I'm a Rust developer with a little Linux server at home on which I'm trying to locally deploy, over TLS, a dioxus/leptos hobby app I've written. I need a certificate for a subdomain of zapto.org (offered freely by no-ip.com).
My ISP blocks port 80, so I'm not able to use the http-01 challenge.
My ISP doesn't block port 443, however, so I was able to use the tokio-rustls-acme crate in Rust (from your excellent list of recommended client options) to successfully get TLS working on port 443 using the simple code example from that library, since it supports the TLS-ALPN-01 challenge. Yay!
My issue is that this library is not integrated with the axum server used by dioxus, which only accepts static key.pem and cert.pem files to configure TLS.
So I'm wondering: is there a standalone client out there which supports the TLS-ALPN-01 challenge (the recommended certbot client only supports the http-01 and dns-01 challenges) and which can write those two key.pem and cert.pem files for me?
As it's only a little home project, I'd gladly shut it down for two minutes every two months to get a renewed certificate (until, with some luck, hyper-rustls (which is used by axum, which is used by dioxus and leptos) directly supports tokio-rustls-acme).
First, this list is 5 years out of date but may have some options for you:
Although it is not a standalone client, there are 2 ways of doing this with the Nginx server worth mentioning:
1. With normal Nginx, there is support via the dehydrated client. Instructions are on that page, but I'll talk about that below.
2. With the OpenResty fork, there are several OPM Lua packages that bring tls-alpn-01 into the stack. They include OPM - OpenResty Package Manager and OPM - OpenResty Package Manager. While the first option embeds the client into OpenResty, the second defers work to Golang... which ties into section 1 above... Several other projects in OpenResty do this too, IIRC.
Going back to Nginx+dehydrated, that info is here and worth reading:
Basically, a popular integration for Nginx/OpenResty - and some other servers - is to proxy the TLS-ALPN-01 challenge onto a command-line script or secondary service. There is probably a way you can leverage this strategy in your Rust server using one of those tools (dehydrated or the Golang client invoked by the OpenResty option), or a Rust tool.
I'm not familiar with the software you're using, but one option for handling old software that doesn't know how to manage certificates automatically is to put something that does know how in front of it (a "reverse proxy"). Generally, if it's on the same system, the fact that the proxy isn't using TLS to talk to the back-end isn't actually a problem (or maybe you have it speak TLS using a long-lived self-signed certificate or the like).
More specifically, Caddy supports TLS-ALPN, and you might want to look into whether having it manage everything and just proxy the connection to your system might make your life easier. (It might not end up being easier; systems can be complicated.)
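As an added illustration of the reverse-proxy approach described in this reply (not configuration from the original thread or from the Caddy project), here is a Caddyfile for the setup the question describes: port 80 is blocked, so the ACME issuer is told to use only the TLS-ALPN-01 challenge, and Caddy terminates TLS on 443 and forwards plaintext to the Rust app on the same machine. The hostname, e-mail address and backend port are placeholders.

```caddyfile
# Placeholder hostname; replace with your zapto.org subdomain.
myapp.zapto.org {
    # Placeholder contact address for the ACME account.
    tls admin@example.invalid {
        issuer acme {
            # Port 80 is blocked by the ISP, so never attempt http-01;
            # Caddy will use tls-alpn-01 on port 443 instead.
            disable_http_challenge
        }
    }

    # Forward decrypted traffic to the dioxus/leptos server listening
    # on localhost. Plain HTTP is acceptable here only because the hop
    # never leaves the machine (placeholder port).
    reverse_proxy 127.0.0.1:8080
}
```

With this in place, the Rust application no longer needs key.pem and cert.pem at all: Caddy obtains and renews the certificate, and the app only ever sees a loopback connection. Because the http-01 challenge is disabled explicitly, a failed issuance will show up in Caddy's logs as a TLS-ALPN-01 problem rather than a misleading timeout on port 80, which makes troubleshooting the blocked-port situation much clearer.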