itsi 0.2.27.rc1 → 0.2.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ea9fdbfbdd35894f2c5977d2624a4b90cb9467b3133d055d5ae87d1b267d5ff
-  data.tar.gz: ad82474c56c170163d2fcc7e75c6e2351fbc61348e3fd8e60697acda4ffbe65a
+  metadata.gz: 96078f9c8cc05b5683900c02d3a662a7d0b2253ed2292f8aafcda8915bb823ae
+  data.tar.gz: 860a06e7fbb91b0d5f38a4cf8d18165e0ae4194fa159bfa551a203ab40cc8a76
 SHA512:
-  metadata.gz: 47615c9e033b2119fe5a1c5780ed9acb4731500667fdc42f75df7a9768f0f4feda2d6e80f04ff85a1a938e8832934704b20d81cea48b7d96a87406bae22511e4
-  data.tar.gz: 33ccb5b47c880ab500dc0551fbb853a8e19a5afd95cd3c8a5e4fc64b3895a602a68e8aaaeaa3b1133ad4bf56e968a4821efc71798b2c46b8d62705a790de78cd
+  metadata.gz: 72598619d4fea4bcb177dcb4cb16ec04a31388d066e33cf61fefcb1cdeccd0efde3ef97bd23392065d59ff30912f551c015fb70da67560c6a5ed073c549ca6d8
+  data.tar.gz: 42b120ce03f36f81d89814243ccfe6cd634a1202df6563d9da2a87529548a191e03156144267ddd9e0aba25f17918db936f5a7dd9d8e03e60a602c78d8aea103

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [0.2.27] - 2026-06-18
+- Add `HTTP-01` ACME validation support alongside `TLS-ALPN-01`, including fallback-friendly deployments behind proxies and CDNs when an HTTP listener is reachable.
+- Add runtime TLS domain registration APIs so Ruby code can enroll and remove ACME-managed domains without restarting Itsi.
+- Expand ACME coverage with Pebble-backed end-to-end tests for direct issuance, HTTP fallback, and dynamic runtime issuance flows.
+- Tighten scheduler compatibility around real Ruby fiber-scheduler hooks including DNS resolution, sleeps/timeouts, nested scheduling, and process waiting.
+- Refresh release documentation for native gem packaging, ACME behavior, and local ACME testing.
+
 ## [0.2.26] - 2026-05-13
 - Restore synchronized release source after the unsynchronized `0.2.24` / `0.2.25` pushes.
 - Restore the multi-platform native gem packaging workflow so the next release can ship prebuilt binaries again.

data/README.md

@@ -29,12 +29,15 @@ Make sure you have Ruby installed! If not, look here:
 ### 2. Itsi
 
 > On Linux?
-You'll need at least `build-essential` and `libclang-dev` installed to build Itsi on Linux.
+You'll need at least `build-essential` and `libclang-dev` installed to build Itsi on Linux if RubyGems falls back to a source build.
   E.g.
   ```bash
   apt-get install build-essential libclang-dev
   ```
 
