TLS certificate management over the ACME protocol (RFC 8555), using the TLS-ALPN-01 challenge (RFC 8737).
Although this should work with any ACME server, the emphasis is on making it work with the Boulder implementation from Let's Encrypt, which can diverge slightly from the specs.
The TLS-ALPN-01 challenge is validated by providing a self-signed certificate during the TLS handshake. The certificate must have an id-pe-acmeIdentifier extension (id 31) that includes the authorization key.
This means that the library needs to interact with the server's TLS acceptor.
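The following added example (not this library's own code) builds the DER bytes of the id-pe-acmeIdentifier extension, in which RFC 8737 places the SHA-256 digest of the RFC 8555 key authorization, and shows the check an acceptor hook needs in order to recognise a validation handshake. All function names, the sample JWK and the sample token are constructed for illustration.

```python
import base64
import hashlib
import json

ACME_TLS_ALPN = "acme-tls/1"  # ALPN protocol name defined by RFC 8737
ACME_IDENTIFIER_OID = bytes.fromhex("2b0601050507011f")  # DER body of 1.3.6.1.5.5.7.1.31

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def acme_identifier_extension(key_auth: str) -> bytes:
    """DER Extension: critical, extnValue wraps OCTET STRING(SHA-256(key_auth))."""
    digest = hashlib.sha256(key_auth.encode("utf-8")).digest()
    return der(0x30, der(0x06, ACME_IDENTIFIER_OID)   # extnID
                     + der(0x01, b"\xff")             # critical = TRUE
                     + der(0x04, der(0x04, digest)))  # extnValue

def is_validation_handshake(offered_alpn: list) -> bool:
    """Acceptor-side check: the validator offers exactly one protocol, acme-tls/1."""
    return offered_alpn == [ACME_TLS_ALPN]

# Constructed sample values (not a real account key or token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token-123"

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print(ka)
    print(acme_identifier_extension(ka).hex())
```

The acceptor should serve the challenge certificate only when `is_validation_handshake` is true, and its regular certificate otherwise.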