itsi-scheduler 0.2.26-aarch64-linux → 0.2.27-aarch64-linux

data/ext/itsi_scheduler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-scheduler"
-version = "0.2.26"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/ext/itsi_scheduler/src/itsi_scheduler.rs

@@ -4,22 +4,19 @@ mod timer;
 use io_helpers::{build_interest, poll_readiness, set_nonblocking};
 use io_waiter::IoWaiter;
 use itsi_error::ItsiError;
-use itsi_rb_helpers::{call_without_gvl, create_ruby_thread};
-use magnus::{
-    error::Result as MagnusResult,
-    value::{InnerValue, Lazy, LazyId, Opaque, ReprValue},
-    Module, RClass, Ruby, Value,
-};
+use itsi_rb_helpers::call_without_gvl;
+use magnus::{error::Result as MagnusResult, Ruby};
 use mio::{Events, Poll, Token, Waker};
-use parking_lot::{Mutex, RwLock};
+use parking_lot::Mutex;
 use std::{
     collections::{BinaryHeap, HashMap, VecDeque},
+    ffi::CString,
     os::fd::RawFd,
-    sync::Arc,
+    ptr,
     time::Duration,
 };
 use timer::Timer;
-use tracing::{debug, error, info, warn};
+use tracing::{debug, info, warn};
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
 pub(crate) struct Readiness(i16);
@@ -31,9 +28,6 @@ impl std::fmt::Debug for ItsiScheduler {
 }
 
 const WAKE_TOKEN: Token = Token(0);
-static ID_CURRENT: LazyId = LazyId::new("current");
-static CLASS_FIBER: Lazy<RClass> =
-    Lazy::new(|ruby| ruby.module_kernel().const_get("Fiber").unwrap());
 
 #[magnus::wrap(class = "Itsi::Scheduler", free_immediately, size)]
 pub(crate) struct ItsiScheduler {
@@ -123,6 +117,57 @@ impl ItsiScheduler {
         self.timers.lock().retain(|timer| timer.token.0 != token);
     }
 
+    pub fn cancel_wait(&self, token: usize) -> MagnusResult<()> {
+        let token = Token(token);
+
+        self.timers.lock().retain(|timer| timer.token != token);
+
+        let mut io_waiters = self.io_waiters.lock();
+        let Some(mut waiter) = io_waiters.remove(&token) else {
+            return Ok(());
+        };
+
+        let mut registry = self.registry.lock();
+        let Some(queue) = registry.get_mut(&waiter.fd) else {
+            return Ok(());
+        };
+
+        let Some(position) = queue.iter().position(|entry| entry.token == token) else {
+            return Ok(());
+        };
+
+        if position == 0 {
+            self.poll
+                .lock()
+                .registry()
+                .deregister(&mut waiter)
+                .map_err(|_| {
+                    ItsiError::ArgumentError("Failed to deregister".to_string())
+                })?;
+        }
+
+        queue.remove(position);
+
+        if position == 0 {
+            if let Some(head) = queue.get_mut(0) {
+                let interest = build_interest(head.readiness)?;
+                self.poll
+                    .lock()
+                    .registry()
+                    .register(head, head.token, interest)
+                    .map_err(|_| {
+                        ItsiError::ArgumentError("Failed to register".to_string())
+                    })?;
+            }
+        }
+
+        if queue.is_empty() {
+            registry.remove(&waiter.fd);
+        }
+
+        Ok(())
+    }
+
     pub fn has_pending_io(&self) -> bool {
         !self.timers.lock().is_empty() || !self.io_waiters.lock().is_empty()
     }
@@ -220,63 +265,69 @@ impl ItsiScheduler {
         })
     }
 