+> Precompiled native gems are published for common macOS and Linux targets on x86_64 and ARM64.
+> On those platforms most installs can skip the local Rust toolchain entirely, while source gems remain available as a fallback.
+
 Then, install Itsi using `gem`:
   ```bash
   gem install itsi

data/crates/itsi_scheduler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-scheduler"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/crates/itsi_server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-server"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/crates/itsi_server/src/ruby_types/itsi_grpc_call.rs

@@ -11,7 +11,6 @@ use http::{request::Parts, Response, StatusCode};
 use http_body_util::BodyExt;
 use itsi_error::CLIENT_CONNECTION_CLOSED;
 use itsi_rb_helpers::{print_rb_backtrace, HeapValue};
-use itsi_tracing::debug;
 use magnus::{
     block::Proc,
     error::{ErrorType, Result as MagnusResult},

data/crates/itsi_server/src/ruby_types/itsi_http_response.rs

@@ -72,6 +72,17 @@ pub enum ResponseFrame {
 }
 
 impl ItsiHttpResponse {
+    fn is_expected_bridge_shutdown(err: &io::Error) -> bool {
+        matches!(
+            err.kind(),
+            io::ErrorKind::BrokenPipe
+                | io::ErrorKind::ConnectionAborted
+                | io::ErrorKind::ConnectionReset
+                | io::ErrorKind::NotConnected
+                | io::ErrorKind::UnexpectedEof
+        )
+    }
+
     pub fn new(
         parts: Arc<Parts>,
         response_sender: OneshotSender<ResponseFrame>,
@@ -98,13 +109,17 @@ impl ItsiHttpResponse {
         let (mut cr, mut cw) = tokio::io::split(client_io);
 
         let to_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut cr, &mut lw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut cr, &mut lw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying upgraded->local: {:?}", err);
+                }
             }
         });
         let from_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut lr, &mut cw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut lr, &mut cw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying local->upgraded: {:?}", err);
+                }
             }
         });
 

data/crates/itsi_server/src/server/signal.rs

@@ -63,7 +63,7 @@ pub fn send_lifecycle_event(event: LifecycleEvent) {
     }
 }
 
-fn receive_signal(signum: i32, _: sighandler_t) {
+extern "C" fn receive_signal(signum: i32) {
     debug!("Received signal: {}", signum);
     SIGINT_COUNT.fetch_add(-1, Ordering::SeqCst);
     let event = match signum {
@@ -96,20 +96,25 @@ fn receive_signal(signum: i32, _: sighandler_t) {
     }
 }
 
+fn signal_handler() -> sighandler_t {
+    receive_signal as *const () as sighandler_t
+}
+
 pub fn reset_signal_handlers() -> bool {
     debug!("Resetting signal handlers");
     SIGINT_COUNT.store(0, Ordering::SeqCst);
     SHUTDOWN_REQUESTED.store(false, Ordering::SeqCst);
 
     unsafe {
-        libc::signal(libc::SIGTERM, receive_signal as usize);
-        libc::signal(libc::SIGINT, receive_signal as usize);
-        libc::signal(libc::SIGUSR2, receive_signal as usize);
-        libc::signal(libc::SIGUSR1, receive_signal as usize);
-        libc::signal(libc::SIGHUP, receive_signal as usize);
-        libc::signal(libc::SIGTTIN, receive_signal as usize);
-        libc::signal(libc::SIGTTOU, receive_signal as usize);
-        libc::signal(libc::SIGCHLD, receive_signal as usize);
+        let handler = signal_handler();
+        libc::signal(libc::SIGTERM, handler);
+        libc::signal(libc::SIGINT, handler);
+        libc::signal(libc::SIGUSR2, handler);
+        libc::signal(libc::SIGUSR1, handler);
+        libc::signal(libc::SIGHUP, handler);
+        libc::signal(libc::SIGTTIN, handler);
+        libc::signal(libc::SIGTTOU, handler);
+        libc::signal(libc::SIGCHLD, handler);
     }
     true
 }

data/docs/content/features/_index.md

@@ -145,6 +145,8 @@ Itsi also comes bundled with a passfile generator, to help you manage your passw
 * Automated provisioning of Let's Encrypt certificates.
 * File system caching of certificate data to avoid excessive API calls.
 * Supports usage of subject alternative names (SANs) for certificates that span multiple domains/sub-domains.
+* Supports direct `TLS-ALPN-01` validation and `HTTP-01` validation when a reachable HTTP listener is available.
+* Supports runtime domain registration for live certificate issuance without restarting the server.
 * See <a target="_blank" href="/options/certificates#production-certificates-lets-encrypt">certificates</a>.
 {{% /details %}}
 
@@ -225,6 +227,7 @@ Note: This is not the same as <a target="_blank" href="https://grpc.io/blog/grpc
 {{% details title="Non-blocking(Fiber Scheduler) Mode" closed="true" %}}
 * Support for Ruby’s fiber scheduler for non-blocking concurrency, boosting performance during I/O operations.
 * Use Itsi's own high-performance built-in <a target="_blank" href="/itsi_scheduler">Fiber Scheduler</a> or if your prefer you can bring your own!
+* Current native gems are built and tested across common Linux and macOS x86_64 and ARM64 targets.
 * See <a target="_blank" href="/options/fiber_scheduler">fiber_scheduler</a>.
 {{% /details %}}
 

data/docs/content/getting_started/_index.md

@@ -20,7 +20,8 @@ Install Ruby
   **Prerequisites**
 
 
-You'll need at least a C/C++ build environment and `clang` and `curl` (for running `rustup`) installed.
+Most Linux installs on common x86_64 and ARM64 targets can use the precompiled native gems directly.
+If RubyGems falls back to the source gems, you'll need a C/C++ build environment plus `clang` and `curl` (for running `rustup`).
 
 #### For Ubuntu / Debian:
 ```bash
@@ -63,6 +64,9 @@ Then use `gem` to install Itsi, or its components based on your Ruby version.
   {{< /tab >}}
   {{< tab >}}
   **Mac**:
+  Most macOS installs on Apple Silicon and Intel Macs can use the precompiled native gems directly.
+  If RubyGems falls back to the source gems, install Xcode Command Line Tools first.
+
   **For Ruby >= 3.0**:
 ```bash
     gem install itsi
@@ -88,7 +92,7 @@ Then use `gem` to install Itsi, or its components based on your Ruby version.
   {{< tab >}}
   **FreeBSD**
 
-On FreeBSD you'll need to install a few build tools manually:
+FreeBSD currently relies on source builds, so you'll need to install a few build tools manually:
 ```bash
   pkg install gmake cmake curl llvm
 ```

data/docs/content/getting_started/local_development.md

@@ -75,6 +75,19 @@ Itsi will print informative error message if config validation fails. E.g.
      |   ^^^
 ```
 
