Avoid race condition when renewing certificates

deric · deric · commit 40e6fb737cf8 · 2023-03-31T11:07:16.000+02:00
Only single certificate can be processed at the same time. Make sure to
obtain exclusive lock before executing renewal command.
diff --git a/files/certbot_lock.sh b/files/certbot_lock.sh
@@ -0,0 +1,14 @@
+# Managed by Puppet
+LOCKFILE="/var/lock/certbot"
+LOCKFD=99
+# private
+function _lock()          { flock "$@" $LOCKFD; }
+function _release_lock()  { _lock -u; _lock -xn && rm -f $LOCKFILE; }
+function _prepare_lock()  { eval "exec $LOCKFD>\"$LOCKFILE\""; trap _release_lock EXIT; }
+
+# on start
+_prepare_lock
+
+# public
+function exlock()         { _lock -x --timeout 30; }   # obtain an exclusive lock
+function unlock()         { _lock -u; }                # drop a lock
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -92,6 +92,12 @@
 
   contain letsencrypt::renew
 
+  file { '/usr/share/certbot_lock.sh':
+    ensure  => file,
+    mode    => '0544',
+    content => file("${module_name}/certbot_lock.sh"),
+  }
+
   $certificates.each |$certificate, $properties| {
     letsencrypt::certonly { $certificate: * => $properties }
   }
diff --git a/templates/renew-script.sh.erb b/templates/renew-script.sh.erb
@@ -2,4 +2,9 @@
 <%- @environment.each do |environment| -%>
 export <%= environment %>
 <%- end -%>
+if [ -f '/usr/share/certbot_lock.sh' ]; then
+  . '/usr/share/misc/certbot_lock.sh'
+fi
+exlock
 <%= @cron_cmd %>
+unlock
