itsi 0.1.6 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43c8c15592c8e8e749938e5c5c4b5e481ba3ea88d82bac63059a612e35bf2213
-  data.tar.gz: e57ab7eacc32f7a0ac702be2e15ac9a36d48aff27aaa3705f77c428df2acf0f8
+  metadata.gz: 88879d13925e0738ba948eb707096da6e8b039cb317ce0975333295550725c70
+  data.tar.gz: 0eaf0dc170f15efb83428313c7b2554f1e19fe8c9dc81a8c5c4d553a03b586cd
 SHA512:
-  metadata.gz: 1ea20d0e8d9d82cb4b095674192ead9837334c5472761cce1dc093d43d829c2d71ecb74d06a667f4c8274607791bd1cd1ad12f005bf1bc8a3fa5179499a61d8f
-  data.tar.gz: c1aa8a84ebd694f3f39d287fd67e320c69f89dd35315af3203e09259c500404825790e925abd8b9a6ee26d5a97638a1d7442a9bb369653398922a42a08742498
+  metadata.gz: e37c041ee042a7d7e69f4f577864e08890aa3bb9fe855c292fc95950c9fc682d5afa0e2e74fc4bd5fb9c5cb7f60733e6e5fcf250f205742c6caec32a23399c68
+  data.tar.gz: d7c9cdd9bcde2a58192798e601a8b5a3099a76b9e924d4b58e206c11a3f015b094a0d975f4f87fd5338e3cfd05f46cd3f4684f59fb140643be85e8452be84195

data/Cargo.lock

@@ -398,6 +398,27 @@ dependencies = [
  "unicode-xid",
 ]
 
+[[package]]
+name = "dirs"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3e8aa94d75141228480295a7d0e7feb620b1a5ad9f12bc40be62411e38cce4e"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e01a3366d27ee9890022452ee61b2b63a67e6f13f58900b651ff5665f0bb1fab"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -989,6 +1010,7 @@ dependencies = [
  "bytes",
  "crossbeam",
  "derive_more",
+ "dirs",
  "fs2",
  "futures",
  "http",
@@ -1106,6 +1128,16 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "libredox"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
+dependencies = [
+ "bitflags",
+ "libc",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.15"
@@ -1321,6 +1353,12 @@ version = "1.20.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e"
 
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
 [[package]]
 name = "overload"
 version = "0.1.1"
@@ -1608,6 +1646,17 @@ dependencies = [
  "bitflags",
 ]
 
+[[package]]
+name = "redox_users"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd6f9d3d47bdd2ad6945c5015a226ec6155d0bcdfd8f7cd29f86b71f8de99d2b"
+dependencies = [
+ "getrandom 0.2.15",
+ "libredox",
+ "thiserror 2.0.11",
+]
+
 [[package]]
 name = "regex"
 version = "1.11.1"

data/crates/itsi_error/src/lib.rs

@@ -3,7 +3,7 @@ use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, ItsiError>;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Clone)]
 pub enum ItsiError {
     #[error("Invalid input {0}")]
     InvalidInput(String),

data/crates/itsi_server/Cargo.toml

@@ -44,3 +44,4 @@ rustls = "0.23.23"
 fs2 = "0.4.3"
 ring = "0.17.14"
 async-trait = "0.1.87"
+dirs = "6.0.0"

data/crates/itsi_server/src/env.rs

@@ -0,0 +1,43 @@
+use std::{
+    env::{var, VarError},
+    path::PathBuf,
+    sync::LazyLock,
+};
+
+type StringVar = LazyLock<String>;
+type MaybeStringVar = LazyLock<Result<String, VarError>>;
+type PathVar = LazyLock<PathBuf>;
+
+/// ACME Configuration for auto-generating production certificates
+/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
+/// so that these are not regenerated every time the server starts
+pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
+});
+
+/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
+pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
+    LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
+
+/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
+pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
+
+/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
+pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_DIRECTORY_URL")
+        .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
+});
+
+/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
+pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
+    LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+
+pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
+    var("ITSI_LOCAL_CA_DIR")
+        .map(PathBuf::from)
+        .unwrap_or_else(|_| {
+            dirs::home_dir()
+                .expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
+                .join(".itsi")
+        })
+});

