certbotd.sh

@@ -11,29 +11,29 @@ updated=/tmp/certbot.updated
 ensure() {
   test -n "$1" && echo "ok - $1 received, exiting gracefully..." >&2
 
-  if test -f "${updated}" ; then
-    rm -f "${updated}"
-
-    # Fix permissions, users in group ssl have read access
-    find /etc/letsencrypt -type d | xargs -r chmod 2750
-    find /etc/letsencrypt -type f | xargs -r chmod 640
-    chgrp -R ssl /etc/letsencrypt
-
-    if ! ${SINGLE_NODE:-false}; then
-      for NODE in ${NODES}; do
-        rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/ || continue
-      done
-    fi
-  fi
-
-  # Remove the lock after synchronization
   rm -f "${lock}"
 
-  # Exit with the error code
-  exit $1
+  test -f "${updated}" || exit 0
+
+  rm -f "${updated}"
+
+  # Fix permissions, users in group ssl have read access
+  find /etc/letsencrypt -type d | xargs -r chmod 2750
+  find /etc/letsencrypt -type f | xargs -r chmod 640
+  chgrp -R ssl /etc/letsencrypt
+
+  ${SINGLE_NODE:-false} && exit 0
+
+  # Push certificates to nodes, we use SSH as a secure transport
+  # but this means we're synchronizing from container to host which is
+  # awkward.  A restricted rsync treats / as the remote location for the
+  # certificates.
+  for NODE in ${NODES}; do
+    rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/ || continue
+  done
 }
 
-for SIG in 1 2 3 6 9 14 15; do
+for SIG in TERM QUIT INT HUP; do
   trap "ensure ${SIG}" ${SIG}
 done
 
@@ -92,7 +92,7 @@ case $1 in
       | jq --raw-output .[] \
       | while read domain; do
           # Skip already existing domains
-          if test -f "/etc/letsencrypt/renewal/${domain}.conf"; then
+          if test -d "/etc/letsencrypt/renewal/${domain}.conf"
             echo "ok - ${domain} already issued" >&2
             continue
           fi
@@ -115,4 +115,4 @@ case $1 in
         done
 esac
 
-ensure 0
+ensure