BUG/MEDIUM: Delete the challenge token only after auth is finished.

Adis Nezirovic · Adis Nezirovic · commit 45a50e4a84e7 · 2018-06-27T17:04:03.000+02:00
diff --git a/acme.lua b/acme.lua
@@ -320,6 +320,7 @@ local function new_order(applet)
     end
 
     local order_json = order:json()
+    local challenge_token
 
     for _, auth in ipairs(order_json.authorizations) do
         --
@@ -339,13 +340,18 @@ local function new_order(applet)
                         ch.token, acme.account.thumbprint)
                     resp, err = acme:post{url=ch.url, data=ch,
                                           resource="challengeDone", timeout=1}
+                    challenge_token = ch.token
+                    break
                 end
             end
         end
     end
 
     -- TODO: Check pending status in a loop
     core.sleep(5)
+    if challenge_token and http_challenges[challenge_token] then
+        http_challenges[challenge_token] = nil
+    end
 
     -- CSR creation
     local dn = openssl.name.new()
@@ -390,10 +396,9 @@ end
 local function acme_challenge(applet)
     local p = core.tokenize(applet.path, "/", true)
     if not p[3] or not http_challenges[p[3]] then
-        http.response.create{status_code=404}:send(applet)
+        return http.response.create{status_code=404}:send(applet)
     end
     http.response.create{status_code=200, content=http_challenges[p[3]]}:send(applet)
-    http_challenges[p[3]] = nil
 end
 
 --- Request handler/router
