Improve performance of unless
Turns out that calling certbot for every certificate resource takes
ages on systems with a lot of certificates. Some comparison:

certbot: ~0.7s
openssl: ~0.01s
baurmatt committed Dec 18, 2018
1 parent 63fd8aa commit 460a7b7
Showing 2 changed files with 7 additions and 6 deletions.
5 changes: 3 additions & 2 deletions manifests/certonly.pp
Expand Up @@ -91,12 +91,13 @@
$live_path = "${config_dir}/live/${domains[0]}/cert.pem"

$execution_environment = [ "VENV_PATH=${letsencrypt::venv_path}", ] + $environment
$verify_domains = join($domains, ' -d ')
$verify_domains = join(unique($domains), ' ')
exec { "letsencrypt certonly ${title}":
command => $command,
path => $::path,
environment => $execution_environment,
unless => "test -f ${live_path} && ${letsencrypt_command} certificates --cert-name ${title} -d ${verify_domains} | grep -q 'Certificate Path'",
onlyif => "test -f ${live_path} && ( openssl x509 -in ${live_path} -text -noout | grep -oE 'DNS:[^\s,]*' | sed 's/^DNS://g;'; echo '${verify_domains}' | tr ' ' '\\n') | sort | uniq -c | grep -qv '^[ \t]*2[ \t]'",
provider => 'shell',
require => Class['letsencrypt'],
}

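Review bot: Moving the guard from `unless` to `onlyif` inverts the meaning of the leading `test -f ${live_path} &&`: with `onlyif`, the exec now runs only when the certificate file already exists and its SAN list differs, so a host with no certificate yet never gets one issued, whereas the removed `unless` let a missing file trigger the exec. The prefix should be inverted to `test ! -f ${live_path} || ( openssl x509 ... )` so that a missing live path forces issuance and the SAN comparison only decides the re-issue case; the three `with_onlyif` expectations in spec/defines/letsencrypt_certonly_spec.rb encode the same prefix and need the same change. A second, smaller behavioural shift is that the check no longer asks certbot about `--cert-name ${title}`, so a cert present on disk but no longer tracked by certbot would presumably be treated as up to date — worth a comment above the exec if that is intended. The enclosing define starts outside the hunk.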
8 changes: 4 additions & 4 deletions spec/defines/letsencrypt_certonly_spec.rb
Expand Up @@ -10,8 +10,7 @@
let(:title) { 'foo.example.com' }

it { is_expected.to contain_exec('letsencrypt certonly foo.example.com') }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_unless "test -f /etc/letsencrypt/live/foo.example.com/cert.pem && letsencrypt certificates --cert-name foo.example.com -d foo.example.com | grep -q 'Certificate Path'" }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command 'letsencrypt --text --agree-tos --non-interactive certonly -a standalone --cert-name foo.example.com -d foo.example.com' }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_onlyif "test -f /etc/letsencrypt/live/foo.example.com/cert.pem && ( openssl x509 -in /etc/letsencrypt/live/foo.example.com/cert.pem -text -noout | grep -oE 'DNS:[^ ,]*' | sed 's/^DNS://g;'; echo 'foo.example.com' | tr ' ' '\\n') | sort | uniq -c | grep -qv '^[ \t]*2[ \t]'" }
end

context 'with multiple domains' do
Expand Down Expand Up @@ -277,7 +276,7 @@
let(:title) { 'foo.example.com' }
let(:pre_condition) { "class { letsencrypt: email => 'foo@example.com', config_dir => '/foo/bar/baz', package_command => 'letsencrypt'}" }

it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with(unless: "test -f /foo/bar/baz/live/foo.example.com/cert.pem && letsencrypt certificates --cert-name foo.example.com -d foo.example.com | grep -q 'Certificate Path'") }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_onlyif "test -f /foo/bar/baz/live/foo.example.com/cert.pem && ( openssl x509 -in /foo/bar/baz/live/foo.example.com/cert.pem -text -noout | grep -oE 'DNS:[^ ,]*' | sed 's/^DNS://g;'; echo 'foo.example.com' | tr ' ' '\\n') | sort | uniq -c | grep -qv '^[ \t]*2[ \t]'" }
end
end
end
Expand All @@ -287,6 +286,7 @@
let(:facts) { { osfamily: 'FreeBSD', operatingsystem: 'FreeBSD', operatingsystemrelease: '10.3-RELEASE-p7', operatingsystemmajrelease: '10', path: '/usr/bin' } }
let(:pre_condition) { "class { letsencrypt: email => 'foo@example.com'}" }

it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with(unless: "test -f /usr/local/etc/letsencrypt/live/foo.example.com/cert.pem && certbot certificates --cert-name foo.example.com -d foo.example.com | grep -q 'Certificate Path'", command: %r{^certbot}) }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command %r{^certbot} }
it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_onlyif "test -f /usr/local/etc/letsencrypt/live/foo.example.com/cert.pem && ( openssl x509 -in /usr/local/etc/letsencrypt/live/foo.example.com/cert.pem -text -noout | grep -oE 'DNS:[^ ,]*' | sed 's/^DNS://g;'; echo 'foo.example.com' | tr ' ' '\\n') | sort | uniq -c | grep -qv '^[ \t]*2[ \t]'" }
end
end
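Review bot: The three new `with_onlyif` expectations repeat the same ~250-character shell pipeline verbatim and differ only in the live path, which hides the one thing each context actually varies and will mean three edits whenever the pipeline changes. A small spec helper such as `def onlyif_for(live_path) = "test -f #{live_path} && ( openssl x509 -in #{live_path} ... )"` (or a `let(:onlyif)` built from a per-context `let(:live_path)`) would let each example read `with_onlyif onlyif_for('/etc/letsencrypt/live/foo.example.com/cert.pem')`. Since these examples pin the literal command string rather than behaviour, they would not catch a regression in the exec's run/skip logic; that is presumably accepted for rspec-puppet, but worth noting next to the first expectation.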
