Implement ACME/Let's Encrypt certificate provisioning (ADR-008)

Add AcmeCertProvider with domain-based and IP-based modes using rustls-acme.
AcmeTlsAcceptor::bind_acme() and TlsAcceptor::bind_acme() provide ACME-integrated
TLS acceptance with automatic cert renewal via background tokio task.
Feature-gated behind 'acme' (implies 'tls'). Unit tests for config construction;
integration test for LE staging marked #[ignore].

crates/wraith-core/Cargo.toml

@@ -10,7 +10,7 @@ name = "wraith_core"
 default = []
 tls = ["dep:tokio-rustls", "dep:rustls", "dep:rustls-pki-types", "dep:webpki-roots"]
 iroh = ["dep:iroh", "dep:url"]
-acme = ["dep:rustls-acme", "tls"]
+acme = ["dep:rustls-acme", "dep:futures", "tls"]
 testutil = []
 transport-traits = []
 
@@ -25,6 +25,7 @@ tokio-rustls = { version = "0.26", optional = true }
 rustls = { version = "0.23", optional = true, features = ["aws_lc_rs"] }
 rustls-pki-types = { version = "1", optional = true }
 rustls-acme = { version = "0.12", optional = true }
+futures = { version = "0.3", optional = true }
 webpki-roots = { version = "0.26", optional = true }
 iroh = { version = "0.34", optional = true }
 url = { version = "2", optional = true }

