#acme #rustls #tls


TLS certificate management and serving using rustls

10 releases

0.2.0 Oct 20, 2021
0.1.8 Oct 20, 2021
0.1.7 Sep 6, 2021
0.1.6 Apr 18, 2021
0.1.2 Feb 27, 2021

#325 in Cryptography

Download history 299/week @ 2021-09-25 110/week @ 2021-10-02 137/week @ 2021-10-09 358/week @ 2021-10-16 148/week @ 2021-10-23 96/week @ 2021-10-30 103/week @ 2021-11-06 81/week @ 2021-11-13 121/week @ 2021-11-20 175/week @ 2021-11-27 241/week @ 2021-12-04 99/week @ 2021-12-11 53/week @ 2021-12-18 4/week @ 2021-12-25 80/week @ 2022-01-01 68/week @ 2022-01-08

205 downloads per month
Used in 5 crates (2 directly)

Apache-2.0 OR MIT

867 lines


TLS certificate management and serving using rustls


Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


rustls-acme is an easy-to-use, async compatible ACME client library for rustls. The validation mechanism used is tls-alpn-01, which allows serving acme challenge responses and regular TLS traffic on the same port.

The goal is to provide TLS serving and certificate management in one simple function, in a way that is compatible with Let's Encrypt.

To use rustls-acme add the following lines to your Cargo.toml:

rustls-acme = "*"

High-level API

The high-level API consinsts of a single function: bind_listen_serve, which takes care of aquisition and renewal of signed certificates as well as accepting TLS connections and handing over the resulting TLS stream to a user provided handler function.

use rustls_acme::*;
use async_std::prelude::*;
use simple_logger::SimpleLogger;

const HELLO: &'static [u8] = br#"HTTP/1.1 200 OK
Content-Length: 11
Content-Type: text/plain; charset=utf-8

Hello Tls!"#;

async fn main() {

    let tls_handler = |mut tls: TlsStream| async move {
        if let Err(err) = tls.write_all(HELLO).await {
            log::error!("{:?}", err);


The server_simple example is a "Hello Tls!" server similar to the one above which accepts domain, port and cache directory parameters.

Note that all examples use the let's encrypt staging directory. The production directory imposes strict rate limits, which are easily exhausted accidentally during testing and development. For testing with the staging directory you may open https://<your domain>:<port> in a browser that allows TLS connection to servers signed by an untrusted CA (in Firefox click "Advanced..." -> "Accept the Risk and Continue").

Due to limitations in rustls and the futures ecosystems in Rust at the moment, the simple API depends on the async-std runtime and spawns a single task at startup. (Ideas how to avoid this are welcome.)

Lower-level Rustls API

rustls-acme relies heavily on rustls and async-rustls. In particular, the rustls::ResolvesServerCert trait is used to allow domain validation and tls serving via a single tcp listener. See the server_runtime_indendent example on how to use the lower-level API directly with rustls. This does not use the async-std runtime and allows users to run the certificate aquisition and renewal task any way they like.

Account and certificate caching

A production server using the let's encrypt production directory must implement both account and certificate caching to avoid exhausting the let's encrypt API rate limits.

The acme module

The underlying implementation of an async acme client may be useful to others and is exposed as a module. It is incomplete (contributions welcome) and not covered by any stability promises.

Special thanks

This crate was inspired by the autocert package for Go.

This crate builds on the excellent work of the authors of rustls, async-rustls, async-std, and many others.


~466K SLoC