Module tls


ACME-based TLS provisioning for ApplicationNode.

Provides automatic TLS certificate provisioning via the ACME protocol (RFC 8555), with support for HTTP-01 challenges. Certificates are persisted through the platform Storage trait and auto-renewed 30 days before expiry.

See spec section 18.6.3 for the full design:

  • ACME HTTP-01 challenge: served over plain HTTP at /.well-known/acme-challenge/<token>. The CA validates on port 80, so the node must be reachable there.
  • DNS-01 alternative: for environments where port 80 is unavailable (NAT, shared hosting). The operator configures DNS TXT records manually or via a DNS API. (Documented here for reference; not implemented in this module.)
  • Certificate storage: PEM-encoded cert chain and private key stored in platform Storage, encrypted at rest by the storage backend.
  • Auto-renewal: background task renews 30 days before expiry.
  • TLS 1.3 required: per section 9.13, all relay connections use TLS 1.3.
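The two parts of the design above that are easiest to get subtly wrong are the HTTP-01 responder (what exactly is served under the well-known path, and what is refused) and the renewal decision. The following is an added, std-only illustration, not the module's own code: `ChallengeStore`, `respond`, `is_valid_token` and `needs_renewal` are hypothetical names and do not correspond to `AcmeProvider` or `acme_challenge_router`. The store uses the same Arc<RwLock<..>> hot-swap pattern that a certificate resolver relies on, so tokens can be added and retired while the listener keeps serving.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use std::time::Duration;

/// Path prefix the CA requests for HTTP-01 validation (RFC 8555 section 8.3).
pub const ACME_CHALLENGE_PREFIX: &str = "/.well-known/acme-challenge/";

/// Renewal window from the module description: 30 days before expiry.
pub const RENEWAL_WINDOW: Duration = Duration::from_secs(30 * 24 * 60 * 60);

/// Pending HTTP-01 challenges, keyed by token. The Arc<RwLock<..>> lets the
/// ACME client register and retire tokens while the port-80 listener keeps
/// serving, the same hot-swap pattern a certificate resolver uses.
/// (Hypothetical type for this example, not the module's AcmeProvider.)
#[derive(Clone, Default)]
pub struct ChallengeStore {
    inner: Arc<RwLock<HashMap<String, String>>>,
}

impl ChallengeStore {
    pub fn new() -> Self {
        Self::default()
    }

    /// Register a challenge. The body the CA expects is the key authorization:
    /// token "." base64url(JWK thumbprint of the account key) (RFC 8555 section 8.1).
    pub fn insert(&self, token: &str, account_thumbprint_b64url: &str) -> Result<(), &'static str> {
        if !is_valid_token(token) {
            return Err("token is not unpadded base64url or is shorter than 128 bits");
        }
        let key_auth = format!("{}.{}", token, account_thumbprint_b64url);
        self.inner.write().unwrap().insert(token.to_string(), key_auth);
        Ok(())
    }

    /// Retire a challenge once the CA reports it valid; nothing should stay
    /// reachable under the well-known path longer than needed.
    pub fn remove(&self, token: &str) {
        self.inner.write().unwrap().remove(token);
    }

    /// Answer one plain-HTTP request. Returns (status, body); only the exact
    /// path /.well-known/acme-challenge/<token> with a registered token is served.
    pub fn respond(&self, method: &str, path: &str) -> (u16, String) {
        if method != "GET" {
            return (405, String::new());
        }
        let token = match path.strip_prefix(ACME_CHALLENGE_PREFIX) {
            Some(t) => t,
            None => return (404, String::new()),
        };
        // Anything that is not a bare token (extra segments, "..", query strings)
        // fails the charset check, so the handler never touches the filesystem
        // or echoes attacker-chosen bytes back to the client.
        if !is_valid_token(token) {
            return (404, String::new());
        }
        match self.inner.read().unwrap().get(token) {
            Some(key_auth) => (200, key_auth.clone()),
            None => (404, String::new()),
        }
    }
}

/// RFC 8555 section 8.3: a token is unpadded base64url carrying at least
/// 128 bits of entropy, which means at least 22 characters.
pub fn is_valid_token(token: &str) -> bool {
    token.len() >= 22
        && token
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

/// Renewal decision for the background task: true when the certificate expires
/// within RENEWAL_WINDOW or has already expired. Times are Unix seconds.
pub fn needs_renewal(not_after_secs: u64, now_secs: u64) -> bool {
    not_after_secs.saturating_sub(now_secs) <= RENEWAL_WINDOW.as_secs()
}

fn main() {
    // Constructed sample values shaped like a real CA token and account
    // thumbprint; neither comes from an actual ACME exchange.
    let store = ChallengeStore::new();
    let token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA";
    store.insert(token, "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI").unwrap();
    let path = format!("{}{}", ACME_CHALLENGE_PREFIX, token);
    println!("{:?}", store.respond("GET", &path));
    println!("{:?}", store.respond("GET", "/.well-known/acme-challenge/../secret"));
    println!("renew 20 days out: {}", needs_renewal(20 * 86_400, 0));
}
```

The responder deliberately answers 404 for every path it does not recognise rather than falling through to the application router: the port-80 listener exists only for validation and should expose nothing else. The renewal check uses saturating subtraction so an already-expired certificate is treated as due rather than underflowing.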

Structs

AcmeProvider
ACME certificate provider for automatic TLS provisioning.
CertResolver
A certificate resolver that supports hot-swapping certificates.
CertificateData
PEM-encoded certificate chain and private key.

Enums

TlsError
Errors produced by TLS provisioning.

Functions

acme_challenge_router
Create an axum router that serves ACME HTTP-01 challenge responses.
build_reloadable_tls_config
Build a reloadable TLS configuration with a CertResolver that supports hot-swapping certificates without restarting the server.
build_tls_server_config
Build a rustls::ServerConfig enforcing TLS 1.3 (spec section 9.13).
generate_self_signed
Generate a self-signed certificate for the given domain.
serve_tls
Serves an axum router over TLS using the provided rustls::ServerConfig.