Distribute certificate renewal time over the day #255

Closed
MarcelWaldvogel opened this issue Jan 17, 2021 · 1 comment · Fixed by #259

@MarcelWaldvogel
Contributor

MarcelWaldvogel commented Jan 17, 2021

Right now, all certificates of all https-portal instances worldwide are renewed at 07:42 sharp (UTC). This is bad for our friends at Let's Encrypt that provide that great service, as it causes peaks, potentially massive as https-portal gains traction.

Therefore, it seems necessary to distribute the renewal process over time. Two options come to mind, apart from switching to systemd 😉:

  1. Randomize the cron job starting time when installing /etc/crontab.
    • Will require patching the cron file when the local container starts up, not at image creation time
    • Will still concentrate the to the beginning of the minutes
  2. Wait a number of seconds (and possibly fractions thereof) when running /bin/renew_certs
    • Will cause processes to hang around, sleeping
    • Only a small portion of the day will be used, assuming less than 86400 seconds of random delay

I do recommend combining both strategies:

  1. Instead of installing /etc/crontab, /etc/crontab.template is installed, with the renewal line marked somehow and the system-provided /etc/crontab removed
  2. As part of the cron startup (/etc/services.d/020-cron/run), /etc/crontab.template is transformed into /etc/crontab (if that is missing), with the renewal time randomized between 00:00 and 23:59
  3. /bin/renew_certs performs a sleep(Random.rand(60.0)) first (assuming it is only ever called from cron, otherwise a command line parameter would be necessary to enable this)

If you think this is the way to go, I'll happily provide a PR to that effect.

BTW: It is also questionable whether 03:45 UTC is a good time to rotate logs for everyone in the world. But I do not think that there is an urgent need to change this right now.

@SteveLTN
Owner

Thank you for noticing this! I'd be glad to accept any PRs regarding this. This is indeed a problem when I think about it now. When I started the project I intended it for personal use and didn't expect it to become so popular at all.

I agree with your solution in general. Just a few tips:

Currently all templates are created in Ruby's erb format, such as nginx.conf.erb. You can easily render the templates using the helper class ERBBinding. Check this.

The certs_manager#setup is run before s6-overlay starts the main Nginx process and crond, so it would be a perfect place for generating /etc/crontab.

Feel free to ask any questions. And if you feel tired at any point, feel free to submit anything you have and I can take over.
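
The combined strategy discussed in this thread (a random minute of the day written into /etc/crontab at container start, plus a sub-minute sleep in the renewal script), as an added sketch that is not https-portal's own code and not the change merged in #259. The template text, the function names and the use of plain `ERB#result_with_hash` instead of the project's ERBBinding helper are assumptions; `peak_per_second` only simulates how many instances would contact the CA in the same second.

```ruby
require 'erb'

# Constructed template in /etc/crontab format; only the renewal line is templated.
CRONTAB_TEMPLATE = <<~TEMPLATE
  # m h dom mon dow user command
  <%= minute %> <%= hour %> * * * root /bin/renew_certs
TEMPLATE

# Pick one of the 1440 minutes of the day uniformly (00:00 to 23:59).
def random_renewal_slot(rng = Random.new)
  minute_of_day = rng.rand(24 * 60)
  { hour: minute_of_day / 60, minute: minute_of_day % 60 }
end

def render_crontab(slot, template = CRONTAB_TEMPLATE)
  ERB.new(template).result_with_hash(slot)
end

# Generate the crontab only if it is missing, so a container keeps its slot
# across restarts instead of picking a new time on every start.
def ensure_crontab(path, rng = Random.new)
  return File.read(path) if File.exist?(path)
  content = render_crontab(random_renewal_slot(rng))
  tmp = "#{path}.tmp"
  File.write(tmp, content)
  File.rename(tmp, path) # atomic replace: cron never reads a partial file
  content
end

# Sub-minute delay (seconds, 0.0...60.0) to sleep at the start of the renewal script.
def renewal_jitter(rng = Random.new)
  rng.rand(60.0)
end

# Simulation: largest number of instances that fire within the same second.
def peak_per_second(instances, rng, randomized:)
  counts = Hash.new(0)
  instances.times do
    second = (7 * 60 + 42) * 60 # fixed schedule: everyone at 07:42:00
    if randomized
      slot = random_renewal_slot(rng)
      second = (slot[:hour] * 60 + slot[:minute]) * 60 + renewal_jitter(rng).floor
    end
    counts[second] += 1
  end
  counts.values.max
end
```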
