Clean the hooks right after the current challenge has been validated

Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago · 75f79bcef5
2 changed files with 7 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Hooks now have the optional `allow_failure` field.

+### Changed
+- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
+
 ### Fixed
 - The http-01-echo hook now correctly sets the file's access rights

--- a/acmed/src/acme_proto.rs
+++ b/acmed/src/acme_proto.rs
@ -142,6 +142,10 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
        let (_, new_nonce): (Authorization, String) =
            http::pool_obj(root_certs, &auth_url, &data_builder, &break_fn, &nonce)?;
        nonce = new_nonce;
+        for (data, hook_type) in hook_datas.iter() {
+            cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?;
+        }
+        hook_datas.clear();
    }

    // 10. Pool the order in order to see whether or not it is ready
@ -174,10 +178,6 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result<
    let (crt, _) = http::get_certificate(root_certs, &crt_url, &data_builder, &nonce)?;
    storage::write_certificate(cert, &crt.as_bytes())?;

-    for (data, hook_type) in hook_datas.iter() {
-        cert.call_challenge_hooks_clean(&data, (*hook_type).to_owned())?;
-    }
-
    info!("Certificate renewed for {}", domains.join(", "));
    Ok(())
 }