data/crates/itsi_server/src/lib.rs

@@ -6,6 +6,7 @@ use server::{itsi_server::Server, signal::reset_signal_handlers};
 use tracing::*;
 
 pub mod body_proxy;
+pub mod env;
 pub mod request;
 pub mod response;
 pub mod server;

data/crates/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -1,13 +1,14 @@
 use async_trait::async_trait;
 use fs2::FileExt;
 use parking_lot::Mutex;
-use std::env;
 use std::fs::{self, OpenOptions};
 use std::io::Error as IoError;
 use std::path::{Path, PathBuf};
 use tokio_rustls_acme::caches::DirCache;
 use tokio_rustls_acme::{AccountCache, CertCache};
 
+use crate::env::ITSI_ACME_LOCK_FILE_NAME;
+
 /// A wrapper around DirCache that locks a file before writing cert/account data.
 pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
     inner: DirCache<P>,
@@ -19,8 +20,7 @@ impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
     pub fn new(dir: P) -> Self {
         let dir_path = dir.as_ref().to_path_buf();
         std::fs::create_dir_all(&dir_path).unwrap();
-        let lock_path =
-            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
         Self::touch_file(&lock_path).expect("Failed to create lock file");
 
         Self {

data/crates/itsi_server/src/server/tls.rs

@@ -2,7 +2,9 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
     ClientConfig, RootCertStore,
@@ -10,16 +12,19 @@ use rustls::{
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -31,11 +36,12 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
@@ -44,17 +50,27 @@ pub fn configure_tls(
         .get("domains")
         .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "auto") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
 
-            let mut root_cert_store = RootCertStore::empty();
-            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
+                    itsi_error::ItsiError::ArgumentError(
+                      "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                          .to_string(),
+                  )
+                })?)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
                 let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
                 let mut ca_reader = BufReader::new(&ca_pem[..]);
                 let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
@@ -66,31 +82,23 @@ pub fn configure_tls(
                         ))
                     })?;
                 root_cert_store.add_parsable_certificates(der_certs);
-            }
 
-            let client_config = ClientConfig::builder()
-                .with_root_certificates(root_cert_store)
-                .with_no_client_auth();
-
-            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
-                itsi_error::ItsiError::ArgumentError(
-                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
-                        .to_string(),
-                )
-            })?;
-
-            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
-                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
-
-            let acme_state = AcmeConfig::new(domains)
-                .contact([format!("mailto:{}", contact_email)])
-                .cache(LockedDirCache::new(cache_dir))
-                .directory(directory_url)
-                .client_tls_config(Arc::new(client_config))
-                .state();
-            let rustls_config = ServerConfig::builder()
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -107,7 +115,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -179,9 +187,10 @@ pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -221,3 +230,29 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/gems/scheduler/ext/itsi_error/src/lib.rs

@@ -3,7 +3,7 @@ use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, ItsiError>;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Clone)]
 pub enum ItsiError {
     #[error("Invalid input {0}")]
     InvalidInput(String),

data/gems/scheduler/ext/itsi_server/Cargo.toml

@@ -44,3 +44,4 @@ rustls = "0.23.23"
 fs2 = "0.4.3"
 ring = "0.17.14"
 async-trait = "0.1.87"
+dirs = "6.0.0"

data/gems/scheduler/ext/itsi_server/src/env.rs

@@ -0,0 +1,43 @@
+use std::{
+    env::{var, VarError},
+    path::PathBuf,
+    sync::LazyLock,
+};
+
+type StringVar = LazyLock<String>;
+type MaybeStringVar = LazyLock<Result<String, VarError>>;
+type PathVar = LazyLock<PathBuf>;
+
+/// ACME Configuration for auto-generating production certificates
+/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
+/// so that these are not regenerated every time the server starts
+pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
+});
+
+/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
+pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
+    LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
+
+/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
+pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
+
+/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
+pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_DIRECTORY_URL")
+        .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
+});
+
+/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
+pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
+    LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+
+pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
+    var("ITSI_LOCAL_CA_DIR")
+        .map(PathBuf::from)
+        .unwrap_or_else(|_| {
+            dirs::home_dir()
+                .expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
+                .join(".itsi")
+        })
+});

