Optimize gateway startup and service update time (#2153)

Avoid running certbot if the certificate exists.
This greatly reduces the gateway startup time when
many services or entrypoints are being
re-registered. Running certbot can take 3-4
seconds, even if the certificate already exists
and there is nothing to do.

Certificate renewal is not an issue as it is done
by certbot's built-in systemd timer.

Author: jvstme

src/dstack/_internal/proxy/gateway/services/nginx.py

@@ -105,8 +105,11 @@ def write_conf(self, conf: str, conf_name: str) -> None:
                 sudo_rm(conf_path)
             raise
 
-    @staticmethod
-    def run_certbot(domain: str, acme: ACMESettings) -> None:
+    @classmethod
+    def run_certbot(cls, domain: str, acme: ACMESettings) -> None:
+        if cls.certificate_exists(domain):
+            return
+
         logger.info("Running certbot for %s", domain)
 
         cmd = ["sudo", "timeout", "--kill-after", str(CERTBOT_2ND_TIMEOUT), str(CERTBOT_TIMEOUT)]
@@ -134,6 +137,11 @@ def run_certbot(domain: str, acme: ACMESettings) -> None:
         if r.returncode != 0:
             raise ProxyError(f"Error obtaining {domain} TLS certificate:\n{r.stderr.decode()}")
 
+    @staticmethod
+    def certificate_exists(domain: str) -> bool:
+        cmd = ["sudo", "test", "-e", f"/etc/letsencrypt/live/{domain}/fullchain.pem"]
+        return subprocess.run(cmd, timeout=2).returncode == 0
+
     @staticmethod
     def get_config_name(domain: str) -> str:
         return f"443-{domain}.conf"