-    pub fn run_blocking_in_thread<T, F>(&self, ruby: &Ruby, work: F) -> MagnusResult<Option<T>>
-    where
-        T: Send + Sync + std::fmt::Debug + 'static,
-        F: FnOnce() -> Option<T> + Send + 'static,
-    {
-        let result: Arc<RwLock<Option<T>>> = Arc::new(RwLock::new(None));
-        let result_clone = Arc::clone(&result);
-
-        let class_fiber = ruby.get_inner(&CLASS_FIBER);
-        let current_fiber = ruby
-            .get_inner(&CLASS_FIBER)
-            .funcall::<_, _, Value>(*ID_CURRENT, ());
-
-        if current_fiber.is_err() {
-            error!("Failed to get current fiber");
-            return Err(ItsiError::ArgumentError("Failed to get current fiber".to_string()).into());
-        }
-        let current_fiber = Opaque::from(current_fiber.unwrap());
-        let scheduler = Opaque::from(class_fiber.funcall::<_, _, Value>("scheduler", ()).unwrap());
-
-        create_ruby_thread(move || {
-            call_without_gvl(|| {
-                let outcome = work();
-                *result_clone.write() = outcome;
-            });
-
-            let ruby = Ruby::get().unwrap();
-            scheduler
-                .get_inner_with(&ruby)
-                .funcall::<_, _, Value>("unblock", (None::<String>, current_fiber))
-                .unwrap();
-        });
-
-        scheduler
-            .get_inner_with(ruby)
-            .funcall::<_, _, Value>("block", (None::<Value>, None::<u64>))?;
-
-        let result_opt = Arc::try_unwrap(result).unwrap().write().take();
-        Ok(result_opt)
-    }
-
     pub fn address_resolve(
-        ruby: &Ruby,
-        rself: &Self,
+        _ruby: &Ruby,
+        _rself: &Self,
         hostname: String,
     ) -> MagnusResult<Option<Vec<String>>> {
-        let result: Option<Vec<String>> = rself.run_blocking_in_thread(ruby, move || {
-            use std::net::ToSocketAddrs;
-            let addrs_res = (hostname.as_str(), 0).to_socket_addrs();
-            match addrs_res {
-                Ok(addrs) => {
-                    let ips: Vec<String> = addrs.map(|s| s.ip().to_string()).collect();
-                    Some(ips)
+        let result: Option<Vec<String>> = call_without_gvl(move || {
+            let hostname = CString::new(hostname).ok()?;
+            let hints = nix::libc::addrinfo {
+                ai_flags: 0,
+                ai_family: nix::libc::AF_UNSPEC,
+                ai_socktype: nix::libc::SOCK_STREAM,
+                ai_protocol: 0,
+                ai_addrlen: 0,
+                ai_addr: ptr::null_mut(),
+                ai_canonname: ptr::null_mut(),
+                ai_next: ptr::null_mut(),
+            };
+            let mut res: *mut nix::libc::addrinfo = ptr::null_mut();
+            let rc = unsafe {
+                nix::libc::getaddrinfo(hostname.as_ptr(), ptr::null(), &hints, &mut res)
+            };
+            if rc != 0 || res.is_null() {
+                return None;
+            }
+
+            let mut ips = Vec::new();
+            let mut current = res;
+            while !current.is_null() {
+                let ai = unsafe { &*current };
+                if !ai.ai_addr.is_null() {
+                    match ai.ai_family {
+                        nix::libc::AF_INET => {
+                            let addr = unsafe {
+                                &*(ai.ai_addr as *const nix::libc::sockaddr_in)
+                            };
+                            let ip = std::net::Ipv4Addr::from(u32::from_be(addr.sin_addr.s_addr));
+                            ips.push(ip.to_string());
+                        }
+                        nix::libc::AF_INET6 => {
+                            let addr = unsafe {
+                                &*(ai.ai_addr as *const nix::libc::sockaddr_in6)
+                            };
+                            let ip = std::net::Ipv6Addr::from(addr.sin6_addr.s6_addr);
+                            ips.push(ip.to_string());
+                        }
+                        _ => {}
+                    }
                 }
-                Err(_) => None,
+                current = ai.ai_next;
             }
-        })?;
+
+            unsafe {
+                nix::libc::freeaddrinfo(res);
+            }
+
+            if ips.is_empty() {
+                None
+            } else {
+                ips.sort();
+                ips.dedup();
+                Some(ips)
+            }
+        });
         Ok(result)
     }
 

