Crate rusmes_acme 

ACME v2 protocol client for automatic TLS certificate management

This crate implements the ACME v2 protocol (Automatic Certificate Management Environment) to obtain and renew TLS certificates from Let’s Encrypt or any other ACME-compatible CA.

Key Features

• HTTP-01 challenge — serves the challenge token over HTTP on /.well-known/acme-challenge/<token> via an in-memory map that can be mounted on any HTTP server (see Http01Handler).
• DNS-01 challenge — creates _acme-challenge.<domain> TXT records through a pluggable DnsProvider trait; includes a MockDnsProvider for testing (see Dns01Handler).
• Automatic renewal — RenewalManager runs a background Tokio task that checks the certificate expiry at a configurable interval and renews proactively (default: 30 days before expiry).
• CSR generation — CsrGenerator uses rcgen to produce ECDSA P-256 or RSA CSRs without any C/Fortran dependencies.
• Certificate storage — CertificateStorage manages per-domain *.crt, *.key, and *.chain files with correct Unix permissions (0o600 for keys, 0o644 for certs).
• Staging / Production — the AcmeConfig builder exposes a .staging() method that switches to the Let’s Encrypt staging environment.

Usage

use rusmes_acme::{AcmeClient, AcmeConfig, ChallengeType, Http01Handler, RenewalManager};

// Build configuration
let config = AcmeConfig::new(
    "admin@example.com".to_string(),
    vec!["example.com".to_string(), "www.example.com".to_string()],
)
.challenge_type(ChallengeType::Http01)
.renewal(30, 3600);

// Create ACME client and attach an HTTP-01 handler
let http_handler = Http01Handler::new();
let client = AcmeClient::new(config.clone())?
    .with_http01_handler(http_handler);

// Request a certificate (blocks until ACME challenge completes)
let cert = client.request_certificate().await?;
cert.save(&config.cert_path, &config.key_path).await?;

// Start automatic renewal in the background
let manager = RenewalManager::new(client, config);
manager.start().await?;

Error Handling

All fallible operations return Result<T>, which aliases std::result::Result<T, AcmeError>. The AcmeError enum covers ACME protocol failures, challenge failures, validation errors, I/O errors, HTTP client errors, and JSON serialisation errors.

Relevant Standards

• ACME v2: RFC 8555
• HTTP-01 challenge: RFC 8555 §8.3
• DNS-01 challenge: RFC 8555 §8.4
• TLS certificate format: RFC 5280 (X.509 v3)
• CSR format: RFC 2986 (PKCS #10)

Re-exports

pub use cert::Certificate;

pub use cert::CsrGenerator;

pub use cert::KeyType;

pub use client::AcmeClient;

pub use config::AcmeConfig;

pub use config::ChallengeType;

pub use dns01::Dns01Handler;

pub use dns01::DnsProvider;

pub use dns01::MockDnsProvider;

pub use http01::Http01Handler;

pub use renewal::RenewalManager;

Modules

cert

Certificate management

challenge

ACME challenge implementations

client

ACME client implementation using instant-acme

config

ACME configuration

dns01

DNS-01 challenge handler for ACME

http01

HTTP-01 challenge handler for ACME

renewal

Automatic certificate renewal

storage

Certificate storage

Enums

AcmeError

Type Aliases

Result