data/gems/scheduler/ext/itsi_server/src/lib.rs

@@ -6,6 +6,7 @@ use server::{itsi_server::Server, signal::reset_signal_handlers};
 use tracing::*;
 
 pub mod body_proxy;
+pub mod env;
 pub mod request;
 pub mod response;
 pub mod server;

data/gems/scheduler/ext/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -1,13 +1,14 @@
 use async_trait::async_trait;
 use fs2::FileExt;
 use parking_lot::Mutex;
-use std::env;
 use std::fs::{self, OpenOptions};
 use std::io::Error as IoError;
 use std::path::{Path, PathBuf};
 use tokio_rustls_acme::caches::DirCache;
 use tokio_rustls_acme::{AccountCache, CertCache};
 
+use crate::env::ITSI_ACME_LOCK_FILE_NAME;
+
 /// A wrapper around DirCache that locks a file before writing cert/account data.
 pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
     inner: DirCache<P>,
@@ -19,8 +20,7 @@ impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
     pub fn new(dir: P) -> Self {
         let dir_path = dir.as_ref().to_path_buf();
         std::fs::create_dir_all(&dir_path).unwrap();
-        let lock_path =
-            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
         Self::touch_file(&lock_path).expect("Failed to create lock file");
 
         Self {

data/gems/scheduler/ext/itsi_server/src/server/tls.rs

@@ -2,7 +2,9 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
     ClientConfig, RootCertStore,
@@ -10,16 +12,19 @@ use rustls::{
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -31,11 +36,12 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
@@ -44,17 +50,27 @@ pub fn configure_tls(
         .get("domains")
         .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "auto") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
 
-            let mut root_cert_store = RootCertStore::empty();
-            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
+                    itsi_error::ItsiError::ArgumentError(
+                      "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                          .to_string(),
+                  )
+                })?)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
                 let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
                 let mut ca_reader = BufReader::new(&ca_pem[..]);
                 let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
@@ -66,31 +82,23 @@ pub fn configure_tls(
                         ))
                     })?;
                 root_cert_store.add_parsable_certificates(der_certs);
-            }
 
-            let client_config = ClientConfig::builder()
-                .with_root_certificates(root_cert_store)
-                .with_no_client_auth();
-
-            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
-                itsi_error::ItsiError::ArgumentError(
-                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
-                        .to_string(),
-                )
-            })?;
-
-            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
-                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
-
-            let acme_state = AcmeConfig::new(domains)
-                .contact([format!("mailto:{}", contact_email)])
-                .cache(LockedDirCache::new(cache_dir))
-                .directory(directory_url)
-                .client_tls_config(Arc::new(client_config))
-                .state();
-            let rustls_config = ServerConfig::builder()
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -107,7 +115,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -179,9 +187,10 @@ pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -221,3 +230,29 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/gems/scheduler/lib/itsi/scheduler/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Scheduler
-    VERSION = "0.1.6"
+    VERSION = "0.1.7"
   end
 end

data/gems/server/ext/itsi_error/src/lib.rs

@@ -3,7 +3,7 @@ use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, ItsiError>;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Clone)]
 pub enum ItsiError {
     #[error("Invalid input {0}")]
     InvalidInput(String),

data/gems/server/ext/itsi_server/Cargo.toml

@@ -44,3 +44,4 @@ rustls = "0.23.23"
 fs2 = "0.4.3"
 ring = "0.17.14"
 async-trait = "0.1.87"
+dirs = "6.0.0"

data/gems/server/ext/itsi_server/src/env.rs

@@ -0,0 +1,43 @@
+use std::{
+    env::{var, VarError},
+    path::PathBuf,
+    sync::LazyLock,
+};
+
+type StringVar = LazyLock<String>;
+type MaybeStringVar = LazyLock<Result<String, VarError>>;
+type PathVar = LazyLock<PathBuf>;
+
+/// ACME Configuration for auto-generating production certificates
+/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
+/// so that these are not regenerated every time the server starts
+pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
+});
+
+/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
+pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
+    LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
+
+/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
+pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
+
+/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
+pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_DIRECTORY_URL")
+        .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
+});
+
+/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
+pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
+    LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+
+pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
+    var("ITSI_LOCAL_CA_DIR")
+        .map(PathBuf::from)
+        .unwrap_or_else(|_| {
+            dirs::home_dir()
+                .expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
+                .join(".itsi")
+        })
+});

