From 035cc09e7f2b3619adce079ee266ad354f32e53b Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Sat, 22 Oct 2022 21:46:51 +0800 Subject: [PATCH] acme: prevent concurrent running of acme get Issuing certificates concurrently should not be supported. Signed-off-by: Glen Huang --- net/acme-common/files/acme.sh | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/net/acme-common/files/acme.sh b/net/acme-common/files/acme.sh index 1ed32af7e1..141a2a2cf6 100644 --- a/net/acme-common/files/acme.sh +++ b/net/acme-common/files/acme.sh @@ -11,7 +11,7 @@ export state_dir=/etc/acme export account_email= export debug=0 -export challenge_dir='/var/run/acme/challenge' +export run_dir=/var/run/acme NFT_HANDLE= HOOK=/usr/lib/acme/hook LOG_TAG=acme @@ -23,6 +23,9 @@ LOG_TAG=acme cleanup() { log debug "cleaning up" + if [ -e $run_dir/lock ]; then + rm $run_dir/lock + fi if [ "$NFT_HANDLE" ]; then # $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft nft delete rule inet fw4 input $NFT_HANDLE @@ -60,7 +63,7 @@ load_options() { config_get webroot "$section" webroot export webroot if [ "$webroot" ]; then - log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge." + log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge." fi } @@ -112,6 +115,15 @@ load_globals() { return 1 } +cmd_get() { + trap cleanup EXIT + + config_load acme + config_foreach load_globals acme + + config_foreach get_cert cert +} + usage() { cat < [arguments] @@ -128,11 +140,14 @@ fi case $1 in get) - config_load acme - config_foreach load_globals acme - - trap cleanup EXIT - config_foreach get_cert cert + mkdir -p $run_dir + { + if ! flock -n 200; then + log err "Another ACME instance is already running." + exit 1 + fi + cmd_get "$@" + } 200>$run_dir/lock ;; *) usage -- 2.30.2