+## Local ACME Testing
+Itsi includes end-to-end ACME tests that exercise both `TLS-ALPN-01` and `HTTP-01` flows against a local [Pebble](https://github.com/letsencrypt/pebble) certificate authority.
+
+The test helper installs Pebble on demand using the Go toolchain, so the only prerequisite is a working `go` binary on your `PATH`.
+
+Once Go is available, the local ACME tests can be run as part of the normal server suite:
+
+```bash
+rake server:test
+```
+
+If Go is not installed, those specific ACME integration tests will be skipped rather than failing the whole suite.
+
 ## Shell Completions
 Itsi can also help you install shell completions, which are useful if you find yourself using the `itsi` executable a lot and forgetting the commands.
 Add the following line to the bottom of your ~/.bashrc or ~/.zshrc file:

data/docs/content/itsi_scheduler/_index.md

@@ -16,6 +16,9 @@ When combined with Itsi Server, you can write endpoints that look just like regu
 If you're purely after a lightweight, yet efficient Ruby scheduler,
 you can use Itsi Scheduler as a standalone scheduler for any Ruby application.
 
+The current release line is packaged as precompiled native gems for common macOS and Linux x86_64 and ARM64 targets, with source builds still available as a fallback.
+Recent scheduler work has also tightened compatibility around the Ruby scheduler hooks that matter in practice: network I/O, DNS resolution, sleep/timeouts, nested scheduling, and process waiting.
+
 Just use `Fiber.set_scheduler` to set an instance `Itsi::Scheduler` as a scheduler to opt in to this IO weaving behavior
 *automatically* for all blocking IO.
 

data/gems/scheduler/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    itsi-scheduler (0.2.27.rc1)
+    itsi-scheduler (0.2.27)
       rb_sys (~> 0.9.91)
 
 GEM
@@ -86,7 +86,7 @@ CHECKSUMS
   connection_pool (3.0.2) sha256=33fff5ba71a12d2aa26cb72b1db8bba2a1a01823559fb01d29eb74c286e62e0a
   drb (2.2.3) sha256=0b00d6fdb50995fe4a45dea13663493c841112e4068656854646f418fda13373
   i18n (1.14.8) sha256=285778639134865c5e0f6269e0b818256017e8cde89993fdfcbfb64d088824a5
-  itsi-scheduler (0.2.27.rc1)
+  itsi-scheduler (0.2.27)
   json (2.19.4) sha256=670a7d333fb3b18ca5b29cb255eb7bef099e40d88c02c80bd42a3f30fe5239ac
   logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
   minitest (5.27.0) sha256=2d3b17f8a36fe7801c1adcffdbc38233b938eb0b4966e97a6739055a45fa77d5

data/gems/scheduler/lib/itsi/scheduler/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Scheduler
-    VERSION = "0.2.27.rc1"
+    VERSION = "0.2.27"
   end
 end

data/gems/server/Gemfile

@@ -19,6 +19,7 @@ group :server_test do
 end
 
 group :server_test_support do
+  gem "async-websocket"
   gem "jwt"
   gem "net_http_unix"
   gem "redis"

data/gems/server/Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: ../scheduler
   specs:
-    itsi-scheduler (0.2.27.rc1)
+    itsi-scheduler (0.2.27)
       rb_sys (~> 0.9.91)
 
