#letsencrypt #acme


A Tokio and OpenSSL based ACMEv2 client

1 unstable release

0.5.1 Aug 10, 2022

#902 in Cryptography

Download history 117/week @ 2022-10-07 70/week @ 2022-10-14 71/week @ 2022-10-21 163/week @ 2022-10-28 248/week @ 2022-11-04 80/week @ 2022-11-11 91/week @ 2022-11-18 70/week @ 2022-11-25 42/week @ 2022-12-02 61/week @ 2022-12-09 66/week @ 2022-12-16 27/week @ 2022-12-23 13/week @ 2022-12-30 23/week @ 2023-01-06 49/week @ 2023-01-13 24/week @ 2023-01-20

117 downloads per month
Used in plane-drone

MIT license

1.5K SLoC

Note: this is a fork of lucacasonato/acme2 that adds External Account Binding support, needed for ZeroSSL and Google Certificate Manager support. It is packaged separately so that we can use it from other codebases until this upstream PR is merged.


A Tokio and OpenSSL based ACMEv2 client.


  • ACME v2 support, tested against Let's Encrypt and Pebble
  • Fully async, using reqwest / Tokio
  • Support for DNS01 and HTTP01 validation
  • Fully instrumented with tracing


This example demonstrates how to provision a certificate for the domain example.com using http-01 validation.

use acme2::gen_rsa_private_key;
use acme2::AccountBuilder;
use acme2::AuthorizationStatus;
use acme2::ChallengeStatus;
use acme2::DirectoryBuilder;
use acme2::Error;
use acme2::OrderBuilder;
use acme2::OrderStatus;
use acme2::Csr;
use std::time::Duration;

const LETS_ENCRYPT_URL: &'static str =

async fn main() -> Result<(), Error> {
  // Create a new ACMEv2 directory for Let's Encrypt.
  let dir = DirectoryBuilder::new(LETS_ENCRYPT_URL.to_string())

  // Create an ACME account to use for the order. For production
  // purposes, you should keep the account (and private key), so
  // you can renew your certificate easily.
  let mut builder = AccountBuilder::new(dir.clone());
  let account = builder.build().await?;

  // Create a new order for a specific domain name.
  let mut builder = OrderBuilder::new(account);
  let order = builder.build().await?;

  // Get the list of needed authorizations for this order.
  let authorizations = order.authorizations().await?;
  for auth in authorizations {
    // Get an http-01 challenge for this authorization (or panic
    // if it doesn't exist).
    let challenge = auth.get_challenge("http-01").unwrap();

    // At this point in time, you must configure your webserver to serve
    // a file at `https://example.com/.well-known/${challenge.token}`
    // with the content of `challenge.key_authorization()??`.

    // Start the validation of the challenge.
    let challenge = challenge.validate().await?;

    // Poll the challenge every 5 seconds until it is in either the
    // `valid` or `invalid` state.
    let challenge = challenge.wait_done(Duration::from_secs(5), 3).await?;

    assert_eq!(challenge.status, ChallengeStatus::Valid);

    // You can now remove the challenge file hosted on your webserver.

    // Poll the authorization every 5 seconds until it is in either the
    // `valid` or `invalid` state.
    let authorization = auth.wait_done(Duration::from_secs(5), 3).await?;
    assert_eq!(authorization.status, AuthorizationStatus::Valid)

  // Poll the order every 5 seconds until it is in either the
  // `ready` or `invalid` state. Ready means that it is now ready
  // for finalization (certificate creation).
  let order = order.wait_ready(Duration::from_secs(5), 3).await?;

  assert_eq!(order.status, OrderStatus::Ready);

  // Generate an RSA private key for the certificate.
  let pkey = gen_rsa_private_key(4096)?;

  // Create a certificate signing request for the order, and request
  // the certificate.
  let order = order.finalize(Csr::Automatic(pkey)).await?;

  // Poll the order every 5 seconds until it is in either the
  // `valid` or `invalid` state. Valid means that the certificate
  // has been provisioned, and is now ready for download.
  let order = order.wait_done(Duration::from_secs(5), 3).await?;

  assert_eq!(order.status, OrderStatus::Valid);

  // Download the certificate, and panic if it doesn't exist.
  let cert = order.certificate().await?.unwrap();
  assert!(cert.len() > 1);



To run the tests, you will need to install pebble and pebble-challtestsrv.

Start these before running the tests with these commands (in seperate shells):

pebble -config ./pebble-config.json -strict


To compile on Windows you will need OpenSSL. Here is an easy way to get it installed.

(example in Git Bash)

git clone https://github.com/microsoft/vcpkg
cd vcpkg
./vcpkg.exe install openssl
./vcpkg.exe install openssl:x64-windows-static
# Add OPENSSL_DIR=/vcpkg/path/installed/x64-windows-static
cargo build


This project is licenced under MIT. See LICENCE file for more.


~312K SLoC