txacme.endpoint module

A TLS endpoint that supports SNI and automatically issues / renews certificates via an ACME CA (e.g. Let's Encrypt).

class txacme.endpoint.AutoTLSEndpoint(reactor, directory, client_creator, cert_store, cert_mapping, sub_endpoint, check_interval=datetime.timedelta(1), reissue_interval=datetime.timedelta(30), panic_interval=datetime.timedelta(15), panic=<function _default_panic>, generate_key=<functools.partial object>)

A server endpoint that does TLS SNI, with certificates automatically (re)issued from an ACME certificate authority.

Parameters:
- reactor – The Twisted reactor.
- directory – twisted.python.url.URL for the ACME directory to use for issuing certs.
- client_creator (Callable[[reactor, twisted.python.url.URL], Deferred[txacme.client.Client]]) – A callable called with the reactor and directory URL for creating the ACME client. For example, partial(Client.from_url, key=acme_key, alg=RS256).
- cert_store (ICertificateStore) – The certificate store containing the certificates to manage. For example, txacme.store.DirectoryStore.
- cert_mapping (dict) – The certificate mapping to use for SNI; for example, txsni.snimap.HostDirectoryMap. Usually this should correspond to the same underlying storage as cert_store.
- check_interval (timedelta) – How often to check for expiring certificates.
- reissue_interval (timedelta) – If a certificate is expiring in less time than this interval, it will be reissued.
- panic_interval (timedelta) – If a certificate is expiring in less time than this interval, and reissuing fails, the panic callback will be invoked.
- panic (Callable[[Failure, str], Deferred]) – A callable invoked with the failure and server name when reissuing fails for a certificate expiring in the panic_interval. For example, you could generate a monitoring alert. The default callback logs a message at CRITICAL level.
- generate_key – A 0-arg callable used to generate a private key for a new cert. Normally you would not pass this unless you have specialized key generation requirements.

txacme.endpoint.load_or_create_client_key(pem_path)

Load the client key from a directory, creating it if it does not exist.

Note: The client key that will be created will be a 2048-bit RSA key.

Parameters:
- pem_path (twisted.python.filepath.FilePath) – The certificate directory to use, as with the endpoint.
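The following is an added example, not code from txacme or its documentation. It encodes the reissue_interval / panic_interval behaviour described above as a small decision function, shows a panic callback that raises a monitoring alert instead of only logging, and wires the named pieces (load_or_create_client_key, DirectoryStore, HostDirectoryMap, partial(Client.from_url, ...)) into an AutoTLSEndpoint. The RS256 import from josepy, URL.fromText and FilePath are assumptions not stated on this page.

```python
import logging
from datetime import timedelta
from functools import partial

log = logging.getLogger(__name__)
CHECK_INTERVAL = timedelta(days=1)      # the endpoint's documented defaults
REISSUE_INTERVAL = timedelta(days=30)
PANIC_INTERVAL = timedelta(days=15)

def renewal_state(not_after, now, reissue_interval=REISSUE_INTERVAL,
                  panic_interval=PANIC_INTERVAL):
    # 'ok': left alone; 'reissue': reissued, a failure is only logged;
    # 'panic': reissued, a failure also invokes the panic callback.
    remaining = not_after - now
    if remaining < panic_interval:
        return "panic"
    if remaining < reissue_interval:
        return "reissue"
    return "ok"

def alerting_panic(failure, server_name):
    # Panic callback body: log at CRITICAL and return a monitoring alert.
    # `failure` needs only getErrorMessage() (a Twisted Failure in practice).
    alert = {"server_name": server_name, "reason": failure.getErrorMessage()}
    log.critical("reissue failed for %s inside panic_interval: %s",
                 server_name, alert["reason"])
    return alert

def build_endpoint(reactor, cert_dir, directory_url, sub_endpoint):
    # Wire the page's pieces into an AutoTLSEndpoint. Imports are local so the helpers
    # above load without Twisted; RS256 (josepy), URL.fromText, FilePath are assumptions.
    from josepy.jwa import RS256
    from twisted.internet.defer import succeed
    from twisted.python.filepath import FilePath
    from twisted.python.url import URL
    from txacme.client import Client
    from txacme.endpoint import AutoTLSEndpoint, load_or_create_client_key
    from txacme.store import DirectoryStore
    from txsni.snimap import HostDirectoryMap
    cert_path = FilePath(cert_dir)
    acme_key = load_or_create_client_key(cert_path)  # 2048-bit RSA, made on first run
    return AutoTLSEndpoint(
        reactor, URL.fromText(directory_url),
        client_creator=partial(Client.from_url, key=acme_key, alg=RS256),
        cert_store=DirectoryStore(cert_path),
        cert_mapping=HostDirectoryMap(cert_path),  # same storage as cert_store
        sub_endpoint=sub_endpoint, check_interval=CHECK_INTERVAL,
        reissue_interval=REISSUE_INTERVAL, panic_interval=PANIC_INTERVAL,
        panic=lambda f, name: succeed(alerting_panic(f, name)),
    )
```

renewal_state is what a check run every check_interval decides for each stored certificate; note that the panic callback only fires when a reissue attempt has failed, not merely because the certificate is inside panic_interval.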