 PATH
   remote: .
   specs:
-    itsi-server (0.2.27.rc1)
+    itsi-server (0.2.27)
       json (~> 2)
       prism (~> 1.4)
       rack (>= 1.6)
@@ -17,10 +17,42 @@ GEM
   remote: https://rubygems.org/
   specs:
     ansi (1.6.0)
+    async (2.39.0)
+      console (~> 1.29)
+      fiber-annotation
+      io-event (~> 1.11)
+      metrics (~> 0.12)
+      traces (~> 0.18)
+    async-http (0.95.1)
+      async (>= 2.10.2)
+      async-pool (~> 0.11)
+      io-endpoint (~> 0.14)
+      io-stream (~> 0.6)
+      metrics (~> 0.12)
+      protocol-http (~> 0.62)
+      protocol-http1 (~> 0.39)
+      protocol-http2 (~> 0.26)
+      protocol-url (~> 0.2)
+      traces (~> 0.10)
+    async-pool (0.11.2)
+      async (>= 2.0)
+    async-websocket (0.30.1)
+      async-http (~> 0.76)
+      protocol-http (~> 0.34)
+      protocol-rack (~> 0.7)
+      protocol-websocket (~> 0.17)
     base64 (0.3.0)
     bigdecimal (4.1.2)
     builder (3.3.0)
     connection_pool (3.0.2)
+    console (1.36.0)
+      fiber-annotation
+      fiber-local (~> 1.1)
+      json
+    fiber-annotation (0.2.0)
+    fiber-local (1.1.0)
+      fiber-storage
+    fiber-storage (1.0.1)
     google-protobuf (4.30.2)
       bigdecimal
       rake (>= 13)
@@ -29,11 +61,15 @@ GEM
     grpc (1.78.0)
       google-protobuf (>= 3.25, < 5.0)
       googleapis-common-protos-types (~> 1.0)
+    io-endpoint (0.17.2)
+    io-event (1.16.2)
+    io-stream (0.13.1)
     json (2.19.4)
     jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.5)
     logger (1.7.0)
+    metrics (0.15.0)
     minitest (5.27.0)
     minitest-reporters (1.8.0)
       ansi
@@ -42,6 +78,20 @@ GEM
       ruby-progressbar
     net_http_unix (0.2.2)
     prism (1.9.0)
+    protocol-hpack (1.5.1)
+    protocol-http (0.62.2)
+    protocol-http1 (0.39.0)
+      protocol-http (~> 0.62)
+    protocol-http2 (0.26.0)
+      protocol-hpack (~> 1.4)
+      protocol-http (~> 0.62)
+    protocol-rack (0.22.1)
+      io-stream (>= 0.10)
+      protocol-http (~> 0.58)
+      rack (>= 1.0)
+    protocol-url (0.4.0)
+    protocol-websocket (0.21.1)
+      protocol-http (~> 0.2)
     rack (3.2.6)
     rackup (2.3.1)
       rack (>= 3)
@@ -64,6 +114,7 @@ GEM
       prism (>= 1.2, < 2.0)
       rbs (>= 3, < 5)
     ruby-progressbar (1.13.0)
+    traces (0.18.2)
     tsort (0.2.0)
 
 PLATFORMS
@@ -71,6 +122,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  async-websocket
   bundler
   grpc
   itsi-scheduler!
@@ -89,23 +141,42 @@ DEPENDENCIES
 
