diff --git a/certbot.sh b/certbot.sh
index 6f1b905..be27bbe 100755
--- a/certbot.sh
+++ b/certbot.sh
@@ -1,5 +1,32 @@
 #!/bin/sh
+lock=/tmp/certbot.lck
+
+ensure() {
+ test -n "$1" && echo "$1 received, exiting gracefully..."
+
+ rm -f "${lock}"
+
+ # Fix permissions, users in group ssl have read access
+ find /etc/letsencrypt -type d | xargs -r chmod 2750
+ find /etc/letsencrypt -type f | xargs -r chmod 640
+ chgrp -R ssl /etc/letsencrypt
+
+ # Push certificates to nodes, we use SSH as a secure transport
+ # but this means we're synchronizing from container to host which is
+ # awkward. A restricted rsync treats / as the remote location for the
+ # certificates.
+ for NODE in ${NODES}; do
+ rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
+ done
+}
+
+for SIG in TERM QUIT INT HUP ERR; do
+ trap "ensure ${SIG}" ${SIG}
+done
+
+set -e
+
 case $1 in
 # Renew certificates, trust in certbot's algorithms
 renew) /usr/bin/certbot renew --quiet --agree-tos ;;
@@ -20,6 +47,10 @@ case $1 in
 done ;;
 # Generate certificates
 *)
+ # Only one instance can run at a time
+ test -f "${lock}" && exit 0
+ touch "${lock}"
+
 # Save headers here
 headers=/tmp/headers
 # Gets ETag from previous headers
@@ -50,15 +81,4 @@ case $1 in
 done
 esac
-# Fix permissions, users in group ssl have read access
-find /etc/letsencrypt -type d | xargs -r chmod 2750
-find /etc/letsencrypt -type f | xargs -r chmod 640
-chgrp -R ssl /etc/letsencrypt
-
-# Push certificates to nodes, we use SSH as a secure transport
-# but this means we're synchronizing from container to host which is
-# awkward. A restricted rsync treats / as the remote location for the
-# certificates.
-for NODE in ${NODES}; do
- rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/
-done
+ensure
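Review bot: The `trap "ensure ${SIG}" ${SIG}` line installs `ensure` as the handler but never exits, so after a TERM/INT/HUP the shell resumes at the interrupted command and `ensure` runs a second time when the trailing `ensure` call in the third hunk is reached; the "exiting gracefully" message is therefore not accurate. `ERR` is also not a POSIX trap condition, so under a `#!/bin/sh` that is dash or busybox ash that loop iteration is likely to fail with a "bad trap" diagnostic, and because `set -e` is only enabled afterwards the script carries on without any error handler. I would make the signal handlers terminate, e.g. `trap "ensure ${SIG}; exit 1" ${SIG}`, and either drop `ERR` from the list or change the shebang to bash, where `set -e` already runs the ERR trap before exiting. Separately, `find ... | xargs -r chmod` breaks on paths containing whitespace; `find /etc/letsencrypt -type d -exec chmod 2750 {} +` (and the same for `-type f`) avoids that.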
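Review bot: The `test -f "${lock}" && exit 0` / `touch "${lock}"` pair is a check-then-create race: two invocations started close together can both see no file and both proceed, which is exactly the situation the lock is meant to prevent. Because the lock lives in world-writable `/tmp`, any local user can pre-create `/tmp/certbot.lck` and every later run exits 0 without generating anything, and a run killed with SIGKILL (untrappable, so `ensure` never removes the file) leaves a stale lock with the same silent effect. A POSIX-portable atomic alternative that keeps the `rm -f` in `ensure` working is `( set -C; : > "${lock}" ) 2>/dev/null || { echo "lock ${lock} held, exiting" >&2; exit 0; }`, with the lock moved to a directory only the script's user can write (a root-owned runtime directory such as `/run`). The enclosing `*)` arm continues outside the hunk.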
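Review bot: The unconditional `ensure` at the end runs `rm -f "${lock}"` for every arm, including `renew`, which never acquired the lock, so a `renew` run finishing while a generate run is still in progress removes the other instance's lock and lets a third invocation start concurrently. The same happens when one of the signal traps from the first hunk fires inside a `renew` run. I would tie removal to ownership: initialise `have_lock=` next to `lock=`, set `have_lock=1` right after the lock is created in the `*)` arm, and in `ensure` replace the removal with `test -n "${have_lock}" && rm -f "${lock}"`.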