Added option to run letsencrypt.sh without locks

This should only be used when letsencrypt.sh is under control by a
different script which makes sure that no two processes are touching the
same files.

diff --git a/CHANGELOG b/CHANGELOG
index f15cb698be77d1021e876f974d0708e4792c033a..fc7c87a0f19dfa4f922f1a00378edece35176537 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@ This file contains a log of major changes in letsencrypt.sh
 - Initial support for configuration on per-certificate base
 - Support for per-CA account keys and custom config for output cert directory, license, etc.
 - Added option to select IP version of name to address resolution
+- Added option to run letsencrypt.sh without locks
 
 ## Fixed
 - letsencrypt.sh no longer stores account keys from invalid registrations

diff --git a/README.md b/README.md
index 9656daed5ca1db89af8437dc47aa900b110c5535..a6f7be8a89137081f737fa44326d5bb1ce2aadbb 100644 (file)
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Parameters:
  --ipv6 (-6)                      Resolve names to IPv6 addresses only
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
  --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
  --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
  --config (-f) path/to/config     Use specified config file

diff --git a/letsencrypt.sh b/letsencrypt.sh
index 65dd9da8f39de203c1fbd60acdd1db69d0bf7568..003d6f12b386def723ec4fef75b581d2d05937cb 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -183,6 +183,7 @@ load_config() {
   [[ -z "${DOMAINS_TXT}" ]] && DOMAINS_TXT="${BASEDIR}/domains.txt"
   [[ -z "${WELLKNOWN}" ]] && WELLKNOWN="/var/www/letsencrypt"
   [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
+  [[ -n "${PARAM_NO_LOCK:-}" ]] && LOCKFILE=""
 
   [[ -n "${PARAM_HOOK:-}" ]] && HOOK="${PARAM_HOOK}"
   [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
@@ -200,11 +201,13 @@ init_system() {
   load_config
 
   # Lockfile handling (prevents concurrent access)
-  LOCKDIR="$(dirname "${LOCKFILE}")"
-  [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
-  ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
-  remove_lock() { rm -f "${LOCKFILE}"; }
-  trap 'remove_lock' EXIT
+  if [[ -n "${LOCKFILE}" ]]; then
+    LOCKDIR="$(dirname "${LOCKFILE}")"
+    [[ -w "${LOCKDIR}" ]] || _exiterr "Directory ${LOCKDIR} for LOCKFILE ${LOCKFILE} is not writable, aborting."
+    ( set -C; date > "${LOCKFILE}" ) 2>/dev/null || _exiterr "Lock file '${LOCKFILE}' present, aborting."
+    remove_lock() { rm -f "${LOCKFILE}"; }
+    trap 'remove_lock' EXIT
+  fi
 
   # Get CA URLs
   CA_DIRECTORY="$(http_request get "${CA}")"
@@ -992,13 +995,18 @@ main() {
          fi
         ;;
 
-
       # PARAM_Usage: --force (-x)
       # PARAM_Description: Force renew of certificate even if it is longer valid than value in RENEW_DAYS
       --force|-x)
         PARAM_FORCE="yes"
         ;;
 
+      # PARAM_Usage: --no-lock (-n)
+      # PARAM_Description: Don't use lockfile (potentially dangerous!)
+      --no-lock|-n)
+        PARAM_NO_LOCK="yes"
+        ;;
+
       # PARAM_Usage: --ocsp
       # PARAM_Description: Sets option in CSR indicating OCSP stapling to be mandatory
       --ocsp)