 4 times per hour

software/autocert/buildout.hash.cfg

@@ -15,12 +15,16 @@
 
 [template-instance]
 filename = instance.cfg.in
-md5sum = 9f90a93264649539688aba42de8f3fb8
+md5sum = e6364323aeb46eeaf1eb18a8c8467c82
 
 [template-autocert]
 filename = instance-autocert.cfg.jinja2.in
-md5sum = 4548acbdf256a6e0a62c11580cc32b94
+md5sum = a9bf562a4c6359931aceec75c36eec3c
 
 [template-dehydrated-config]
 filename = config.in
 md5sum = a12b0e12658a48658e366f3ed7c2e48e
+
+[template-sign-certificate.sh]
+filename = sign-certificate.sh.in
+md5sum = 3b16d126cf720152cc42e2a712ec734a

software/autocert/instance-autocert.cfg.jinja2.in

@@ -67,12 +67,14 @@ name = dehydrated-renew
 frequency = 0 0 * * 0
 command = {{ linux_util_location }}/bin/flock ${directory:dehydrated}/lock ${dehydrated-wrapper:wrapper-path} --cron --keep-going --no-lock
 
-[dehydrated-signcert]
-<= base-wrapper
-command-line = ${cron-entry-dehydrated:command}
-wrapper-path = ${directory:scripts}/dehydrated-signcert
-depends =
-  ${dehydrated-domains.txt:recipe}
+# Sign certificate for the first time, only try 4 times per hour to not exceed the limit
+# https://letsencrypt.org/docs/failed-validation-limit/
+[cron-entry-dehydrated-signcert]
+<= cron
+recipe = slapos.cookbook:cron.d
+name = dehydrated-sign
+frequency = 0/20 * * * *
+command = ${dehydrated-signcert:output}
 
 [dehydrated-wrapper]
 <= base-wrapper
@@ -80,6 +82,8 @@ command-line =
   {{ parameter_dict['dehydrated-location'] }}/dehydrated
   --config ${dehydrated-config:output}
 wrapper-path = ${directory:bin}/dehydrated
+depends =
+  ${dehydrated-domains.txt:recipe}
 
 [caucase-updater]
 recipe = slapos.cookbook:wrapper
@@ -135,6 +139,18 @@ name = upload-{{ domain }}
 frequency = 0 0 * * 0
 command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
 
+[dehydrated-signcert]
+recipe = slapos.recipe.template:jinja2
+url = {{ parameter_dict['template-signcert'] }}
+output = ${directory:bin}/dehydrated-signcert
+domain-list = {{ dumps(domain_list) }}
+context =
+  key base_directory            directory:dehydrated
+  key dehydrated_wrapper        dehydrated-wrapper:wrapper-path
+  key domain_list               :domain-list
+  raw flock_bin                 {{ linux_util_location }}/bin/flock
+mode = 755
+
 [promise-{{ domain }}]
 recipe = slapos.recipe.template:jinja2
 inline =
@@ -215,7 +231,7 @@ parts =
   httpd-listen-promise
   httpd-url-promise
   dehydrated-register
-  dehydrated-signcert
+  cron-entry-dehydrated-signcert
 
 # Complete parts with sections
   {{ part_list | join('\n  ') }}

software/autocert/instance.cfg.in

@@ -45,6 +45,7 @@ context =
 dehydrated-location = {{ dehydrated_location }}
 kedifa-location = {{ kedifa_location }}
 template-config = {{ template_dehydrated_config }}
+template-signcert = {{ template_signcert }}
 
 [dynamic-template-autocert]
 <= jinja2-template-base

software/autocert/sign-certificate.sh.in

+#!/bin/sh
+
+# Sign a single certificate for the first time (if not exists yet)
+BASE_DIR={{ base_directory }}
+
+sign_cert() {
+  BASE_DOMAIN=$1
+  DOMAINS=$2
+  if [ -s "$BASE_DIR/certs/$BASE_DOMAIN/fullchain.pem" ]; then
+    exit 0;
+  fi
+  {{ flock_bin }} -n $BASE_DIR/lock {{ dehydrated_wrapper }} --cron --no-lock --domain "$DOMAINS"
+}
+
+{% for domain_string in domain_list -%}
+sign_cert {{ domain_string.split(' ')[0] }} "{{ domain_string }}"
+{% endfor -%}

software/autocert/software.cfg

@@ -65,6 +65,7 @@ context =
     key template_monitor_cfg monitor2-template:output
     key template_autocert template-autocert:target
     key template_dehydrated_config template-dehydrated-config:target
+    key template_signcert template-sign-certificate.sh:target
 
 [template-autocert]
 <= download-template
@@ -73,6 +74,9 @@ output = ${buildout:directory}/instance-autocert.cfg.jinja2
 [template-dehydrated-config]
 <= download-template
 
+[template-sign-certificate.sh]
+<= download-template
+
 [versions]
 caucase = 0.9.15
 kedifa = 0.0.6