crates/wraith-core/src/transport/acme.rs

@@ -0,0 +1,362 @@
+use std::net::SocketAddr;
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use anyhow::{anyhow, Result};
+use rustls::crypto::aws_lc_rs::default_provider;
+use rustls::ServerConfig;
+use rustls_acme::caches::DirCache;
+use rustls_acme::{AcmeConfig, AcmeState, ResolvesServerCertAcme};
+use tracing::{error, info};
+use tokio::net::TcpListener;
+use tokio_rustls::TlsAcceptor as TokioTlsAcceptor;
+
+use super::{TransportAcceptor, TransportInfo, TransportKind};
+
+const ACME_TLS_ALPN_NAME: &[u8] = b"acme-tls/1";
+
+#[derive(Debug, Clone)]
+pub enum AcmeMode {
+    Domain { domain: String },
+    Ip,
+}
+
+pub struct AcmeCertProvider {
+    mode: AcmeMode,
+    cache_dir: Option<PathBuf>,
+    directory_url: String,
+    contact: Vec<String>,
+}
+
+impl std::fmt::Debug for AcmeCertProvider {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("AcmeCertProvider")
+            .field("mode", &self.mode)
+            .field("cache_dir", &self.cache_dir)
+            .field("directory_url", &self.directory_url)
+            .field("contact", &self.contact)
+            .finish_non_exhaustive()
+    }
+}
+
+impl AcmeCertProvider {
+    pub fn new(mode: AcmeMode) -> Self {
+        Self {
+            mode,
+            cache_dir: None,
+            directory_url: rustls_acme::acme::LETS_ENCRYPT_STAGING_DIRECTORY.to_string(),
+            contact: Vec::new(),
+        }
+    }
+
+    pub fn domain(domain: impl Into<String>) -> Self {
+        Self::new(AcmeMode::Domain {
+            domain: domain.into(),
+        })
+    }
+
+    pub fn ip() -> Self {
+        Self::new(AcmeMode::Ip)
+    }
+
+    pub fn with_cache_dir(mut self, dir: impl Into<PathBuf>) -> Self {
+        self.cache_dir = Some(dir.into());
+        self
+    }
+
+    pub fn with_directory(mut self, url: impl Into<String>) -> Self {
+        self.directory_url = url.into();
+        self
+    }
+
+    pub fn with_production_directory(mut self) -> Self {
+        self.directory_url = rustls_acme::acme::LETS_ENCRYPT_PRODUCTION_DIRECTORY.to_string();
+        self
+    }
+
+    pub fn with_contact(mut self, contact: impl Into<String>) -> Self {
+        self.contact.push(contact.into());
+        self
+    }
+
+    pub fn mode(&self) -> &AcmeMode {
+        &self.mode
+    }
+
+    fn build_acme_state(&self) -> (AcmeState<std::io::Error>, Arc<ResolvesServerCertAcme>) {
+        let domains: Vec<String> = match &self.mode {
+            AcmeMode::Domain { domain } => vec![domain.clone()],
+            AcmeMode::Ip => vec![],
+        };
+
+        let base_config = AcmeConfig::new(domains)
+            .directory(&self.directory_url)
+            .contact(self.contact.clone());
+
+        let state = match &self.cache_dir {
+            Some(cache_dir) => {
+                base_config.cache(DirCache::new(cache_dir.clone())).state()
+            }
+            None => {
+                base_config
+                    .cache(rustls_acme::caches::NoCache::default())
+                    .state()
+            }
+        };
+
+        let resolver = state.resolver();
+        (state, resolver)
+    }
+
+    pub fn build_server_config_with_resolver(
+        &self,
+        resolver: Arc<ResolvesServerCertAcme>,
+    ) -> Result<Arc<ServerConfig>> {
+        let provider = default_provider().into();
+        let mut config = ServerConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()
+            .map_err(|e| anyhow!("failed to set protocol versions: {}", e))?
+            .with_no_client_auth()
+            .with_cert_resolver(resolver);
+        config.alpn_protocols.push(ACME_TLS_ALPN_NAME.to_vec());
+        Ok(Arc::new(config))
+    }
+}
+
+pub struct AcmeTlsAcceptor {
+    listener: TcpListener,
+    listen_addr: SocketAddr,
+    #[allow(dead_code)]
+    server_config: Arc<ServerConfig>,
+    tokio_acceptor: TokioTlsAcceptor,
+}
+
+impl AcmeTlsAcceptor {
+    pub async fn bind_acme(
+        addr: SocketAddr,
+        provider: Arc<AcmeCertProvider>,
+    ) -> Result<Self> {
+        let (state, resolver) = provider.build_acme_state();
+
+        let server_config = provider.build_server_config_with_resolver(resolver.clone())?;
+
+        Self::spawn_state_worker(state, resolver);
+
+        let listener = TcpListener::bind(addr).await?;
+        let listen_addr = listener.local_addr()?;
+
+        let tokio_acceptor = TokioTlsAcceptor::from(server_config.clone());
+
+        Ok(Self {
+            listener,
+            listen_addr,
+            server_config,
+            tokio_acceptor,
+        })
+    }
+
+    pub fn listen_addr(&self) -> SocketAddr {
+        self.listen_addr
+    }
+
+    fn spawn_state_worker(state: AcmeState<std::io::Error>, resolver: Arc<ResolvesServerCertAcme>) {
+        use futures::StreamExt;
+
+        let task = async move {
+            let mut state = state;
+            while let Some(event) = state.next().await {
+                match event {
+                    Ok(ok) => {
+                        if let rustls_acme::EventOk::DeployedNewCert = ok {
+                            info!("ACME: new certificate deployed");
+                        } else {
+                            info!("ACME event: {:?}", ok);
+                        }
+                    }
+                    Err(err) => error!("ACME event error: {:?}", err),
+                }
+                if Arc::strong_count(&resolver) == 1 {
+                    info!("ACME resolver dropped, stopping background task");
+                    break;
+                }
+            }
+        };
+        tokio::spawn(task);
+    }
+}
+
+#[async_trait::async_trait]
+impl TransportAcceptor for AcmeTlsAcceptor {
+    type Stream = tokio_rustls::server::TlsStream<tokio::net::TcpStream>;
+
