certon 0.2.1

Automatic HTTPS/TLS certificate management via the ACME protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

//! DNS-01 challenge for wildcard certificates.
//!
//! This example demonstrates how to implement a custom `DnsProvider` trait and
//! use the DNS-01 challenge solver to obtain wildcard certificates.
//!
//! DNS-01 is the only ACME challenge type that supports wildcard certificates
//! (e.g. `*.example.com`). It works by creating a TXT record at
//! `_acme-challenge.example.com` with a value derived from the challenge token.
//!
//! In production, you would implement `DnsProvider` to call your DNS hosting
//! provider's API (e.g. Cloudflare, Route 53, Google Cloud DNS).
//!
//! Usage: cargo run --example dns01_challenge

use std::collections::HashMap;
use std::sync::Arc;
use std::time::Duration;

use async_trait::async_trait;
use certon::{
    AcmeIssuer, CertResolver, Config, Dns01Solver, DnsProvider, FileStorage, KeyType,
    LETS_ENCRYPT_STAGING, Result, Storage,
};
use tokio::sync::RwLock;

// ---------------------------------------------------------------------------
// Custom DNS provider implementation
// ---------------------------------------------------------------------------

/// A DNS provider that stores records in memory (for demonstration purposes).
///
/// In a real application, this would call the API of your DNS hosting provider
/// (e.g. Cloudflare, AWS Route 53, Google Cloud DNS, etc.).
struct ExampleDnsProvider {
    /// In-memory store of TXT records: (zone, name) -> Vec<value>
    records: RwLock<HashMap<(String, String), Vec<String>>>,
}

impl ExampleDnsProvider {
    fn new() -> Self {
        Self {
            records: RwLock::new(HashMap::new()),
        }
    }
}

#[async_trait]
impl DnsProvider for ExampleDnsProvider {
    async fn set_record(&self, zone: &str, name: &str, value: &str, ttl: u32) -> Result<()> {
        println!(
            "[DNS] Creating TXT record: zone={}, name={}, value={}, ttl={}",
            zone, name, value, ttl
        );

        // In production, call your DNS API here:
        //   client.create_record(zone, RecordType::TXT, name, value, ttl).await?;

        let mut records = self.records.write().await;
        records
            .entry((zone.to_string(), name.to_string()))
            .or_default()
            .push(value.to_string());

        Ok(())
    }

    async fn delete_record(&self, zone: &str, name: &str, value: &str) -> Result<()> {
        println!(
            "[DNS] Deleting TXT record: zone={}, name={}, value={}",
            zone, name, value
        );

        // In production, call your DNS API here:
        //   client.delete_record(zone, RecordType::TXT, name, value).await?;

        let mut records = self.records.write().await;
        if let Some(values) = records.get_mut(&(zone.to_string(), name.to_string())) {
            values.retain(|v| v != value);
            if values.is_empty() {
                records.remove(&(zone.to_string(), name.to_string()));
            }
        }

        Ok(())
    }
}

#[tokio::main]
async fn main() -> Result<()> {
    tracing_subscriber::fmt::init();

    // -- Storage ---------------------------------------------------------------
    let storage: Arc<dyn Storage> = Arc::new(FileStorage::new("/tmp/certon-dns01"));

    // -- DNS provider and solver -----------------------------------------------
    let dns_provider = ExampleDnsProvider::new();
    let dns_solver = Dns01Solver::with_timeouts(
        Box::new(dns_provider),
        Duration::from_secs(120), // propagation timeout
        Duration::from_secs(4),   // propagation check interval
    );

    // -- ACME Issuer -----------------------------------------------------------
    // DNS-01 supports wildcard certificates, so we disable HTTP and TLS-ALPN
    // challenges and use only DNS-01.
    let issuer = AcmeIssuer::builder()
        .ca(LETS_ENCRYPT_STAGING)
        .email("admin@example.com")
        .agreed(true)
        .storage(storage.clone())
        .dns01_solver(Arc::new(dns_solver))
        .disable_http_challenge(true)
        .disable_tlsalpn_challenge(true)
        .build();

    // -- Config ----------------------------------------------------------------
    let config = Config::builder()
        .storage(storage)
        .issuers(vec![Arc::new(issuer)])
        .key_type(KeyType::EcdsaP256)
        .build();

    // -- Obtain wildcard certificate -------------------------------------------
    // DNS-01 is the only challenge type that supports wildcard domains.
    let domains = vec!["*.example.com".into(), "example.com".into()];
    println!(
        "Obtaining wildcard certificate for {:?} via DNS-01...",
        domains
    );
    config.manage_sync(&domains).await?;
    println!("Certificate obtained successfully!");

    // -- Build the TLS config --------------------------------------------------
    let resolver = CertResolver::new(config.cache.clone());
    let _tls_config = rustls::ServerConfig::builder()
        .with_no_client_auth()
        .with_cert_resolver(Arc::new(resolver));

    println!("TLS config ready for wildcard domain");

    // Start background maintenance for certificate renewal.
    let _maintenance = certon::start_maintenance(&config);

    // Keep the process alive for certificate maintenance.
    tokio::signal::ctrl_c().await.ok();
    config.cache.stop();

    Ok(())
}