Dstack-TEE · h4x3rotab · Dec 25, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/ct_monitor/Cargo.toml b/ct_monitor/Cargo.toml
@@ -12,6 +12,7 @@ license.workspace = true
 [dependencies]
 anyhow.workspace = true
 clap = { workspace = true, features = ["derive"] }
+hex = { workspace = true, features = ["alloc", "std"] }
 hex_fmt.workspace = true
 regex.workspace = true
 reqwest = { workspace = true, default-features = false, features = ["json", "rustls-tls", "charset", "hickory-dns"] }
@@ -21,6 +22,3 @@ tokio = { workspace = true, features = ["full"] }
 tracing.workspace = true
 tracing-subscriber.workspace = true
 x509-parser.workspace = true
-
-dstack-gateway-rpc.workspace = true
-ra-rpc = { workspace = true, default-features = false, features = ["client"] }
diff --git a/ct_monitor/src/main.rs b/ct_monitor/src/main.rs
@@ -4,8 +4,6 @@
 
 use anyhow::{bail, Context, Result};
 use clap::Parser;
-use dstack_gateway_rpc::gateway_client::GatewayClient;
-use ra_rpc::client::RaClient;
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeSet;
@@ -15,6 +13,13 @@
 
 const BASE_URL: &str = "https://crt.sh";
 
+#[derive(Debug, Deserialize)]
+struct AcmeInfoResponse {
+    #[allow(dead_code)]
+    account_uri: String,
+    hist_keys: Vec<String>,
+}
+
 struct Monitor {
     gateway_uri: String,
     domain: String,
@@ -48,12 +53,38 @@
     }
 
     async fn refresh_known_keys(&mut self) -> Result<()> {
-        info!("fetching known public keys from {}", self.gateway_uri);
-        // TODO: Use RA-TLS
-        let tls_no_check = true;
-        let rpc = GatewayClient::new(RaClient::new(self.gateway_uri.clone(), tls_no_check)?);
-        let info = rpc.acme_info().await?;
-        self.known_keys = info.hist_keys.into_iter().collect();
+        let acme_info_url = format!("{}/acme-info", self.gateway_uri.trim_end_matches('/'));
+        info!("fetching known public keys from {}", acme_info_url);
+
+        let client = reqwest::Client::builder()
+            .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification
@@ -57,7 +57,7 @@
        info!("fetching known public keys from {}", acme_info_url);
        let client = reqwest::Client::builder()
-            .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification
+            .danger_accept_invalid_certs(false) // TODO: Use RA-TLS verification
            .build()
            .context("failed to build http client")?;
@@ -57,7 +57,7 @@
        info!("fetching known public keys from {}", acme_info_url);

        let client = reqwest::Client::builder()
-            .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification
+            .danger_accept_invalid_certs(false) // TODO: Use RA-TLS verification
            .build()
            .context("failed to build http client")?;

+            .build()
+            .context("failed to build http client")?;
+
+        let response = client
+            .get(&acme_info_url)
+            .send()
+            .await
+            .context("failed to fetch acme-info")?;
+
+        if !response.status().is_success() {
+            bail!(
+                "failed to fetch acme-info: HTTP {}",
+                response.status().as_u16()
+            );
+        }
+
+        let info: AcmeInfoResponse = response
+            .json()
+            .await
+            .context("failed to parse acme-info response")?;
+
+        self.known_keys = info
+            .hist_keys
+            .into_iter()
+            .map(|hex_key| hex::decode(&hex_key).context("invalid hex in hist_keys"))
+            .collect::<Result<BTreeSet<_>>>()?;
+
         info!("got {} known public keys", self.known_keys.len());
         for key in self.known_keys.iter() {
             debug!("    {}", hex_fmt::HexFmt(key));