From 75f79bcef525f164865a6129c19baea9798651f3 Mon Sep 17 00:00:00 2001
From: Rodolphe Breard
Date: Sat, 25 May 2019 23:08:40 +0200
Subject: [PATCH] Clean the hooks right after the current challenge has been validated
Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
---
 CHANGELOG.md | 3 +++
 acmed/src/acme_proto.rs | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21c8bb9..c8eeb16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Hooks now have the optional `allow_failure` field.
+### Changed
+- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
+
 ### Fixed
 - The http-01-echo hook now correctly sets the file's access rights
diff --git a/acmed/src/acme_proto.rs b/acmed/src/acme_proto.rs
index d989b26..3c9a64f 100644
--- a/acmed/src/acme_proto.rs
+++ b/acmed/src/acme_proto.rs
@@ -142,6 +142,10 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
 let (_, new_nonce): (Authorization, String) = http::pool_obj(root_certs, &auth_url, &data_builder, &break_fn, &nonce)?;
 nonce = new_nonce;
+ for (data, hook_type) in hook_datas.iter() {
+ cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?;
+ }
+ hook_datas.clear();
 }
 // 10. Pool the order in order to see whether or not it is ready
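Review bot: The new cleanup loop only runs on the success path: a validation failure in the `http::pool_obj` call just above returns through `?` before the loop is reached, and a failing clean hook aborts the loop at its first error, so the remaining entries of `hook_datas` stay uncleaned (the commit message's statement that only the failed hook is left dirty holds only when the failing hook is the last one). Challenge artifacts that outlive a failed validation are exactly what the clean hooks exist to remove, so it is worth capturing the `pool_obj` result, running every clean hook, and only then propagating the first error, as sketched below. Since `hook_datas` is emptied right after the loop anyway, `hook_datas.drain(..)` would replace the `iter()` + `clear()` pair; whether `hook_type.to_owned()` is still needed depends on the parameter type of `call_challenge_hooks_clean`, which is not visible here. `request_certificate` starts and ends outside this hunk.
```rust
let validation = http::pool_obj(root_certs, &auth_url, &data_builder, &break_fn, &nonce);
// Run every clean hook before deciding the outcome, so neither a failed
// validation nor a failing clean hook leaves challenge artifacts behind.
let mut first_clean_err = None;
for (data, hook_type) in hook_datas.drain(..) {
    if let Err(e) = cert.call_challenge_hooks_clean(&data, hook_type.to_owned()) {
        first_clean_err.get_or_insert(e);
    }
}
let (_, new_nonce): (Authorization, String) = validation?;
if let Some(e) = first_clean_err {
    return Err(e.into());
}
nonce = new_nonce;
// … unchanged: end of the challenge loop, step 10 …
```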
@@ -174,10 +178,6 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
 let (crt, _) = http::get_certificate(root_certs, &crt_url, &data_builder, &nonce)?;
 storage::write_certificate(cert, &crt.as_bytes())?;
- for (data, hook_type) in hook_datas.iter() {
- cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?;
- }
-
 info!("Certificate renewed for {}", domains.join(", "));
 Ok(())
 }