From d32a39acfc874df2178eb6a9c475038b3634f5c7 Mon Sep 17 00:00:00 2001 From: f Date: Tue, 8 Mar 2022 14:40:02 -0300 Subject: [PATCH] there can only be one --- certbot.sh | 44 ++++++++++++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/certbot.sh b/certbot.sh index 6f1b905..be27bbe 100755 --- a/certbot.sh +++ b/certbot.sh @@ -1,5 +1,32 @@ #!/bin/sh +lock=/tmp/certbot.lck + +ensure() { + test -n "$1" && echo "$1 received, exiting gracefully..." + + rm -f "${lock}" + + # Fix permissions, users in group ssl have read access + find /etc/letsencrypt -type d | xargs -r chmod 2750 + find /etc/letsencrypt -type f | xargs -r chmod 640 + chgrp -R ssl /etc/letsencrypt + + # Push certificates to nodes, we use SSH as a secure transport + # but this means we're synchronizing from container to host which is + # awkward. A restricted rsync treats / as the remote location for the + # certificates. + for NODE in ${NODES}; do + rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/ + done +} + +for SIG in TERM QUIT INT HUP ERR; do + trap "ensure ${SIG}" ${SIG} +done + +set -e + case $1 in # Renew certificates, trust in certbot's algorithms renew) /usr/bin/certbot renew --quiet --agree-tos ;; @@ -20,6 +47,10 @@ case $1 in done ;; # Generate certificates *) + # Only one instance can run at a time + test -f "${lock}" && exit 0 + touch "${lock}" + # Save headers here headers=/tmp/headers # Gets ETag from previous headers @@ -50,15 +81,4 @@ case $1 in done esac -# Fix permissions, users in group ssl have read access -find /etc/letsencrypt -type d | xargs -r chmod 2750 -find /etc/letsencrypt -type f | xargs -r chmod 640 -chgrp -R ssl /etc/letsencrypt - -# Push certificates to nodes, we use SSH as a secure transport -# but this means we're synchronizing from container to host which is -# awkward. A restricted rsync treats / as the remote location for the -# certificates. -for NODE in ${NODES}; do - rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/ -done +ensure