data/ext/itsi_scheduler/src/lib.rs

@@ -20,8 +20,9 @@ fn init(ruby: &Ruby) -> Result<(), Error> {
     scheduler.define_method("warn", method!(ItsiScheduler::warn, 1))?;
     scheduler.define_method("start_timer", method!(ItsiScheduler::start_timer, 2))?;
     scheduler.define_method("clear_timer", method!(ItsiScheduler::clear_timer, 1))?;
+    scheduler.define_method("cancel_wait", method!(ItsiScheduler::cancel_wait, 1))?;
     scheduler.define_method(
-        "address_resolve",
+        "native_address_resolve",
         method!(ItsiScheduler::address_resolve, 1),
     )?;
     scheduler.define_method("has_pending_io?", method!(ItsiScheduler::has_pending_io, 0))?;

data/ext/itsi_server/Cargo.lock

@@ -984,7 +984,7 @@ checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
 
 [[package]]
 name = "itsi-scheduler"
-version = "0.1.0"
+version = "0.2.23"
 dependencies = [
  "bytes",
  "derive_more",
@@ -1002,7 +1002,7 @@ dependencies = [
 
 [[package]]
 name = "itsi-server"
-version = "0.1.0"
+version = "0.2.23"
 dependencies = [
  "async-channel",
  "async-trait",

data/ext/itsi_server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-server"
-version = "0.2.26"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"
@@ -70,6 +70,7 @@ redis = { version = "0.29.2", features = [
 ] }
 rustls = "0.23.23"
 rustls-pemfile = "2.2.0"
+webpki-roots = "0.26"
 serde = "1.0.219"
 serde_json = "1.0.140"
 serde_magnus = "0.11.0"

data/ext/itsi_server/src/lib.rs

@@ -41,6 +41,20 @@ fn init(ruby: &Ruby) -> Result<()> {
     server.define_singleton_method("reset_signal_handlers", function!(reset_signal_handlers, 0))?;
     server.define_method("start", method!(ItsiServer::start, 0))?;
     server.define_method("stop", method!(ItsiServer::stop, 0))?;
+    server.define_method("tls_bindings", method!(ItsiServer::tls_bindings, 0))?;
+    server.define_method("tls_domains", method!(ItsiServer::tls_domains, 1))?;
+    server.define_method(
+        "tls_domain_statuses",
+        method!(ItsiServer::tls_domain_statuses, 1),
+    )?;
+    server.define_method(
+        "register_tls_domain",
+        method!(ItsiServer::register_tls_domain, 2),
+    )?;
+    server.define_method(
+        "unregister_tls_domain",
+        method!(ItsiServer::unregister_tls_domain, 2),
+    )?;
 
     let request = ruby.get_inner(&ITSI_REQUEST);
     request.define_method("path", method!(ItsiHttpRequest::path, 0))?;
@@ -94,6 +108,7 @@ fn init(ruby: &Ruby) -> Result<()> {
     response.define_method("<<", method!(ItsiHttpResponse::send_frame, 1))?;
     response.define_method("write", method!(ItsiHttpResponse::send_frame, 1))?;
     response.define_method("read", method!(ItsiHttpResponse::recv_frame, 0))?;
+    response.define_method("partial_hijack", method!(ItsiHttpResponse::partial_hijack, 1))?;
     response.define_method("closed?", method!(ItsiHttpResponse::is_closed, 0))?;
     response.define_method(
         "send_and_close",

data/ext/itsi_server/src/ruby_types/itsi_grpc_call.rs

@@ -11,7 +11,6 @@ use http::{request::Parts, Response, StatusCode};
 use http_body_util::BodyExt;
 use itsi_error::CLIENT_CONNECTION_CLOSED;
 use itsi_rb_helpers::{print_rb_backtrace, HeapValue};
-use itsi_tracing::debug;
 use magnus::{
     block::Proc,
     error::{ErrorType, Result as MagnusResult},

data/ext/itsi_server/src/ruby_types/itsi_http_request.rs

@@ -211,6 +211,15 @@ impl ItsiHttpRequest {
                                 }
                             }
                         }
+                        Ok(ResponseFrame::PartialHijackedResponse(response)) => {
+                            match response.process_partial_hijacked_response().await {
+                                Ok(result) => Ok(result),
+                                Err(e) => {
+                                    error!("Error processing partial hijacked response: {}", e);
+                                    Ok(Response::new(HttpBody::empty()))
+                                }
+                            }
+                        }
                         Err(_) => {
                             error!("Failed to receive response from receiver");
                             Ok(INTERNAL_SERVER_ERROR_RESPONSE

