acme: prevent concurrent running of acme get

Issuing certificates concurrently should not be supported.

Signed-off-by: Glen Huang <i@glenhuang.com>

diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh
index 1ed32af7e1a3222cc15e1200223ce3496ac486a2..141a2a2cf6e041af22b7e735928a020ce1fa43b7 100644 (file)
--- a/net/acme-common/files/acme.sh
+++ b/net/acme-common/files/acme.sh
@@ -11,7 +11,7 @@
 export state_dir=/etc/acme
 export account_email=
 export debug=0
-export challenge_dir='/var/run/acme/challenge'
+export run_dir=/var/run/acme
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -23,6 +23,9 @@ LOG_TAG=acme
 
 cleanup() {
        log debug "cleaning up"
+       if [ -e $run_dir/lock ]; then
+               rm $run_dir/lock
+       fi
        if [ "$NFT_HANDLE" ]; then
                # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
                nft delete rule inet fw4 input $NFT_HANDLE
@@ -60,7 +63,7 @@ load_options() {
        config_get webroot "$section" webroot
        export webroot
        if [ "$webroot" ]; then
-               log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge."
+               log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
        fi
 }
 
@@ -112,6 +115,15 @@ load_globals() {
        return 1
 }
 
+cmd_get() {
+       trap cleanup EXIT
+
+       config_load acme
+       config_foreach load_globals acme
+
+       config_foreach get_cert cert
+}
+
 usage() {
        cat <<EOF
 Usage: acme <command> [arguments]
@@ -128,11 +140,14 @@ fi
 
 case $1 in
 get)
-       config_load acme
-       config_foreach load_globals acme
-
-       trap cleanup EXIT
-       config_foreach get_cert cert
+       mkdir -p $run_dir
+       {
+               if ! flock -n 200; then
+                       log err "Another ACME instance is already running."
+                       exit 1
+               fi
+               cmd_get "$@"
+       } 200>$run_dir/lock
        ;;
 *)
        usage