Automatic HTTPS certificates for trillium.rs, via Let's Encrypt and ACME tls-alpn-01 challenges

Overview

trillium-acme helps you serve HTTPS with Trillium using automatic certificates, via Let’s Encrypt and ACME tls-alpn-01 challenges.

To use trillium-acme, create an AcmeConfig to configure the certificate you want, then call trillium_acme::new to create an Acceptor and a future. Spawn the future using the same stopper as the server, then pass the Acceptor to the server configuration:

use trillium_acme::AcmeConfig;
use trillium_acme::rustls_acme::caches::DirCache;

let config = AcmeConfig::new(["domain.example"])
    .contact_push("mailto:[email protected]")
    .cache(DirCache::new("/srv/example/acme-cache-dir"));

let (acceptor, future) = trillium_acme::new(config);
let stopper = trillium_smol::Stopper::new();
let future = stopper.stop_future(future);
trillium_smol::spawn(async {
    future.await;
});
trillium_smol::config()
    .with_port(443)
    .with_host("0.0.0.0")
    .with_nodelay()
    .with_acceptor(acceptor)
    .with_stopper(stopper)
    .run(|conn: trillium::Conn| async move {
       conn.ok("Hello TLS!")
    });

This will configure the TLS stack to obtain a certificate for the domain domain.example, which must be a domain for which your Trillium server handles HTTPS traffic.

On initial startup, your server will register a certificate via Let's Encrypt. Let's Encrypt will verify your server's control of the domain via an ACME tls-alpn-01 challenge, which the TLS listener configured by trillium-acme will respond to.

You must supply a cache via AcmeConfig::cache or one of the other cache methods. This cache will keep the ACME account key and registered certificates between runs, needed to avoid hitting rate limits. You can use rustls_acme::caches::DirCache for a simple filesystem cache, or implement your own caching using the rustls_acme cache traits.

By default, trillium-acme will use the Let's Encrypt staging environment, which is suitable for testing purposes; it produces certificates signed by a staging root so that you can verify your stack is working, but those certificates will not be trusted in browsers or other HTTPS clients. The staging environment has more generous rate limits for use while testing.

When you're ready to deploy to production, you can call .directory_lets_encrypt(true) to switch to the production Let's Encrypt environment, which produces certificates trusted in browsers and other HTTPS clients. The production environment has stricter rate limits.

trillium-acme builds upon the rustls-acme crate.

You might also like...
An end-to-end encrypted, anonymous IP-hiding, decentralized, audio/video/file sharing/offline messaging multi-device platform built for both communications and application security and performance.

An end-to-end encrypted, anonymous IP-hiding, decentralized, audio/video/file sharing/offline messaging multi-device platform built for both communications and application security and performance.

A fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption
A fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption

A fast, stable, efficient, and lightweight intranet penetration, port forwarding tool supports multiple connections, cascading proxy, and transmission encryption

A proxy implement with http / socks5 in-bound and vmess out-bound, written in Rust and tokio.rs

tokio-vmess an Asynchronous proxy implement with http / socks5 in-bound and vmess out-bound, written in Rust and tokio Run example first, Fill out the

A simple web server(and library) to display server stats over HTTP and Websockets/SSE or stream it to other systems.

x-server-stats A simple web server(and library) to display server stats over HTTP and Websockets/SSE or stream it to other systems. x-server(in x-serv

The gRPC library for Rust built on C Core library and futures

gRPC-rs gRPC-rs is a Rust wrapper of gRPC Core. gRPC is a high performance, open source universal RPC framework that puts mobile and HTTP/2 first. Sta

🥧 Savoury implementation of the QUIC transport protocol and HTTP/3

quiche is an implementation of the QUIC transport protocol and HTTP/3 as specified by the IETF. It provides a low level API for processing QUIC packet

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

tosh Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code... Inspired fro

A versatile and efficient proxy framework with nice features suitable for various use cases.

A versatile and efficient proxy framework with nice features suitable for various use cases.

Owner
Josh Triplett
Free and Open Source Software developer. @rust-lang developer.
Josh Triplett
Obtain (wildcard) certificates from let's encrypt using dns-01 without the need for API access to your DNS provider.

Agnos Presentation Agnos is a single-binary program allowing you to easily obtain certificates (including wildcards) from Let's Encrypt using DNS-01 c

Arthur Carcano 246 Dec 20, 2022
An async, user-friendly Let's Encrypt/ACMEv2 library written in Rust

lers An async, user-friendly Let's Encrypt/ACMEv2 library written in Rust. The API and implementation were inspired by acme2, acme-micro, and lego. Fe

Alexander Krantz 20 Apr 3, 2023
Library + CLI-Tool to measure the TTFB (time to first byte) of HTTP requests. Additionally, this crate measures the times of DNS lookup, TCP connect and TLS handshake.

TTFB: CLI + Lib to Measure the TTFB of HTTP/1.1 Requests Similar to the network tab in Google Chrome or Mozilla Firefox, this crate helps you find the

Philipp Schuster 24 Dec 1, 2022
Docker containers on a synthetic network. Run applications in a context that lets you manipulate their network conditions.

Synthetic Network Docker containers on a synthetic network. Run applications in a context that lets you manipulate their network conditions. Dependenc

Daily 58 Dec 15, 2022
A tcp over http2 + tls proxy

mtunnel A tcp over http2 + tls proxy. Usage 1. get certificates, by following steps. 2. make your config client config: { "local_addr": "127.0.0.1

cssivision 9 Sep 5, 2022
Final Project for "Computer Networking Security": A Layer-3 VPN implementation over TLS

Final Project for "Computer Networking Security": A Layer-3 VPN implementation over TLS

Siger Yang 2 Jun 7, 2022
RDE1 (Rusty Data Exfiltrator) is client and server tool allowing auditor to extract files from DNS and HTTPS protocols written in Rust. 🦀

Information: RDE1 is an old personal project (end 2022) that I didn't continue development on. It's part of a list of projects that helped me to learn

Quentin Texier (g0h4n) 32 Oct 6, 2023
A tool to aid in self-hosting. Expose local services on your computer, via a public IPv4 address.

innisfree A tool to aid in self-hosting. Expose local services on your computer, via a public IPv4 address. Why? Most of the data I maintain is local,

Conor Schaefer 7 Mar 19, 2022
Expose local age identities to remote machines via SSH

age-plugin-remote TBD Design Notes Proxy identities act as bearer tokens. A proxy identity is only "active" if the authority provides it when starting

null 6 Aug 19, 2022
DNS Server written in Rust for fun, see https://dev.to/xfbs/writing-a-dns-server-in-rust-1gpn

DNS Fun Ever wondered how you can write a DNS server in Rust? No? Well, too bad, I'm telling you anyways. But don't worry, this is going to be a fun o

Patrick Elsen 26 Jan 13, 2023