data/ext/itsi_server/src/ruby_types/itsi_http_response.rs

@@ -23,10 +23,12 @@ use parking_lot::RwLock;
 use std::{
     collections::HashMap,
     io,
+    io::Read,
     ops::Deref,
     os::{fd::FromRawFd, unix::net::UnixStream},
     str::FromStr,
     sync::Arc,
+    thread,
     time::Duration,
 };
 use tokio::{
@@ -56,6 +58,7 @@ pub struct ResponseInner {
     pub frame_writer: RwLock<Option<Sender<Bytes>>>,
     pub response: RwLock<Option<HttpResponse>>,
     pub hijacked_socket: RwLock<Option<UnixStream>>,
+    pub partial_hijacked_socket: RwLock<Option<UnixStream>>,
     pub response_sender: RwLock<Option<OneshotSender<ResponseFrame>>>,
     pub shutdown_rx: watch::Receiver<RunningPhase>,
     pub parts: Arc<Parts>,
@@ -65,9 +68,21 @@ pub struct ResponseInner {
 pub enum ResponseFrame {
     HttpResponse(Box<HttpResponse>),
     HijackedResponse(ItsiHttpResponse),
+    PartialHijackedResponse(ItsiHttpResponse),
 }
 
 impl ItsiHttpResponse {
+    fn is_expected_bridge_shutdown(err: &io::Error) -> bool {
+        matches!(
+            err.kind(),
+            io::ErrorKind::BrokenPipe
+                | io::ErrorKind::ConnectionAborted
+                | io::ErrorKind::ConnectionReset
+                | io::ErrorKind::NotConnected
+                | io::ErrorKind::UnexpectedEof
+        )
+    }
+
     pub fn new(
         parts: Arc<Parts>,
         response_sender: OneshotSender<ResponseFrame>,
@@ -81,6 +96,7 @@ impl ItsiHttpResponse {
                 frame_writer: RwLock::new(None),
                 response: RwLock::new(Some(Response::new(HttpBody::empty()))),
                 hijacked_socket: RwLock::new(None),
+                partial_hijacked_socket: RwLock::new(None),
             }),
         }
     }
@@ -93,13 +109,17 @@ impl ItsiHttpResponse {
         let (mut cr, mut cw) = tokio::io::split(client_io);
 
         let to_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut cr, &mut lw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut cr, &mut lw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying upgraded->local: {:?}", err);
+                }
             }
         });
         let from_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut lr, &mut cw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut lr, &mut cw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying local->upgraded: {:?}", err);
+                }
             }
         });
 
@@ -219,6 +239,42 @@ impl ItsiHttpResponse {
         Ok(response)
     }
 
+    pub async fn process_partial_hijacked_response(&self) -> Result<HttpResponse> {
+        let stream =
+            self.partial_hijacked_socket
+                .write()
+                .take()
+                .ok_or(itsi_error::ItsiError::InvalidInput(
+                    "Couldn't partial hijack stream".to_owned(),
+                ))?;
+        let stream = TokioUnixStream::from_std(stream).map_err(|err| {
+            itsi_error::ItsiError::InvalidInput(format!(
+                "Couldn't prepare partial hijack stream: {:?}",
+                err
+            ))
+        })?;
+
+        let mut response = self.response.write().take().ok_or(
+            itsi_error::ItsiError::InvalidInput("Missing partial hijack response".to_owned()),
+        )?;
+        let parts = self.parts.clone();
+
+        tokio::spawn(async move {
+            let mut req = Request::from_parts((*parts).clone(), Empty::<Bytes>::new());
+            match hyper::upgrade::on(&mut req).await {
+                Ok(upgraded) => {
+                    if let Err(err) = Self::two_way_bridge(upgraded, stream).await {
+                        warn!("partial hijack bridge error: {:?}", err);
+                    }
+                }
+                Err(err) => warn!("partial hijack upgrade error: {:?}", err),
+            }
+        });
+
+        *response.body_mut() = HttpBody::empty();
+        Ok(response)
+    }
+
     pub fn internal_server_error(&self, message: String) {
         error!(message);
         self.close_write().ok();
@@ -304,6 +360,60 @@ impl ItsiHttpResponse {
         // not implemented
     }
 
