certon 0.1.3

Automatic HTTPS/TLS certificate management via the ACME protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

//! HTTP-01 challenge with a simple TCP server.
//!
//! This example demonstrates setting up an HTTP-01 challenge solver to obtain
//! a certificate from Let's Encrypt (staging), then serving HTTPS on port 443
//! with tokio-rustls. The HTTP-01 solver runs a lightweight HTTP server on
//! port 80 to respond to the CA's validation requests.
//!
//! In production you would use port 80 for the challenge server and port 443
//! for your HTTPS application. Make sure both ports are open and DNS for
//! your domain points to this server.
//!
//! Usage: cargo run --example http01_challenge

use std::sync::Arc;

use certon::{
    AcmeIssuer, CertResolver, Config, FileStorage, Http01Solver, KeyType, LETS_ENCRYPT_STAGING,
    Result, Storage,
};
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::TcpListener;
use tokio_rustls::TlsAcceptor;

#[tokio::main]
async fn main() -> Result<()> {
    tracing_subscriber::fmt::init();

    // -- Storage ---------------------------------------------------------------
    let storage: Arc<dyn Storage> = Arc::new(FileStorage::new("/tmp/certon-http01"));

    // -- HTTP-01 solver --------------------------------------------------------
    // The HTTP-01 solver listens on port 80 and serves the ACME challenge token
    // at /.well-known/acme-challenge/{token}. The CA will make an HTTP request
    // to this endpoint to verify domain ownership.
    let http01_solver = Arc::new(Http01Solver::new(80));

    // -- ACME Issuer -----------------------------------------------------------
    // Using Let's Encrypt staging to avoid rate limits during testing.
    // Switch to LETS_ENCRYPT_PRODUCTION for real certificates.
    let issuer = AcmeIssuer::builder()
        .ca(LETS_ENCRYPT_STAGING)
        .email("admin@example.com")
        .agreed(true)
        .storage(storage.clone())
        .http01_solver(http01_solver)
        // Disable TLS-ALPN-01 since we are using HTTP-01
        .disable_tlsalpn_challenge(true)
        .build();

    // -- Config ----------------------------------------------------------------
    let config = Config::builder()
        .storage(storage)
        .issuers(vec![Arc::new(issuer)])
        .key_type(KeyType::EcdsaP256)
        .build();

    // -- Obtain certificates ---------------------------------------------------
    let domains = vec!["example.com".into()];
    println!(
        "Obtaining certificate for {:?} via HTTP-01 challenge...",
        domains
    );
    config.manage_sync(&domains).await?;
    println!("Certificate obtained successfully!");

    // -- Build the TLS config --------------------------------------------------
    let resolver = CertResolver::new(config.cache.clone());
    let tls_config = rustls::ServerConfig::builder()
        .with_no_client_auth()
        .with_cert_resolver(Arc::new(resolver));

    // -- Start HTTPS server on port 443 ----------------------------------------
    let acceptor = TlsAcceptor::from(Arc::new(tls_config));
    let listener = TcpListener::bind("0.0.0.0:443")
        .await
        .map_err(|e| certon::Error::Other(format!("failed to bind HTTPS listener: {e}")))?;

    println!("HTTPS server listening on 0.0.0.0:443");

    // Start background maintenance for certificate renewal.
    let _maintenance = certon::start_maintenance(&config);

    loop {
        let (stream, peer_addr) = listener
            .accept()
            .await
            .map_err(|e| certon::Error::Other(format!("accept error: {e}")))?;

        let acceptor = acceptor.clone();
        tokio::spawn(async move {
            match acceptor.accept(stream).await {
                Ok(mut tls_stream) => {
                    println!("TLS connection from {peer_addr}");

                    // Read the request (simplified: just read and respond).
                    let mut buf = vec![0u8; 4096];
                    let _ = tls_stream.read(&mut buf).await;

                    let response = b"HTTP/1.1 200 OK\r\n\
                        Content-Type: text/plain\r\n\
                        Content-Length: 13\r\n\
                        Connection: close\r\n\
                        \r\n\
                        Hello, HTTPS!";

                    let _ = tls_stream.write_all(response).await;
                    let _ = tls_stream.shutdown().await;
                }
                Err(e) => {
                    eprintln!("TLS handshake failed with {peer_addr}: {e}");
                }
            }
        });
    }
}