Setting up Dehydrated

dehydrated | dehydrated-dns | dehydrated-http | dehydrated-reload

install

debian/ubuntu

apt install dehydrated
#dehydrated-apache2

rmdir /etc/dehydrated/conf.d/

freebsd

pkg install dehydrated
ln -s /usr/local/etc/dehydrated /etc/dehydrated
ln -s /usr/local/www/dehydrated /var/lib/dehydrated
echo weekly_dehydrated_enable=yes >> /etc/periodic.conf
#echo daily_dehydrated_enable=yes >> /etc/rc.conf

from source

# should not exist yet
ls -lhF /usr/local/bin/dehydrated

git clone https://github.com/lukas2511/dehydrated.git
cp -f dehydrated/dehydrated /usr/local/bin/

dehydrated -h

mkdir /etc/dehydrated/

shared

optionally, a symlink to reach the certs easily

# should not exist yet
ls -lF /etc/dehydrated/certs
ln -s /var/lib/dehydrated/certs /etc/dehydrated/certs

HTTP-01 challenge

see dehydrated-http

DNS-01 challenge

see dehydrated-dns

ready to go

you are now ready to use those CA-signed certs with e.g. NGINX, HAPROXY, Postfix and Dovecot.

acceptance

see sslhappy-test

more options

optionally, make specific folders available for RSA and various ECC flavors

# debian
mkdir -p /var/lib/dehydrated/certs/rsa/
mkdir -p /var/lib/dehydrated/certs/prime256v1/
mkdir -p /var/lib/dehydrated/certs/secp384r1/

# rhel
mkdir -p /etc/dehydrated/certs/rsa/
mkdir -p /etc/dehydrated/certs/prime256v1/
mkdir -p /etc/dehydrated/certs/secp384r1/

more http01 options

dehydrated --cron --keep-going --algo rsa --out /var/lib/dehydrated/certs/rsa
dehydrated --cron --keep-going --algo prime256v1 --out /var/lib/dehydrated/certs/prime256v1
dehydrated --cron --keep-going --algo secp384r1 --out /var/lib/dehydrated/certs/secp384r1

more dns01 options

dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo rsa --out /var/lib/dehydrated/certs/rsa
dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo prime256v1 --out /var/lib/dehydrated/certs/prime256v1
dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo secp384r1 --out /var/lib/dehydrated/certs/secp384r1
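
A check to run after the per-algorithm commands above, as an added example (not part of the original notes or of dehydrated itself): it reports private keys readable by group or others and domains left without a full chain. It assumes the layout ROOT/<algo>/<domain>/ with privkey*.pem and fullchain.pem files and the directory names from the mkdir lines; the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the per-algorithm certificate tree.
# Assumed layout: ROOT/<algo>/<domain>/{privkey*.pem,fullchain.pem}
# Usage: sh audit-certs.sh /var/lib/dehydrated/certs   (script name is hypothetical)

AUDIT_FINDINGS=0

report() {  # print one finding and count it
    echo "$1 $2"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

audit_cert_tree() {
    root=$1
    AUDIT_FINDINGS=0
    for algo in rsa prime256v1 secp384r1; do
        dir="$root/$algo"
        if [ ! -d "$dir" ]; then
            report MISSING-DIR "$dir"
            continue
        fi
        # Key files with any group/other permission bit set.
        # "-perm -NNN" is POSIX, so GNU and FreeBSD find both accept it.
        loose=$(find "$dir" -type f -name 'privkey*.pem' \
            \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        for key in $loose; do
            report LOOSE-PERMS "$key"
        done
        # Domain directories holding a key but no (or an empty) full chain,
        # which points at a failed or partial issuance for that algorithm.
        for domdir in "$dir"/*/; do
            [ -d "$domdir" ] || continue
            if [ -e "${domdir}privkey.pem" ] && [ ! -s "${domdir}fullchain.pem" ]; then
                report NO-CHAIN "$domdir"
            fi
        done
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    audit_cert_tree "$1"
fi
```

The function returns non-zero when anything is found, so it can gate a service reload in a cron job.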

automation

see dehydrated-reload

additional notes

dealing with your own curve

    dehydrated --signcsr "$domain.csr" --full-chain > "$domain.crt"

resources

https://github.com/dehydrated-io/dehydrated

nginx

FW https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md

https://sysadmin.pm/dehydrated-letsencrypt/

troubles

https://github.com/lukas2511/dehydrated/issues/193

acme v2

https://github.com/dehydrated-io/dehydrated/issues/420


Licensed under MIT