Implement ACME certificate provisioning with rustls-acme

Add ACME TLS module with automatic Let's Encrypt certificate provisioning and renewal using rustls-acme 0.12. Each listener creates its own AcmeConfig with domain list, cache directory, and Let's Encrypt directory URL. The ACME state machine runs as a background tokio task per listener, and ResolvesServerCertAcme serves the provisioned certificate. Certificate failure behavior: fail to start without valid cert, continue serving if one exists. TLS-ALPN-01 is the default challenge type with acme-tls/1 ALPN registered. Cipher suites restricted to 4 TLS 1.2 + all TLS 1.3 suites. Also implements manual TLS mode with PEM file loading, SNI-based cert resolution, and shared CryptoProvider with restricted cipher suites.
2026-06-11 11:55:00 +00:00
parent ac30d890e9
commit b11f15d977
7 changed files with 802 additions and 4 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -572,9 +572,9 @@ checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"

 [[package]]
 name = "futures"
-version = "0.3.32"
+version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
+checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
 dependencies = [
 "futures-channel",
 "futures-core",
@@ -1157,6 +1157,7 @@ checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2"
 dependencies = [
 "aws-lc-rs",
 "pem",
+ "ring",
 "rustls-pki-types",
 "time",
 "yasna",
@@ -1179,13 +1180,16 @@ dependencies = [
 "arc-swap",
 "axum",
 "clap",
+ "futures",
 "hyper",
+ "rcgen",
 "rustls",
 "rustls-acme",
 "rustls-pemfile",
 "rustls-pki-types",
 "serde",
 "signal-hook",
+ "tempfile",
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
@@ -1498,6 +1502,19 @@ dependencies = [
 "syn",
 ]

+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.3.4",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"