 CHECKSUMS
   ansi (1.6.0) sha256=ac9ea0c0ea8d32fb4e271348e609963ac78882f34b73836c2a02b3622e666658
+  async (2.39.0) sha256=df18730073f2bbb45788077dfa20cb365ecc1b9453969f44de6796b5191a00aa
+  async-http (0.95.1) sha256=0c3dd458c204c06d5c4b20b01bbec4794a1203db627fb2ce536e1799ec14786c
+  async-pool (0.11.2) sha256=0a43a17b02b04d9c451b7d12fafa9a50e55dc6dd00d4369aca00433f16a7e3ed
+  async-websocket (0.30.1) sha256=54bb8a8f184e4aa64434c7a78ecc55850a67a3d1dcd02e3ae787376e2c673936
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   bigdecimal (4.1.2) sha256=53d217666027eab4280346fba98e7d5b66baaae1b9c3c1c0ffe89d48188a3fbd
   builder (3.3.0) sha256=497918d2f9dca528fdca4b88d84e4ef4387256d984b8154e9d5d3fe5a9c8835f
   connection_pool (3.0.2) sha256=33fff5ba71a12d2aa26cb72b1db8bba2a1a01823559fb01d29eb74c286e62e0a
+  console (1.36.0) sha256=45599ea906cf80a73d8941f03abf873fe66a6a954e0bac5bc1c01e2cdc406f07
+  fiber-annotation (0.2.0) sha256=7abfadf1d119f508867d4103bf231c0354d019cc39a5738945dec2edadaf6c03
+  fiber-local (1.1.0) sha256=c885f94f210fb9b05737de65d511136ea602e00c5105953748aa0f8793489f06
+  fiber-storage (1.0.1) sha256=f48e5b6d8b0be96dac486332b55cee82240057065dc761c1ea692b2e719240e1
   google-protobuf (4.30.2) sha256=0f35168dbeeccf13d928acf6c128cfec17b9a826ae4505246a02c115f4ae16ed
   googleapis-common-protos-types (1.19.0) sha256=aecb76ca5326f8bcc47ab083259bbc4971d07e87f56808af7e210669d9765694
   grpc (1.78.0) sha256=7aaf47b6d7783fb0e7d40fc853d34e802d47aef7b1312862b6e719141b3527c9
-  itsi-scheduler (0.2.27.rc1)
-  itsi-server (0.2.27.rc1)
+  io-endpoint (0.17.2) sha256=3feaf766c116b35839c11fac68b6aaadc47887bb488902a57bf8e1d288fb3338
+  io-event (1.16.2) sha256=9f9cb0a96ea5c3850a672606c65f27bc96d7621399ef6196acbfe2be0cd1279c
+  io-stream (0.13.1) sha256=570d7c4dfb0fbd767480b4a222048a2be6d9b78febc1ec68258d0e0a4cde20de
+  itsi-scheduler (0.2.27)
+  itsi-server (0.2.27)
   json (2.19.4) sha256=670a7d333fb3b18ca5b29cb255eb7bef099e40d88c02c80bd42a3f30fe5239ac
   jwt (3.1.2) sha256=af6991f19a6bb4060d618d9add7a66f0eeb005ac0bc017cd01f63b42e122d535
   language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
   logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
+  metrics (0.15.0) sha256=61ded5bac95118e995b1bc9ed4a5f19bc9814928a312a85b200abbdac9039072
   minitest (5.27.0) sha256=2d3b17f8a36fe7801c1adcffdbc38233b938eb0b4966e97a6739055a45fa77d5
   minitest-reporters (1.8.0) sha256=8ce5280fb73ad3178ae525454df169b6f28c1b38b1d088ea91815d3a370ba384
   net_http_unix (0.2.2) sha256=98aa0e1e7787f8383e8dd8ff60fc18062c2ddb2aadbc76e92cfb4f95d2c9d71d
   prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
+  protocol-hpack (1.5.1) sha256=6feca238b8078da1cd295677d6f306c6001af92d75fe0643d33e6956cbc3ad91
+  protocol-http (0.62.2) sha256=e1c1f2f56029c1af8c4e2b8a67d0d096c76620f3afd8d99d1dcd2f6b8ffa773b
+  protocol-http1 (0.39.0) sha256=e49b3f4cda6f5d94c76a323d2b7f6977cba3ebd082d2da437039594da77ad8eb
+  protocol-http2 (0.26.0) sha256=bac89cd78082b241ccd0cf7246f5160e4bb0c9c975fb4bf7deef5f88cc317486
+  protocol-rack (0.22.1) sha256=1185d245927ef9849a603700d6991ca353bc89724fbf98efa4a4333ed62a9fc3
+  protocol-url (0.4.0) sha256=64d4c03b6b51ad815ac6fdaf77a1d91e5baf9220d26becb846c5459dacdea9e1
+  protocol-websocket (0.21.1) sha256=34325e4325697f0956877e67784bcc838cfd51ebbf4f8e9e5201be292041ee61
   rack (3.2.6) sha256=5ed78e1f73b2e25679bec7d45ee2d4483cc4146eb1be0264fc4d94cb5ef212c2
   rackup (2.3.1) sha256=6c79c26753778e90983761d677a48937ee3192b3ffef6bc963c0950f94688868
   rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c
@@ -117,7 +188,8 @@ CHECKSUMS
   redis-client (0.24.0) sha256=ee65ee39cb2c38608b734566167fd912384f3c1241f59075e22858f23a085dbb
   ruby-lsp (0.26.7) sha256=60a1199fc7e329348d63a2479854f94435725d833eeabf3d539b790185cbf21f
   ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
+  traces (0.18.2) sha256=80f1649cb4daace1d7174b81f3b3b7427af0b93047759ba349960cb8f315e214
   tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
 