+    pub fn partial_hijack(&self, fd: i32) -> MagnusResult<()> {
+        let mut stream = unsafe { UnixStream::from_raw_fd(fd) };
+        let status = self
+            .response
+            .read()
+            .as_ref()
+            .map(|response| response.status())
+            .unwrap_or(StatusCode::OK);
+
+        if status == StatusCode::SWITCHING_PROTOCOLS {
+            *self.partial_hijacked_socket.write() = Some(stream);
+            if let Some(sender) = self.response_sender.write().take() {
+                sender
+                    .send(ResponseFrame::PartialHijackedResponse(self.clone()))
+                    .ok();
+            }
+        } else if let Some(mut response) = self.response.write().take() {
+            let (writer, reader) = tokio::sync::mpsc::channel::<Bytes>(256);
+            let shutdown_rx = self.shutdown_rx.clone();
+            let frame_stream = FrameStream::new(reader, shutdown_rx);
+            let buffered =
+                BufferedStream::new(frame_stream, 32 * 1024, Duration::from_millis(10));
+            *response.body_mut() = HttpBody::stream(buffered);
+            self.frame_writer.write().replace(writer.clone());
+
+            thread::spawn(move || {
+                let mut buf = [0u8; 16 * 1024];
+                loop {
+                    match stream.read(&mut buf) {
+                        Ok(0) => break,
+                        Ok(n) => {
+                            if writer
+                                .blocking_send(Bytes::copy_from_slice(&buf[..n]))
+                                .is_err()
+                            {
+                                break;
+                            }
+                        }
+                        Err(err) if err.kind() == io::ErrorKind::Interrupted => continue,
+                        Err(_) => break,
+                    }
+                }
+            });
+
+            if let Some(sender) = self.response_sender.write().take() {
+                sender
+                    .send(ResponseFrame::HttpResponse(Box::new(response)))
+                    .ok();
+            }
+        }
+
+        Ok(())
+    }
+
     pub fn is_closed(&self) -> bool {
         self.response.read().is_none() && self.frame_writer.read().is_none()
     }

data/ext/itsi_server/src/ruby_types/itsi_server/itsi_server_config.rs

@@ -2,7 +2,7 @@ use super::file_watcher::{self, WatcherCommand};
 use crate::{
     ruby_types::ITSI_SERVER_CONFIG,
     server::{
-        binds::{bind::Bind, listener::Listener},
+        binds::{bind::Bind, listener::Listener, tls::DynamicAcmeManager},
         middleware_stack::MiddlewareSet,
     },
 };
@@ -81,6 +81,8 @@ pub struct ServerParams {
     pub binds: Vec<Bind>,
     #[debug(skip)]
     pub(crate) listeners: Mutex<Vec<Listener>>,
+    #[debug(skip)]
+    pub acme_managers: RwLock<Vec<(String, DynamicAcmeManager)>>,
     listener_info: Mutex<HashMap<String, i32>>,
     pub itsi_server_token_preference: ItsiServerTokenPreference,
     pub preloaded: AtomicBool,
@@ -348,6 +350,7 @@ impl ServerParams {
             preexisting_listeners,
             listener_info: Mutex::new(HashMap::new()),
             listeners: Mutex::new(Vec::new()),
+            acme_managers: RwLock::new(Vec::new()),
             middleware_loader: middleware_loader.into(),
             middleware: OnceLock::new(),
             preloaded: AtomicBool::new(false),
@@ -401,8 +404,26 @@ impl ServerParams {
             })
             .collect::<Result<HashMap<String, i32>>>()?;
 
