Let’s Encrypt TLS certificate lifecycle manager
Keeps the HTTPS transport’s TLS certificate fresh without operator intervention.
Uses instant-acme to talk to Let’s Encrypt (production or staging, picked via
[hashiverse_lib::tools::config::USE_PRODUCTION_LETS_ENCRYPT]) and
TLS-ALPN-01 to solve domain-validation challenges inline on the same HTTPS port
— no separate HTTP-01 listener needed.
Two cert slots live side-by-side in RwLocks:
- base_cert — the currently-serving cert.
- challenge_cert — the short-lived self-signed (via rcgen) cert rustls serves only when ACME is mid-challenge.
Swapping slots is atomic, so a refresh never drops a live TLS handshake.
Refresh cadence, retry-on-failure cadence, and renewal lead time all come from
the MILLIS_TO_WAIT_BETWEEN_CERT_* constants in
[hashiverse_lib::tools::config].
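The two-slot design and the renewal-lead-time check, as an added example rather than this crate's own code: it models the slots with std RwLocks only, stands in a small `Cert` struct for the rustls `CertifiedKey` the real manager would hold, and names `CertSlots`, `install_base`, `set_challenge`, `select` and `needs_renewal` as hypothetical helpers. The ALPN id `acme-tls/1` is the one TLS-ALPN-01 (RFC 8737) validators offer; everything else (labels, lifetimes) is constructed sample data.

```rust
use std::sync::{Arc, RwLock};
use std::time::{Duration, SystemTime};

/// Stand-in for a parsed certificate (assumption: the real manager stores a
/// rustls CertifiedKey; only the fields this example needs are modelled).
#[derive(Debug, PartialEq)]
pub struct Cert {
    pub label: String,
    pub not_after: SystemTime,
}

impl Cert {
    pub fn new(label: &str, not_after: SystemTime) -> Self {
        Cert { label: label.to_string(), not_after }
    }
}

/// ALPN protocol id a TLS-ALPN-01 validator offers (RFC 8737).
pub const ACME_TLS_ALPN: &[u8] = b"acme-tls/1";

/// The two slots: each has its own RwLock, so starting or finishing a
/// challenge never touches the serving cert.
pub struct CertSlots {
    base_cert: RwLock<Option<Arc<Cert>>>,
    challenge_cert: RwLock<Option<Arc<Cert>>>,
}

impl CertSlots {
    pub fn new() -> Self {
        CertSlots { base_cert: RwLock::new(None), challenge_cert: RwLock::new(None) }
    }

    /// Swap in a freshly issued cert. The write lock is held only for the
    /// pointer swap; a handshake that already cloned the old Arc keeps using
    /// it until it finishes, so nothing in flight is dropped. Returns the
    /// previous cert, if any.
    pub fn install_base(&self, cert: Cert) -> Option<Arc<Cert>> {
        let mut slot = self.base_cert.write().unwrap();
        slot.replace(Arc::new(cert))
    }

    /// Set (Some) or clear (None) the short-lived self-signed challenge cert.
    pub fn set_challenge(&self, cert: Option<Cert>) {
        *self.challenge_cert.write().unwrap() = cert.map(Arc::new);
    }

    /// Per-handshake selection. A client offering only acme-tls/1 is the ACME
    /// validator and gets the challenge cert, but only while a challenge is
    /// in progress; None means "abort the handshake" rather than answering a
    /// validation probe with the serving cert. Everyone else gets base_cert.
    pub fn select(&self, alpn: &[&[u8]]) -> Option<Arc<Cert>> {
        let is_acme = alpn.len() == 1 && alpn[0] == ACME_TLS_ALPN;
        if is_acme {
            self.challenge_cert.read().unwrap().clone()
        } else {
            self.base_cert.read().unwrap().clone()
        }
    }

    pub fn current_base(&self) -> Option<Arc<Cert>> {
        self.base_cert.read().unwrap().clone()
    }
}

/// Renewal decision: true once no more than `lead` remains before expiry,
/// or the cert has already expired. `lead` plays the role of the renewal
/// lead time the page says comes from the MILLIS_TO_WAIT_BETWEEN_CERT_*
/// constants.
pub fn needs_renewal(cert: &Cert, now: SystemTime, lead: Duration) -> bool {
    match cert.not_after.duration_since(now) {
        Ok(remaining) => remaining <= lead,
        Err(_) => true, // not_after is already in the past
    }
}

fn main() {
    let now = SystemTime::now();
    let day = Duration::from_secs(86_400);
    let slots = CertSlots::new();
    slots.install_base(Cert::new("base-v1", now + 10 * day));
    let h2: &[&[u8]] = &[&b"h2"[..]];
    println!("h2 client gets {:?}", slots.select(h2).map(|c| c.label.clone()));
    slots.set_challenge(Some(Cert::new("challenge", now + day)));
    println!("acme validator gets {:?}", slots.select(&[ACME_TLS_ALPN]).map(|c| c.label.clone()));
    let base = slots.current_base().unwrap();
    println!("renew base-v1 with 30-day lead? {}", needs_renewal(&base, now, 30 * day));
}
```

The point worth checking in the test is the swap guarantee: a handshake that cloned `base-v1` before `install_base` still holds `base-v1` afterwards while new handshakes get `base-v2`, which is what lets the refresh happen without dropping a live TLS session.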