+    async fn accept(&self) -> Result<(Self::Stream, TransportInfo)> {
+        let (tcp_stream, remote_addr) = self.listener.accept().await?;
+        let tls_stream = self.tokio_acceptor.accept(tcp_stream).await?;
+
+        let server_name = tls_stream
+            .get_ref()
+            .1
+            .server_name()
+            .map(|s| s.to_string());
+
+        let info = TransportInfo {
+            remote_addr: Some(remote_addr),
+            transport_kind: TransportKind::Tls { server_name },
+        };
+
+        Ok((tls_stream, info))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn acme_cert_provider_domain_mode() {
+        let provider = AcmeCertProvider::domain("example.com");
+        assert!(matches!(provider.mode(), AcmeMode::Domain { .. }));
+        if let AcmeMode::Domain { domain } = provider.mode() {
+            assert_eq!(domain, "example.com");
+        }
+    }
+
+    #[test]
+    fn acme_cert_provider_ip_mode() {
+        let provider = AcmeCertProvider::ip();
+        assert!(matches!(provider.mode(), AcmeMode::Ip));
+    }
+
+    #[test]
+    fn acme_cert_provider_default_staging_directory() {
+        let provider = AcmeCertProvider::domain("example.com");
+        assert_eq!(
+            provider.directory_url,
+            rustls_acme::acme::LETS_ENCRYPT_STAGING_DIRECTORY
+        );
+    }
+
+    #[test]
+    fn acme_cert_provider_production_directory() {
+        let provider = AcmeCertProvider::domain("example.com").with_production_directory();
+        assert_eq!(
+            provider.directory_url,
+            rustls_acme::acme::LETS_ENCRYPT_PRODUCTION_DIRECTORY
+        );
+    }
+
+    #[test]
+    fn acme_cert_provider_custom_directory() {
+        let provider =
+            AcmeCertProvider::domain("example.com").with_directory("https://custom.acme.dir/");
+        assert_eq!(provider.directory_url, "https://custom.acme.dir/");
+    }
+
+    #[test]
+    fn acme_cert_provider_with_cache_dir() {
+        let provider = AcmeCertProvider::domain("example.com").with_cache_dir("/tmp/acme_cache");
+        assert_eq!(provider.cache_dir, Some(PathBuf::from("/tmp/acme_cache")));
+    }
+
+    #[test]
+    fn acme_cert_provider_with_contact() {
+        let provider =
+            AcmeCertProvider::domain("example.com").with_contact("mailto:admin@example.com");
+        assert_eq!(
+            provider.contact,
+            vec!["mailto:admin@example.com".to_string()]
+        );
+    }
+
+    #[test]
+    fn acme_cert_provider_build_state_domain() {
+        let provider = AcmeCertProvider::domain("example.com");
+        let (_state, resolver) = provider.build_acme_state();
+        assert!(Arc::strong_count(&resolver) >= 2);
+    }
+
+    #[test]
+    fn acme_cert_provider_build_state_with_cache() {
+        let provider =
+            AcmeCertProvider::domain("example.com").with_cache_dir("/tmp/test_cache");
+        let (_state, resolver) = provider.build_acme_state();
+        assert!(Arc::strong_count(&resolver) >= 2);
+    }
+
+    #[test]
+    fn acme_cert_provider_build_server_config() {
+        let _ = default_provider().install_default();
+        let provider = AcmeCertProvider::domain("example.com");
+        let (_, resolver) = provider.build_acme_state();
+        let config = provider.build_server_config_with_resolver(resolver).unwrap();
+        assert!(!config.alpn_protocols.is_empty());
+        assert!(config
+            .alpn_protocols
+            .iter()
+            .any(|p| p == ACME_TLS_ALPN_NAME));
+    }
+
+    #[test]
+    fn acme_mode_domain_debug() {
+        let mode = AcmeMode::Domain {
+            domain: "test.example.com".to_string(),
+        };
+        let debug_str = format!("{:?}", mode);
+        assert!(debug_str.contains("test.example.com"));
+    }
+
+    #[test]
+    fn acme_mode_ip_debug() {
+        let mode = AcmeMode::Ip;
+        let debug_str = format!("{:?}", mode);
+        assert!(debug_str.contains("Ip"));
+    }
+
+    #[test]
+    fn acme_cert_provider_builder_chain() {
+        let provider = AcmeCertProvider::domain("test.example.com")
+            .with_production_directory()
+            .with_cache_dir("/tmp/cache")
+            .with_contact("mailto:admin@test.example.com");
+        assert!(matches!(provider.mode(), AcmeMode::Domain { .. }));
+        assert_eq!(
+            provider.directory_url,
+            rustls_acme::acme::LETS_ENCRYPT_PRODUCTION_DIRECTORY
+        );
+        assert_eq!(provider.cache_dir, Some(PathBuf::from("/tmp/cache")));
+        assert_eq!(provider.contact.len(), 1);
+    }
+
+    #[tokio::test]
+    async fn acme_tls_acceptor_bind_acme() {
+        let _ = default_provider().install_default();
+        let provider = Arc::new(AcmeCertProvider::domain("example.com"));
+        let addr: SocketAddr = "127.0.0.1:0".parse().unwrap();
+        let acceptor = AcmeTlsAcceptor::bind_acme(addr, provider).await.unwrap();
+        assert_ne!(acceptor.listen_addr().port(), 0);
+    }
+
+    #[tokio::test]
+    #[ignore]
+    async fn acme_staging_domain_cert_provisioning() {
+        let _ = default_provider().install_default();
+
+        let cache_dir = tempfile::tempdir().unwrap();
+        let provider = Arc::new(
+            AcmeCertProvider::domain("acme-test.example.com")
+                .with_cache_dir(cache_dir.path())
+                .with_contact("mailto:admin@example.com"),
+        );
+
+        let addr: SocketAddr = "0.0.0.0:443".parse().unwrap();
+        let result = AcmeTlsAcceptor::bind_acme(addr, provider).await;
+        assert!(
+            result.is_ok(),
+            "ACME TlsAcceptor should bind: {:?}",
+            result.err()
+        );
+
+        let acceptor = result.unwrap();
+        assert_eq!(acceptor.listen_addr().port(), 443);
+    }
+}

