package letsencrypt

  1. Overview
  2. Docs
Legend:
Library
Module
Module type
Parameter
Class
Class type

ACME Client.

This module provides client commands. Note: right now this module implements only the strict necessary in order to register an account, solve http-01 challenges provided by the CA, and fetch the certificate. This means that you will be able to maintain your server with this.

type t
type solver
val http_solver : ([ `host ] Domain_name.t -> prefix:string -> token:string -> content:string -> (unit, [ `Msg of string ]) Stdlib.result Lwt.t) -> solver

http_solver (fun domain ~prefix ~token ~content) is a solver for http-01 challenges. The provided function should return Ok () once the web server at domain serves content as prefix/token: a GET request to http://domain/prefix/token should return content. The prefix is ".well-known/acme-challenge".

val print_http : solver

print_http outputs the HTTP challenge solution, and waits for user input before continuing with ACME.

val dns_solver : ([ `raw ] Domain_name.t -> string -> (unit, [ `Msg of string ]) Stdlib.result Lwt.t) -> solver

dns_solver (fun domain content) is a solver for dns-01 challenges. The provided function should return Ok () once the authoritative name servers serve a TXT record at domain with the content. The domain already has the _acme-challenge. prepended.

val print_dns : solver

print_dns outputs the DNS challenge solution, and waits for user input before continuing with ACME.

val nsupdate : ?proto:Dns.proto -> int -> (unit -> Ptime.t) -> (Cstruct.t -> (unit, [ `Msg of string ]) Stdlib.result Lwt.t) -> ?recv:(unit -> (Cstruct.t, [ `Msg of string ]) Stdlib.result Lwt.t) -> zone:[ `host ] Domain_name.t -> keyname:'a Domain_name.t -> Dns.Dnskey.t -> solver

nsupdate ~proto id now send ~recv ~keyname key ~zone constructs a dns solver that sends a DNS update packet (using send) and optionally waits for a signed reply (using recv if present) to solve challenges. The update is signed with a hmac transaction signature (DNS TSIG) using now () as timestamp, and the keyname and key for the cryptographic material. The zone is the one to be used in the query section of the update packet. If signing, sending, or receiving fails, the error is reported.

val alpn_solver : ([ `host ] Domain_name.t -> alpn:string -> X509.Private_key.t -> X509.Certificate.t -> (unit, [ `Msg of string ]) Stdlib.result Lwt.t) -> solver

alpn_solver (fun domain ~alpn private_key certificate) is a solver for tls-alpn-01 challenes. The provided function should return Ok () once the TLS server at domain serves the self-signed certificate (with private_key) under the ALPN alpn ("acme-tls/1").

val print_alpn : solver

print_alpn outputs the ALPN challenge solution, and waits for user input before continuing with ACME.

module Make (Http : Cohttp_lwt.S.Client) : sig ... end
OCaml

Innovation. Community. Security.