Setting up Dehydrated

challenge types http-01 and dns-01

Introduction

we want to allow legacy/non-ECC SSL clients (e.g. slackware.com and orange.fr outbound MTAs) to connect so we’re keeping RSA as a default. However we’re also providing ECDSA as an alternative with far more ciphers to offer as a result.

Install

debian/ubuntu

apt install dehydrated
#dehydrated-apache2

freebsd

pkg install dehydrated
ln -s /usr/local/etc/dehydrated /etc/dehydrated
ln -s /usr/local/www/dehydrated /var/lib/dehydrated
echo weekly_dehydrated_enable=yes >> /etc/periodic.conf
#echo daily_dehydrated_enable=yes >> /etc/rc.conf

from source

git clone https://github.com/lukas2511/dehydrated.git

ls -lhF /usr/local/bin/dehydrated #noexist
cp dehydrated/dehydrated /usr/local/bin/
dehydrated -h

HTTP-01 challenge

cd /etc/dehydrated/
rmdir conf.d/
mv -i config config.dist
grep -vE '^#|^$' config.dist > config.clean
# new file
vi config

BASEDIR=/var/lib/dehydrated
CONTACT_EMAIL=...

IP_VERSION=4
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
DOMAINS_TXT="/etc/dehydrated/domains-http01"
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"

# those will be defined at run-time
#KEY_ALGO=prime256v1
#KEY_ALGO=secp384r1
#KEY_ALGO=rsa

grab some certs for both, the domain itself and some host

vi /etc/dehydrated/domains-http01

DOMAIN.TLD
HOST.DOMAIN.TLD

prepare the shared folder for HTTP-01 challenges

mkdir -p /var/www/dehydrated/
echo ok > /var/www/dehydrated/ok.txt
#mkdir -p /var/www/html/.well-known/acme-challenge/
#echo ok > /var/www/html/.well-known/acme-challenge/ok.txt

this goes in conjunction with every vhost setting

    # deal with http-01 challenges (no http2 there)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }

apply

nginx -t
nginx -s reload

check remotely that you are well known on the clear-text web

from a remote workstation

domain=...
host $domain
nmap -p 80 $domain
curl -i http://$domain/.well-known/acme-challenge/ok.txt

DNS-01 challenage

assuming you’ve got NSD up and running locally

cd /etc/nsd/
#wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/docs/examples/hook.sh
#wget https://raw.githubusercontent.com/sebastiansterk/dns-01-manual/master/hook.sh
wget https://pub.nethence.com/bin/daemons/hook.sh.txt
mv hook.sh.txt hook.sh
chmod +x hook.sh

we are pointing to our hook script here

vi /etc/dehydrated/config-dns01

IP_VERSION=4
CA="letsencrypt"
CHALLENGETYPE="dns-01"
DOMAINS_TXT="/etc/dehydrated/domains-dns01"
HOOK=/etc/nsd/hook.sh
CONTACT_EMAIL=...

grab some certs for both, the domain itself and its sub-level wildcard

vi /etc/dehydrated/domains-dns01

DOMAIN.TLD
*.DOMAIN.TLD > DOMAIN_TLD

Ready to go

accept the terms and attempt to get some CSR signed

    dehydrated --register --accept-terms
    dehydrated --config /etc/dehydrated/config-dns01 --register --accept-terms
    find /var/lib/dehydrated/accounts/

make a specific folder available for the ECC flavor of your certs

mkdir -p /var/lib/dehydrated/certs/ECC/

and eventually a symlink to reach the certs easily

ls -lF /etc/dehydrated/certs # no exist
ln -s /var/lib/dehydrated/certs /etc/dehydrated/certs

dealing with http-01

dehydrated --cron
dehydrated --cron --algo prime256v1 --out /var/lib/dehydrated/certs/ECC
dehydrated --cleanup

dealing with dns-01

dehydrated --cron --config /etc/dehydrated/config-dns01
dehydrated --cron --config /etc/dehydrated/config-dns01 --algo secp384r1 --out /var/lib/dehydrated/certs/ECC
dehydrated --cleanup --config /etc/dehydrated/config-dns01

other options

# --force

You are now ready to use those CA-signed certs with e.g. NGINX, Postfix and Dovecot.

Acceptance

copy/paste the DOMAIN_TXT somewhere remotely and proceed

for domain in `cat LALA`; do echo $domain; curl -sI https://$domain/ | head -1; echo; done; unset domain

Automation

simply run the thing in a cron job ONCE A WEEK – DON’T FORGET TO RELOAD THE DAEMONS

vi /root/WEEKLY

# it's important to have the time in sync before talking to LE
# assuming either an NTP daemon --or-- the DAILY script has been run before

echo RE-NEWING HTTP01 CERTIFICATES
echo
dehydrated --cron --keep-going
dehydrated --cron --keep-going --algo prime256v1 --out /var/lib/dehydrated/certs/ECC
echo

echo RE-NEWING DNS01 CERTIFICATES
echo
dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01
dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo secp384r1 --out /var/lib/dehydrated/certs/ECC
echo

# we could otherwise consider reloading only if there's a new cert with hooks
# but this doesn't harm much and we are cleaning up old certs only thereafter
echo RELOADING DAEMONS
echo
# yes, just reload is enough
nginx -s reload && echo nginx reloaded
# need to emulate a terminal to get some output - self-verbose
script --return --command "postfix reload" --append /var/log/typescript.log && echo postfix reloaded
dovecot reload && echo dovecot reloaded
echo

echo CLEANING-UP UNUSED CERTS
dehydrated --cleanup
dehydrated --cleanup --config /etc/dehydrated/config-dns01
echo

chmod +x /root/WEEKLY

Note we’re using --keep-going only for the HTTP-01 sample.

Note we’re cleaning-up AFTER having reloaded the daemons.

assuming outbound email is setup

    crontab -e

    MINUTE HOUR * * 0 /root/WEEKLY 2>&1

Additional notes

dealing with a self-defined curve

    dehydrated --signcsr $domain.csr --full-chain > $domain.crt

Resources

dehydrated https://github.com/dehydrated-io/dehydrated

Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md

WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193

Dehydrated и Let’s Encrypt https://sysadmin.pm/dehydrated-letsencrypt/

I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487