data/gems/server/ext/itsi_server/src/lib.rs

@@ -6,6 +6,7 @@ use server::{itsi_server::Server, signal::reset_signal_handlers};
 use tracing::*;
 
 pub mod body_proxy;
+pub mod env;
 pub mod request;
 pub mod response;
 pub mod server;

data/gems/server/ext/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -1,13 +1,14 @@
 use async_trait::async_trait;
 use fs2::FileExt;
 use parking_lot::Mutex;
-use std::env;
 use std::fs::{self, OpenOptions};
 use std::io::Error as IoError;
 use std::path::{Path, PathBuf};
 use tokio_rustls_acme::caches::DirCache;
 use tokio_rustls_acme::{AccountCache, CertCache};
 
+use crate::env::ITSI_ACME_LOCK_FILE_NAME;
+
 /// A wrapper around DirCache that locks a file before writing cert/account data.
 pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
     inner: DirCache<P>,
@@ -19,8 +20,7 @@ impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
     pub fn new(dir: P) -> Self {
         let dir_path = dir.as_ref().to_path_buf();
         std::fs::create_dir_all(&dir_path).unwrap();
-        let lock_path =
-            dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+        let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
         Self::touch_file(&lock_path).expect("Failed to create lock file");
 
         Self {

data/gems/server/ext/itsi_server/src/server/tls.rs

@@ -2,7 +2,9 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
     ClientConfig, RootCertStore,
@@ -10,16 +12,19 @@ use rustls::{
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -31,11 +36,12 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
@@ -44,17 +50,27 @@ pub fn configure_tls(
         .get("domains")
         .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "auto") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
 
-            let mut root_cert_store = RootCertStore::empty();
-            if let Ok(ca_pem_path) = env::var("ITSI_ACME_CA_PEM_PATH") {
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
+                    itsi_error::ItsiError::ArgumentError(
+                      "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                          .to_string(),
+                  )
+                })?)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
                 let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
                 let mut ca_reader = BufReader::new(&ca_pem[..]);
                 let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
@@ -66,31 +82,23 @@ pub fn configure_tls(
                         ))
                     })?;
                 root_cert_store.add_parsable_certificates(der_certs);
-            }
 
-            let client_config = ClientConfig::builder()
-                .with_root_certificates(root_cert_store)
-                .with_no_client_auth();
-
-            let contact_email = env::var("ITSI_ACME_CONTACT_EMAIL").map_err(|_| {
-                itsi_error::ItsiError::ArgumentError(
-                    "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
-                        .to_string(),
-                )
-            })?;
-
-            let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
-                .unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
-
-            let acme_state = AcmeConfig::new(domains)
-                .contact([format!("mailto:{}", contact_email)])
-                .cache(LockedDirCache::new(cache_dir))
-                .directory(directory_url)
-                .client_tls_config(Arc::new(client_config))
-                .state();
-            let rustls_config = ServerConfig::builder()
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -107,7 +115,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -179,9 +187,10 @@ pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -221,3 +230,29 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/gems/server/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.1.6"
+    VERSION = "0.1.7"
   end
 end

