instant-acme: async, pure-Rust ACME client

instant-acme is an async, pure-Rust ACME (RFC 8555) client.

instant-acme is used in production at Instant Domain Search to help us provision TLS certificates within seconds for our customers. instant-acme relies on Tokio and rustls to implement the RFC 8555 specification.

Features

• Store/recover your account credentials by serializing/deserializing
• Fully async implementation with tracing support
• Support for processing multiple orders concurrently
• Support for external account binding
• Support for certificate revocation
• Uses hyper with rustls and Tokio for HTTP requests
• Uses ring or aws-lc-rs for ECDSA signing
• Minimum supported Rust version: 1.63

Cargo features

• hyper-rustls (default): use a hyper client with rustls
• ring (default): use the ring crate as the crypto backend
• aws-lc-rs: use the aws-lc-rs crate as the crypto backend
• fips: enable the aws-lc-rs crate's FIPS-compliant mode

If both ring and aws-lc-rs are enabled, which backend is used depends on the fips feature. If fips is enabled, aws-lc-rs is used; otherwise, ring is used.

Limitations

• Only tested with DNS challenges against Let's Encrypt (staging and production) and ZeroSSL (production) so far
• Only supports ECDSA keys for now

Getting started

See the examples directory for an example of how to use instant-acme.