Added option to run letsencrypt.sh without locks

This should only be used when letsencrypt.sh is under control by a different script which makes sure that no two processes are touching the same files.

Added option to run letsencrypt.sh without locks
This should only be used when letsencrypt.sh is under control by a different script which makes sure that no two processes are touching the same files.
bd9cc5b0 · Lukas Schauer · 194464b0 · bd9cc5b0 · bd9cc5b0 · bd9cc5b0
Commit bd9cc5b0 authored Jul 21, 2016 by Lukas Schauer
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 6 deletions

CHANGELOG CHANGELOG +1 -0

README.md README.md +1 -0

letsencrypt.sh letsencrypt.sh +14 -6

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@ This file contains a log of major changes in letsencrypt.sh
 - Initial support for configuration on per-certificate base
 - Support for per-CA account keys and custom config for output cert directory, license, etc.
 - Added option to select IP version of name to address resolution
+- Added option to run letsencrypt.sh without locks

 ## Fixed
 - letsencrypt.sh no longer stores account keys from invalid registrations

--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Parameters:
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file

--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -183,6 +183,7 @@ load_config() {
  [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
  [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/letsencrypt"
  [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
+  [[ -n "${PARAM_NO_LOCK:-}" ]] && LOCKFILE=""

  [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}"
  [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
@@ -200,11 +201,13 @@ init_system() {
  load_config

  # Lockfile handling (prevents concurrent access)
-  LOCKDIR="$(dirname "${LOCKFILE}")"
-  [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
-  ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
-  remove_lock() { rm -f "${LOCKFILE}"; }
-  trap 'remove_lock' EXIT
+  if [[ -n "${LOCKFILE}" ]]; then
+    LOCKDIR="$(dirname "${LOCKFILE}")"
+    [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
+    ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
+    remove_lock() { rm -f "${LOCKFILE}"; }
+    trap 'remove_lock' EXIT
+  fi

  # Get CA URLs
  CA_DIRECTORY="$(http_request get "${CA}")"
@@ -992,13 +995,18 @@ main() {
         fi
        ;;

-
      # PARAM_Usage: --force (-x)
      # PARAM_Description: Force renew of certificate even if it is longer valid than value in RENEW_DAYS
      --force|-x)
        PARAM_FORCE="yes"
        ;;

+      # PARAM_Usage: --no-lock (-n)
+      # PARAM_Description: Don't use lockfile (potentially dangerous!)
+      --no-lock|-n)
+        PARAM_NO_LOCK="yes"
+        ;;
+
      # PARAM_Usage: --ocsp
      # PARAM_Description: Sets option in CSR indicating OCSP stapling to be mandatory
      --ocsp)