crates/wraith-core/src/transport/mod.rs

@@ -12,6 +12,12 @@ mod tls;
 #[cfg(feature = "tls")]
 pub use tls::{AcmeConfig, TlsAcceptor, TlsTransport};
 
+#[cfg(feature = "acme")]
+mod acme;
+
+#[cfg(feature = "acme")]
+pub use acme::{AcmeCertProvider, AcmeMode, AcmeTlsAcceptor};
+
 use std::net::SocketAddr;
 
 use anyhow::Result;

crates/wraith-core/src/transport/tls.rs

@@ -9,8 +9,16 @@ use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore, ServerConfig};
 use tokio::net::{TcpListener, TcpStream};
 use tokio_rustls::{client::TlsStream as ClientTlsStream, TlsAcceptor as TokioTlsAcceptor, TlsConnector};
 
+#[cfg(feature = "acme")]
+use rustls::crypto::aws_lc_rs::default_provider;
+#[cfg(feature = "acme")]
+use rustls_acme::ResolvesServerCertAcme;
+
 use super::{Transport, TransportAcceptor, TransportInfo, TransportKind};
 
+#[cfg(feature = "acme")]
+const ACME_TLS_ALPN_NAME: &[u8] = b"acme-tls/1";
+
 /// A TLS-based client transport that connects to a remote address over TLS.
 ///
 /// Wraps a TCP connection with a TLS client session via `tokio_rustls::TlsConnector`.
@@ -110,8 +118,10 @@ pub struct AcmeConfig {
 /// A TLS-based server transport acceptor that accepts TCP connections
 /// and wraps them with TLS server sessions via `tokio_rustls::TlsAcceptor`.
 ///
-/// Requires certificate and private key configuration. Supports manual
+/// Supports three certificate modes (ADR-008):
-/// cert/key paths and an ACME config stub (ADR-008).
+/// - Manual certs via `bind()` with explicit cert/key
+/// - ACME certs via `bind_acme()` with an `AcmeCertProvider`
+/// - The stub `AcmeConfig` parameter in `bind()` is kept for backward compat
 pub struct TlsAcceptor {
     listener: TcpListener,
     listen_addr: SocketAddr,
@@ -145,6 +155,33 @@ impl TlsAcceptor {
         })
     }
 
+    #[cfg(feature = "acme")]
+    pub async fn bind_acme(
+        addr: SocketAddr,
+        acme_resolver: Arc<ResolvesServerCertAcme>,
+    ) -> Result<Self> {
+        let listener = TcpListener::bind(addr).await?;
+        let listen_addr = listener.local_addr()?;
+
+        let provider = default_provider().into();
+        let mut server_config = ServerConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()
+            .map_err(|e| anyhow!("failed to set protocol versions: {}", e))?
+            .with_no_client_auth()
+            .with_cert_resolver(acme_resolver);
+        server_config.alpn_protocols.push(ACME_TLS_ALPN_NAME.to_vec());
+
+        let server_config = Arc::new(server_config);
+        let tokio_acceptor = TokioTlsAcceptor::from(server_config.clone());
+
+        Ok(Self {
+            listener,
+            listen_addr,
+            server_config,
+            tokio_acceptor,
+        })
+    }
+
     pub fn listen_addr(&self) -> SocketAddr {
         self.listen_addr
     }

tasks/transport/acme-cert-provisioning.md

@@ -43,8 +43,14 @@ This integrates with `TlsAcceptor` by providing ACME-resolved certificates inste
 
 ## Notes
 
-> To be filled by implementation agent
+- `AcmeCertProvider` is the main entry point. It creates `AcmeState` and `ResolvesServerCertAcme` from `rustls-acme`.
+- The `ResolvesServerCertAcme` resolver is shared between the `AcmeState` background task and the `ServerConfig`, so cert updates propagate automatically.
+- `AcmeTlsAcceptor::bind_acme()` creates a TLS acceptor that uses ACME-provisioned certs and spawns a background tokio task for auto-renewal.
+- `TlsAcceptor::bind_acme()` also added for users who want to use ACME with the standard `TlsAcceptor` type directly.
+- The `AcmeConfig` stub in `tls.rs` is retained for backward compat with existing `TlsAcceptor::bind()`.
+- `acme` feature implies `tls` and adds `rustls-acme` + `futures` dependencies.
+- TLS-ALPN-01 challenge handling works via the `acme-tls/1` ALPN protocol registered in `ServerConfig` — the resolver dispatches challenge vs regular certs automatically.
 
 ## Summary
 
-> To be filled on completion
+Implemented ACME/Let's Encrypt certificate provisioning (ADR-008) behind the `acme` feature flag. `AcmeCertProvider` supports domain-based and IP-based modes using `rustls-acme`. `AcmeTlsAcceptor::bind_acme()` and `TlsAcceptor::bind_acme()` provide ACME-integrated TLS acceptance with automatic certificate renewal via a background tokio task. Unit tests cover config construction, builder patterns, and server config generation. Integration test for LE staging is marked `#[ignore]`.