 BUNDLED WITH
-  2.6.9
+   2.6.9

data/gems/server/lib/itsi/server/config/options/certificates.md

@@ -54,12 +54,40 @@ Let's Encrypt enforces strict rate limits on production certificate generation.
 {{< /callout >}}
 
 
-{{< callout type="warn" >}}
-Currently only the TLS-ALPN-01 challenge type is supported for automated certificates.
-The HTTP-01 challenge is not *yet* supported. This means that, for e.g. if your server is sitting behind a CDN or reverse proxy that performs HTTPS termination, you will not be able to rely on the *automated* certificate generation for fully automated, verified e2e encryption.
-
-Instead you may wish to use:
-* [Self-signed](#development--self-signed) certificates
-* [Manually](#existing-certificates) install certificates
-* Use HTTP between the CDN and the server
-{{< /callout >}}
+Itsi supports both ACME challenge types that matter for common deployments:
+
+* `TLS-ALPN-01` is used when the certificate authority can reach Itsi directly on the HTTPS listener.
+* `HTTP-01` can be used when you also expose a reachable HTTP listener for the same hostname. In real Let's Encrypt deployments this typically means port `80` must reach Itsi for `/.well-known/acme-challenge/*`.
+
+This means setups behind a CDN, WAF, or TLS-terminating proxy can still use automated certificates, provided plain HTTP validation traffic is forwarded to Itsi.
+
+E.g. a production configuration that allows HTTP-01 fallback might look like this:
+
+```ruby {filename=Itsi.rb}
+bind "http://0.0.0.0:80"
+bind "https://0.0.0.0:443?cert=acme&domains=example.com&acme_email=you@example.com"
+```
+
+## Dynamic Domain Registration
+You can add or remove ACME-managed domains while Itsi is already running.
+
+This is useful when hostnames are discovered dynamically by your Ruby application, or when you want to defer certificate issuance until a tenant, customer, or site is activated.
+
+Runtime APIs:
+
+* `Itsi::Server.tls_bindings`
+* `Itsi::Server.tls_domains(listener_id = nil)`
+* `Itsi::Server.tls_domain_statuses(listener_id = nil)`
+* `Itsi::Server.register_tls_domain(domain, listener_id = nil)`
+* `Itsi::Server.unregister_tls_domain(domain, listener_id = nil)`
+
+Example:
+
+```ruby
+Itsi::Server.register_tls_domain("customer-a.example.com")
+
+status = Itsi::Server.tls_domain_statuses.find { |entry| entry["domain"] == "customer-a.example.com" }
+puts status
+```
+
+When using dynamic issuance with HTTP-01, the same requirement still applies: the domain being issued must be able to reach an Itsi-managed HTTP listener for the ACME challenge path.

data/gems/server/lib/itsi/server/config/options/fiber_scheduler.md

@@ -7,6 +7,8 @@ This allows Itsi to process a very large number of IO heavy requests concurrentl
 
 Enabling Fiber Scheduler mode can drastically improve application performance if you perform large amounts of blocking IO operations.
 
+Itsi's bundled scheduler is intended to be practical for real Ruby applications, not just toy socket examples. It integrates with the scheduler hooks used by modern Rubies for socket I/O, DNS lookups, sleeps and timeouts, and process waiting.
+
 