+        let has_http_listener = listeners
+            .iter()
+            .any(|listener| matches!(listener, Listener::Tcp(_)));
+        let mut acme_managers = Vec::new();
+        for listener in &listeners {
+            match listener {
+                Listener::TcpTls((_, acceptor)) | Listener::UnixTls((_, acceptor)) => {
+                    acceptor.set_http01_enabled(has_http_listener);
+                    acceptor.initialize_domains();
+                    if let Some(manager) = acceptor.manager() {
+                        acme_managers.push((listener.handover()?.0, manager));
+                    }
+                }
+                Listener::Tcp(_) | Listener::Unix(_) => {}
+            }
+        }
+
         *self.listener_info.lock() = listener_info;
         *self.listeners.lock() = listeners;
+        *self.acme_managers.write() = acme_managers;
         Ok(())
     }
 }

data/ext/itsi_server/src/ruby_types/itsi_server.rs

@@ -8,6 +8,7 @@ use itsi_server_config::ItsiServerConfig;
 use itsi_tracing::{error, run_silently};
 use magnus::{block::Proc, error::Result, RHash, Ruby};
 use parking_lot::Mutex;
+use std::collections::HashMap;
 use std::{path::PathBuf, sync::Arc};
 use tracing::{info, instrument};
 mod file_watcher;
@@ -46,6 +47,105 @@ impl ItsiServer {
         Ok(())
     }
 
+    fn selected_acme_manager(
+        &self,
+        listener_id: Option<String>,
+    ) -> Result<crate::server::binds::tls::DynamicAcmeManager> {
+        let config = self.config()?;
+        let server_params = config.server_params.read();
+        if server_params.workers > 1 {
+            return Err(magnus::Error::new(
+                magnus::Ruby::get().unwrap().exception_runtime_error(),
+                "Dynamic TLS domain management currently only supports single-worker mode",
+            ));
+        }
+
+        let managers = server_params.acme_managers.read();
+        if managers.is_empty() {
+            return Err(magnus::Error::new(
+                magnus::Ruby::get().unwrap().exception_runtime_error(),
+                "No ACME-managed TLS bindings are configured",
+            ));
+        }
+
+        if let Some(listener_id) = listener_id {
+            managers
+                .iter()
+                .find(|(id, _)| id == &listener_id)
+                .map(|(_, manager)| manager.clone())
+                .ok_or_else(|| {
+                    magnus::Error::new(
+                        magnus::Ruby::get().unwrap().exception_runtime_error(),
+                        format!("Unknown ACME TLS binding: {}", listener_id),
+                    )
+                })
+        } else if managers.len() == 1 {
+            Ok(managers[0].1.clone())
+        } else {
+            Err(magnus::Error::new(
+                magnus::Ruby::get().unwrap().exception_runtime_error(),
+                "Multiple ACME TLS bindings are configured; specify a listener_id",
+            ))
+        }
+    }
+
+    pub fn tls_bindings(&self) -> Result<Vec<String>> {
+        let config = self.config()?;
+        let server_params = config.server_params.read();
+        let bindings = server_params
+            .acme_managers
+            .read()
+            .iter()
+            .map(|(listener_id, _)| listener_id.clone())
+            .collect();
+        Ok(bindings)
+    }
+
+    pub fn tls_domains(&self, listener_id: Option<String>) -> Result<Vec<String>> {
+        let manager = self.selected_acme_manager(listener_id)?;
+        Ok(manager
+            .statuses()
+            .into_iter()
+            .map(|status| status.domain)
+            .collect())
+    }
+
+    pub fn tls_domain_statuses(
+        &self,
+        listener_id: Option<String>,
+    ) -> Result<Vec<HashMap<String, String>>> {
+        let manager = self.selected_acme_manager(listener_id)?;
+        Ok(manager
+            .statuses()
+            .into_iter()
+            .map(|status| {
+                let mut out = HashMap::new();
+                out.insert("domain".to_string(), status.domain);
+                out.insert("status".to_string(), status.status);
+                if let Some(last_error) = status.last_error {
+                    out.insert("last_error".to_string(), last_error);
+                }
+                out
+            })
+            .collect())
+    }
+
+    pub fn register_tls_domain(&self, domain: String, listener_id: Option<String>) -> Result<()> {
+        let manager = self.selected_acme_manager(listener_id)?;
+        manager.register_domain(domain);
+        Ok(())
+    }
+
+    pub fn unregister_tls_domain(
+        &self,
+        domain: String,
+        listener_id: Option<String>,
+    ) -> Result<()> {
+        let manager = self.selected_acme_manager(listener_id)?;
+        manager.unregister_domain(&domain);
+        Ok(())
+    }
+
     fn config(&self) -> Result<Arc<ItsiServerConfig>> {
         self.config.lock().as_ref().cloned().ok_or_else(|| {
             magnus::Error::new(