txacme.client module

ACME client API (like acme.client) implementation for Twisted.

class txacme.client.Client(directory, reactor, key, jws_client)

ACME client interface.


Accept the terms-of-service for a registration.

Parameters: regr (RegistrationResource) – The registration to update.
Returns: The updated registration resource.
Return type: Deferred[RegistrationResource]

answer_challenge(challenge_body, response)

Respond to an authorization challenge.


Returns: The updated challenge resource.

Return type:


fetch_chain(certr, max_length=10)

Fetch the intermediary chain for a certificate.

Return type:



Returns: The issuer certificate chain, ordered with the trust anchor last.

classmethod from_url(reactor, url, key, alg=RS256, jws_client=None)

Construct a client from an ACME directory at a given URL.

Parameters:
  • url – The twisted.python.url.URL to fetch the directory from. See txacme.urls for constants for various well-known public directories.
  • reactor – The Twisted reactor to use.
  • key (JWK) – The client key to use.
  • alg – The signing algorithm to use. Needs to be compatible with the type of key used.
  • jws_client (JWSClient) – The underlying client to use, or None to construct one.

Returns: The constructed client.

Return type:



Update an authorization from the server (usually to check its status).


Create a new registration with the ACME server.

Parameters: new_reg (NewRegistration) – The registration message to use, or None to construct one.
Returns: The registration resource.
Return type: Deferred[RegistrationResource]

Create a new authorization.

Parameters: identifier (Identifier) – The identifier to authorize.
Returns: The new authorization resource.
Return type: Deferred[AuthorizationResource]

Request a certificate.

Authorizations should have already been completed for all of the names requested in the CSR.

Note that unlike acme.client.Client.request_issuance, the certificate resource will have the body data as raw bytes.


Delayed issuance is not currently supported; the server must issue the requested certificate immediately.

Parameters: csr – A certificate request message: normally txacme.messages.CertificateRequest or acme.messages.CertificateRequest.
Return type: Deferred[acme.messages.CertificateResource]
Returns: The issued certificate.

classmethod retry_after(response, default=5, _now=<built-in function time>)

Parse the Retry-After value from a response.
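An added example, not txacme's own code: a standard-library illustration of what parsing Retry-After involves, since the header may carry either delta-seconds or an HTTP-date. The name parse_retry_after and the maximum clamp are assumptions made for this illustration.

```python
import re
import time
from datetime import timezone
from email.utils import parsedate_to_datetime


def parse_retry_after(value, default=5, maximum=3600, now=time.time):
    """Return seconds to wait for a raw Retry-After header value.

    Hypothetical helper (not txacme's retry_after). `value` is the header
    string, or None when absent. `maximum` is an assumed clamp so that a
    server-supplied delay cannot stall the client indefinitely.
    """
    if value is None:
        return default
    value = value.strip()
    # Form 1: delta-seconds, a non-negative decimal integer.
    if re.fullmatch(r"[0-9]+", value):
        return min(int(value), maximum)
    # Form 2: an HTTP-date, converted to a delay relative to `now`.
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return default  # unparseable: fall back rather than fail
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # treat naive dates as UTC
    delay = int(when.timestamp() - now())
    # A date in the past means "retry now"; never return a negative delay.
    return max(0, min(delay, maximum))
```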

update_registration(regr, uri=None)

Submit a registration to the server to update it.


Returns: The updated registration resource.

Return type:


class txacme.client.JWSClient(treq_client, key, alg, user_agent='txacme/0.9.1+2.g9b52744.dirty')

HTTP client using JWS-signed messages.

get(url, content_type='application/json', **kwargs)

Send GET request and check response.

Parameters:
  • method (str) – The HTTP method to use.
  • url (str) – The URL to make the request to.

Returns: Deferred firing with the checked HTTP response.

head(url, *args, **kwargs)

Send HEAD request without checking the response.

Note that _check_response is not called, as there will be no response body to check.

Parameters: url (str) – The URL to make the request to.

post(url, obj, content_type='application/json', **kwargs)

POST an object and check the response. Retry once if a badNonce error is received.

Parameters:
  • url (str) – The URL to request.
  • obj (JSONDeSerializable) – The serializable payload of the request.
  • content_type (bytes) – The expected content type of the response. By default, JSON.
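The retry-once behaviour of post on a badNonce error, modelled as an added example that is not txacme's code. FakeServer, NonceClient and this local ServerError are constructed stand-ins; the point is that a rejected nonce is replaced by the server's fresh one and the request is repeated exactly once.

```python
import secrets

class ServerError(Exception):
    """Wraps an ACME problem document returned by the server."""
    def __init__(self, problem):
        super().__init__(problem.get("type"))
        # Suffix match: drafts used urn:acme:error:badNonce, RFC 8555
        # uses urn:ietf:params:acme:error:badNonce.
        self.is_bad_nonce = str(problem.get("type", "")).endswith(":badNonce")

class FakeServer:
    """Constructed stand-in for an ACME server; each nonce is single-use."""
    def __init__(self, error_type=None):
        self.valid, self.error_type = set(), error_type

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.valid.add(nonce)
        return nonce

    def post(self, nonce, payload):
        # Returns (status, body, fresh Replay-Nonce value).
        if self.error_type:  # forced failure, used only by the tests
            return 400, {"type": self.error_type}, self.new_nonce()
        if nonce not in self.valid:
            return 400, {"type": "urn:ietf:params:acme:error:badNonce"}, self.new_nonce()
        self.valid.discard(nonce)  # consume: a replay is now rejected
        return 200, {"accepted": payload}, self.new_nonce()

class NonceClient:
    def __init__(self, server):
        self.server, self.nonces, self.attempts = server, [], 0

    def _post_once(self, payload):
        self.attempts += 1
        nonce = self.nonces.pop() if self.nonces else self.server.new_nonce()
        # A real client re-signs the JWS here: the nonce is in the protected header.
        status, body, fresh = self.server.post(nonce, payload)
        self.nonces.append(fresh)  # keep the server's replacement nonce
        if status != 200:
            raise ServerError(body)
        return body

    def post(self, payload):
        try:
            return self._post_once(payload)
        except ServerError as err:
            if not err.is_bad_nonce:
                raise
            return self._post_once(payload)  # one retry only, never a loop
```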
exception txacme.client.ServerError(message, response)

acme.messages.Error isn’t usable as an asynchronous exception, because it doesn’t allow setting the __traceback__ attribute like Twisted wants to do when cleaning Failures. This type exists to wrap such an error, as well as provide access to the original response.


Construct an identifier from an FQDN.

Trivial implementation, just saves on typing.

Parameters: fqdn (str) – The domain name.
Returns: The identifier.
Return type: Identifier

txacme.client.answer_challenge(authzr, client, responders)

Complete an authorization using a responder.

Parameters:
  • auth (AuthorizationResource) – The authorization to complete.
  • client (Client) – The ACME client.
  • responders (List[IResponder]) – A list of responders that can be used to complete the challenge with.

Returns: A deferred firing when the authorization is verified.

txacme.client.poll_until_valid(authzr, clock, client, timeout=300.0)

Poll an authorization until it is in a state other than pending or processing.

Parameters:
  • auth (AuthorizationResource) – The authorization to complete.
  • clock – The IReactorTime implementation to use; usually the reactor, when not testing.
  • client (Client) – The ACME client.
  • timeout (float) – Maximum time to poll in seconds, before giving up.

Raises:
  • txacme.client.AuthorizationFailed – if the authorization is no longer in the pending, processing, or valid states.
  • twisted.internet.defer.CancelledError – if the authorization was still in pending or processing state when the timeout was reached.

Return type:



Returns: A deferred firing when the authorization has completed/failed; if the authorization is valid, the authorization resource will be returned.
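The status handling described for poll_until_valid, as an added synchronous model rather than txacme's Deferred-based code. poll_authorization, FakeClock and scripted are hypothetical names, the status sequences are constructed, and the built-in TimeoutError stands in for the CancelledError the page documents.

```python
class AuthorizationFailed(Exception):
    """The authorization left the pending/processing/valid states."""


class FakeClock:
    """Constructed deterministic clock so the example runs instantly."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


def poll_authorization(fetch, clock, timeout=300.0):
    """Call fetch() -> (status, retry_after_seconds) until a final state."""
    deadline = clock.now + timeout
    while True:
        status, retry_after = fetch()
        if status == "valid":
            return status
        if status not in ("pending", "processing"):
            # Any other status is terminal and treated as a failure.
            raise AuthorizationFailed(status)
        if clock.now + retry_after > deadline:
            # Still undecided and the next poll would pass the deadline.
            raise TimeoutError("still %s after %.0fs" % (status, timeout))
        clock.sleep(retry_after)


def scripted(statuses, retry_after=5):
    """Build a fetch() that replays constructed server statuses in order."""
    it = iter(statuses)
    return lambda: (next(it), retry_after)
```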

exception txacme.client.NoSupportedChallenges

No supported challenges were found in an authorization.

exception txacme.client.AuthorizationFailed(authzr)

An attempt was made to complete an authorization, but it failed.