 ## Configuration File
 ```ruby {filename="Itsi.rb"}

data/gems/server/lib/itsi/server/default_config/Itsi.rb

@@ -37,6 +37,10 @@ fiber_scheduler nil
 # bind "https://itsi.fyi?cert=acme&acme_email=admin@itsi.fyi"
 # You can generate certificates for multiple domains at once, by passing a comma-separated list of domains
 # bind "https://0.0.0.0?domains=foo.itsi.fyi,bar.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
+# If HTTPS on 443 is not directly reachable, you can also expose an HTTP listener and
+# Let's Encrypt will be able to validate using HTTP-01 instead.
+# bind "http://0.0.0.0:80"
+# bind "https://0.0.0.0:443?domains=foo.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
 #
 # If you already have a certificate you can specify it using the cert and key parameters
 # bind "https://itsi.fyi?cert=/path/to/cert.pem&key=/path/to/key.pem"

data/gems/server/lib/itsi/server/rack_interface.rb

@@ -103,7 +103,8 @@ module Itsi
         elsif body_streamer
           # If we're partially hijacked or returned a streaming body,
           # stream this response.
-          body_streamer.call(response)
+          stream = status == 101 ? request.partial_hijack : response
+          body_streamer.call(stream)
 
         elsif body.is_a?(Array)
           if body.length == 1

data/gems/server/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.2.27.rc1"
+    VERSION = "0.2.27"
   end
 end

data/gems/server/test/rack/test_rack_server.rb

@@ -1,4 +1,7 @@
 require_relative "../helpers/test_helper"
+require "async/websocket/adapters/rack"
+require "protocol/websocket/connection"
+require "base64"
 
 class TestRackServer < Minitest::Test
   def test_that_it_has_a_version_number
@@ -145,6 +148,36 @@ class TestRackServer < Minitest::Test
     assert_operator read_arity, :!=, 0
   end
 
+  def test_async_websocket_rack_adapter_can_upgrade_and_echo_messages
+    callback_error = Queue.new
+
+    server(app_with_lint: lambda do |env|
+      Async::WebSocket::Adapters::Rack.open(env) do |connection|
+        begin
+          message = connection.read
+          connection.write(message)
+          connection.flush
+        rescue => e
+          callback_error << e
+        end
+      end || [200, { "content-type" => "text/plain" }, ["ok"]]
+    end) do |uri|
+      socket = websocket_upgrade_socket(uri)
+      connection = websocket_client_connection(socket)
+
+      connection.write("hello")
+      connection.flush
+
+      message = connection.read
+      assert_equal "hello", message.to_str
+    ensure
+      connection&.close rescue nil
+      socket&.close
+    end
+
+    raise callback_error.pop unless callback_error.empty?
+  end
+
   def test_enumerable_body
     server(app_with_lint: lambda do |env|
       [200, { "content-type" => "application/json" },
@@ -503,4 +536,36 @@ class TestRackServer < Minitest::Test
       assert_equal %w[a=b c=d], resp.get_fields("set-cookie")
     end
   end
+
+  private
+
+  def websocket_upgrade_socket(uri)
+    socket = TCPSocket.new(uri.host, uri.port)
+    socket.write(
+      "GET / HTTP/1.1\r\n" \
+      "Host: #{uri.host}:#{uri.port}\r\n" \
+      "Connection: Upgrade\r\n" \
+      "Upgrade: websocket\r\n" \
+      "Sec-WebSocket-Version: 13\r\n" \
+      "Sec-WebSocket-Key: #{Base64.strict_encode64(SecureRandom.random_bytes(16))}\r\n" \
+      "\r\n"
+    )
+    socket.flush
+
+    response = +""
+    until response.include?("\r\n\r\n")
+      chunk = socket.read(1)
+      raise EOFError, "Unexpected EOF during websocket handshake" unless chunk
+
+      response << chunk
+    end
+
+    assert_includes response, "101"
+    socket
+  end
+
+  def websocket_client_connection(socket)
+    framer = Protocol::WebSocket::Framer.new(socket)
+    Protocol::WebSocket::Connection.new(framer, mask: "\x01\x02\x03\x04")
+  end
 end

data/lib/itsi/version.rb

@@ -1,3 +1,3 @@
 module Itsi
-  VERSION = "0.2.27.rc1"
+  VERSION = "0.2.27"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: itsi
 version: !ruby/object:Gem::Version
-  version: 0.2.27.rc1
+  version: 0.2.27
 platform: ruby
 authors:
 - Wouter Coppieters
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.27.rc1
+        version: 0.2.27
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.27.rc1
+        version: 0.2.27
 - !ruby/object:Gem::Dependency
   name: itsi-server
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.27.rc1
+        version: 0.2.27
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.27.rc1
+        version: 0.2.27
 description: Wrapper Gem for both the Itsi server and the Itsi Fiber scheduler
 email:
 - wc@pico.net.nz