data/lib/itsi/version.rb

@@ -1,3 +1,3 @@
 module Itsi
-  VERSION = "0.1.6"
+  VERSION = "0.1.7"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: itsi
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Wouter Coppieters
 bindir: exe
 cert_chain: []
-date: 2025-03-14 00:00:00.000000000 Z
+date: 2025-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: itsi-server
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.6
+        version: 0.1.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.6
+        version: 0.1.7
 - !ruby/object:Gem::Dependency
   name: itsi-scheduler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.6
+        version: 0.1.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.6
+        version: 0.1.7
 description: Wrapper Gem for both the Itsi server and it's Fiber scheduler
 email:
 - wc@pico.net.nz
@@ -70,6 +70,7 @@ files:
 - crates/itsi_server/src/body_proxy/big_bytes.rs
 - crates/itsi_server/src/body_proxy/itsi_body_proxy.rs
 - crates/itsi_server/src/body_proxy/mod.rs
+- crates/itsi_server/src/env.rs
 - crates/itsi_server/src/lib.rs
 - crates/itsi_server/src/request/itsi_request.rs
 - crates/itsi_server/src/request/mod.rs
@@ -78,8 +79,6 @@ files:
 - crates/itsi_server/src/server/bind.rs
 - crates/itsi_server/src/server/bind_protocol.rs
 - crates/itsi_server/src/server/io_stream.rs
-- crates/itsi_server/src/server/itsi_ca/itsi_ca.crt
-- crates/itsi_server/src/server/itsi_ca/itsi_ca.key
 - crates/itsi_server/src/server/itsi_server.rs
 - crates/itsi_server/src/server/lifecycle_event.rs
 - crates/itsi_server/src/server/listener.rs
@@ -128,6 +127,7 @@ files:
 - gems/scheduler/ext/itsi_server/src/body_proxy/big_bytes.rs
 - gems/scheduler/ext/itsi_server/src/body_proxy/itsi_body_proxy.rs
 - gems/scheduler/ext/itsi_server/src/body_proxy/mod.rs
+- gems/scheduler/ext/itsi_server/src/env.rs
 - gems/scheduler/ext/itsi_server/src/lib.rs
 - gems/scheduler/ext/itsi_server/src/request/itsi_request.rs
 - gems/scheduler/ext/itsi_server/src/request/mod.rs
@@ -136,8 +136,6 @@ files:
 - gems/scheduler/ext/itsi_server/src/server/bind.rs
 - gems/scheduler/ext/itsi_server/src/server/bind_protocol.rs
 - gems/scheduler/ext/itsi_server/src/server/io_stream.rs
-- gems/scheduler/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt
-- gems/scheduler/ext/itsi_server/src/server/itsi_ca/itsi_ca.key
 - gems/scheduler/ext/itsi_server/src/server/itsi_server.rs
 - gems/scheduler/ext/itsi_server/src/server/lifecycle_event.rs
 - gems/scheduler/ext/itsi_server/src/server/listener.rs
@@ -199,6 +197,7 @@ files:
 - gems/server/ext/itsi_server/src/body_proxy/big_bytes.rs
 - gems/server/ext/itsi_server/src/body_proxy/itsi_body_proxy.rs
 - gems/server/ext/itsi_server/src/body_proxy/mod.rs
+- gems/server/ext/itsi_server/src/env.rs
 - gems/server/ext/itsi_server/src/lib.rs
 - gems/server/ext/itsi_server/src/request/itsi_request.rs
 - gems/server/ext/itsi_server/src/request/mod.rs
@@ -207,8 +206,6 @@ files:
 - gems/server/ext/itsi_server/src/server/bind.rs
 - gems/server/ext/itsi_server/src/server/bind_protocol.rs
 - gems/server/ext/itsi_server/src/server/io_stream.rs
-- gems/server/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt
-- gems/server/ext/itsi_server/src/server/itsi_ca/itsi_ca.key
 - gems/server/ext/itsi_server/src/server/itsi_server.rs
 - gems/server/ext/itsi_server/src/server/lifecycle_event.rs
 - gems/server/ext/itsi_server/src/server/listener.rs

data/crates/itsi_server/src/server/itsi_ca/itsi_ca.crt

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB9TCCAZugAwIBAgIUMpQtAScU2Ow9c1Xy/0b/kS/BuwcwCgYIKoZIzj0EAwIw
-UDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kxEDAO
-BgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDMwMzIwMjg1
-N1oXDTM1MDMwMTIwMjg1N1owUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kx
-DTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2ku
-ZnlpMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGdC9Vi1r7ARvqSkPXkAgiV5
-gn2MMTeEafagrWT7G1onSh/G+Qstxl61kfFNLOTiy6NSgAtKG+gfveCTo0Pcz6NT
-MFEwHQYDVR0OBBYEFN7zzDodmiK2VAzLDydDvb6Er+U+MB8GA1UdIwQYMBaAFN7z
-zDodmiK2VAzLDydDvb6Er+U+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
-SAAwRQIhAP8q3PiwqTwCbRvYvvetxH39mAce1mfQMosb33ns228VAiBXdb+p9s0o
-5ug5g9/MTvrIPI7GgolXCWZunkouy0LSrw==
------END CERTIFICATE-----

