acme: prevent concurrent running of acme get

Issuing certificates concurrently should not be supported.

Signed-off-by: Glen Huang <i@glenhuang.com>

net/acme-common/files/acme.sh

@@ -11,7 +11,7 @@
 export state_dir=/etc/acme
 export account_email=
 export debug=0
-export challenge_dir='/var/run/acme/challenge'
+export run_dir=/var/run/acme
 NFT_HANDLE=
 HOOK=/usr/lib/acme/hook
 LOG_TAG=acme
@@ -23,6 +23,9 @@ LOG_TAG=acme
 
 cleanup() {
 	log debug "cleaning up"
+	if [ -e $run_dir/lock ]; then
+		rm $run_dir/lock
+	fi
 	if [ "$NFT_HANDLE" ]; then
 		# $NFT_HANDLE contains the string 'handle XX' so pass it unquoted to nft
 		nft delete rule inet fw4 input $NFT_HANDLE
@@ -60,7 +63,7 @@ load_options() {
 	config_get webroot "$section" webroot
 	export webroot
 	if [ "$webroot" ]; then
-		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from /var/run/acme/challenge."
+		log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $run_dir/challenge."
 	fi
 }
 
@@ -112,6 +115,15 @@ load_globals() {
 	return 1
 }
 
+cmd_get() {
+	trap cleanup EXIT
+
+	config_load acme
+	config_foreach load_globals acme
+
+	config_foreach get_cert cert
+}
+
 usage() {
 	cat <<EOF
 Usage: acme <command> [arguments]
@@ -128,11 +140,14 @@ fi
 
 case $1 in
 get)
-	config_load acme
+	mkdir -p $run_dir
-	config_foreach load_globals acme
+	{
-
+		if ! flock -n 200; then
-	trap cleanup EXIT
+			log err "Another ACME instance is already running."
-	config_foreach get_cert cert
+			exit 1
+		fi
+		cmd_get "$@"
+	} 200>$run_dir/lock
 	;;
 *)
 	usage