data/crates/itsi_server/src/server/itsi_ca/itsi_ca.key

@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgC7WOxDmO7pBvDvYn
-YI8+z2/2c0ChxBsuJkQq/dXi1RyhRANCAASoZ0L1WLWvsBG+pKQ9eQCCJXmCfYwx
-N4Rp9qCtZPsbWidKH8b5Cy3GXrWR8U0s5OLLo1KAC0ob6B+94JOjQ9zP
------END PRIVATE KEY-----

data/gems/scheduler/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB9TCCAZugAwIBAgIUMpQtAScU2Ow9c1Xy/0b/kS/BuwcwCgYIKoZIzj0EAwIw
-UDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kxEDAO
-BgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDMwMzIwMjg1
-N1oXDTM1MDMwMTIwMjg1N1owUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kx
-DTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2ku
-ZnlpMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGdC9Vi1r7ARvqSkPXkAgiV5
-gn2MMTeEafagrWT7G1onSh/G+Qstxl61kfFNLOTiy6NSgAtKG+gfveCTo0Pcz6NT
-MFEwHQYDVR0OBBYEFN7zzDodmiK2VAzLDydDvb6Er+U+MB8GA1UdIwQYMBaAFN7z
-zDodmiK2VAzLDydDvb6Er+U+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
-SAAwRQIhAP8q3PiwqTwCbRvYvvetxH39mAce1mfQMosb33ns228VAiBXdb+p9s0o
-5ug5g9/MTvrIPI7GgolXCWZunkouy0LSrw==
------END CERTIFICATE-----

data/gems/scheduler/ext/itsi_server/src/server/itsi_ca/itsi_ca.key

@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgC7WOxDmO7pBvDvYn
-YI8+z2/2c0ChxBsuJkQq/dXi1RyhRANCAASoZ0L1WLWvsBG+pKQ9eQCCJXmCfYwx
-N4Rp9qCtZPsbWidKH8b5Cy3GXrWR8U0s5OLLo1KAC0ob6B+94JOjQ9zP
------END PRIVATE KEY-----

data/gems/server/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB9TCCAZugAwIBAgIUMpQtAScU2Ow9c1Xy/0b/kS/BuwcwCgYIKoZIzj0EAwIw
-UDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kxEDAO
-BgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDMwMzIwMjg1
-N1oXDTM1MDMwMTIwMjg1N1owUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kx
-DTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2ku
-ZnlpMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGdC9Vi1r7ARvqSkPXkAgiV5
-gn2MMTeEafagrWT7G1onSh/G+Qstxl61kfFNLOTiy6NSgAtKG+gfveCTo0Pcz6NT
-MFEwHQYDVR0OBBYEFN7zzDodmiK2VAzLDydDvb6Er+U+MB8GA1UdIwQYMBaAFN7z
-zDodmiK2VAzLDydDvb6Er+U+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
-SAAwRQIhAP8q3PiwqTwCbRvYvvetxH39mAce1mfQMosb33ns228VAiBXdb+p9s0o
-5ug5g9/MTvrIPI7GgolXCWZunkouy0LSrw==
------END CERTIFICATE-----

data/gems/server/ext/itsi_server/src/server/itsi_ca/itsi_ca.key

@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgC7WOxDmO7pBvDvYn
-YI8+z2/2c0ChxBsuJkQq/dXi1RyhRANCAASoZ0L1WLWvsBG+pKQ9eQCCJXmCfYwx
-N4Rp9qCtZPsbWidKH8b5Cy3GXrWR8U0s5OLLo1KAC0ob6B+94JOjQ9zP
------END PRIVATE KEY-----