challenge types http-01 and dns-01
we want to allow legacy/non-ECC SSL clients (e.g. slackware.com and orange.fr outbound MTAs) to connect so we’re keeping RSA as a default. However we’re also providing ECDSA as an alternative with far more ciphers to offer as a result.
debian/ubuntu
apt install dehydrated #dehydrated-apache2 rmdir /etc/dehydrated/conf.d/
freebsd
pkg install dehydrated ln -s /usr/local/etc/dehydrated /etc/dehydrated ln -s /usr/local/www/dehydrated /var/lib/dehydrated echo weekly_dehydrated_enable=yes >> /etc/periodic.conf #echo daily_dehydrated_enable=yes >> /etc/rc.conf
from source
# no exist ls -lhF /usr/local/bin/dehydrated git clone https://github.com/lukas2511/dehydrated.git cp -f dehydrated/dehydrated /usr/local/bin/ dehydrated -h mkdir /etc/dehydrated/
cd /etc/dehydrated/ mv -i config config.dist grep -vE '^#|^$' config.dist > config.clean # new file vi config
# debian/ubuntu BASEDIR=/var/lib/dehydrated # rhel & from source BASEDIR=/etc/dehydrated CONTACT_EMAIL=... IP_VERSION=4 CA="https://acme-v02.api.letsencrypt.org/directory" CHALLENGETYPE="http-01" DOMAINS_TXT="/etc/dehydrated/domains-http01" WELLKNOWN="/var/www/dehydrated" #WELLKNOWN="/var/www/html/.well-known/acme-challenge" # those are defined at run-time #KEY_ALGO=prime256v1 #KEY_ALGO=secp384r1 #KEY_ALGO=rsa
grab some certs for both, the domain itself and some host
vi /etc/dehydrated/domains-http01 DOMAIN.TLD HOST.DOMAIN.TLD
prepare the shared folder for HTTP-01 challenges
mkdir -p /var/www/dehydrated/ echo ok > /var/www/dehydrated/ok.txt #mkdir -p /var/www/html/.well-known/acme-challenge/ #echo ok > /var/www/html/.well-known/acme-challenge/ok.txt
this goes in conjunction with every vhost setting
# deal with http-01 challenges (no http2 there)
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
# trailing slash matters
alias /var/www/dehydrated/;
}
apply
nginx -t nginx -s reload
check remotely that you are well known on the clear-text web
from a remote workstation
domain=... host $domain nmap -p 80 $domain curl -i http://$domain/.well-known/acme-challenge/ok.txt
assuming you’ve got NSD up and running locally
cd /etc/nsd/ #wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/docs/examples/hook.sh #wget https://raw.githubusercontent.com/sebastiansterk/dns-01-manual/master/hook.sh wget https://pub.nethence.com/bin/daemons/hook.sh.txt mv hook.sh.txt hook.sh chmod +x hook.sh
we are pointing to our hook script here
vi /etc/dehydrated/config-dns01 IP_VERSION=4 CA="letsencrypt" CHALLENGETYPE="dns-01" DOMAINS_TXT="/etc/dehydrated/domains-dns01" CONTACT_EMAIL=... HOOK=/etc/nsd/hook.sh
grab some certs for both, the domain itself and its sub-level wildcard
vi /etc/dehydrated/domains-dns01 DOMAIN.TLD *.DOMAIN.TLD > DOMAIN_TLD
accept the terms and attempt to get some CSR signed
dehydrated --register --accept-terms
dehydrated --config /etc/dehydrated/config-dns01 --register --accept-terms
# debian12 & from source
find /etc/dehydrated/accounts/
make a specific folder available for the RSA vs ECC flavors
mkdir -p /var/lib/dehydrated/certs/RSA/ mkdir -p /var/lib/dehydrated/certs/ECC/
and eventually a symlink to reach the certs easily
ls -lF /etc/dehydrated/certs # no exist ln -s /var/lib/dehydrated/certs /etc/dehydrated/certs
dealing with http-01
# debian/ubuntu dehydrated --cron --algo prime256v1 --out /var/lib/dehydrated/certs/ECC dehydrated --cron --algo rsa --out /var/lib/dehydrated/certs/RSA # rhel dehydrated --cron --algo prime256v1 --out /etc/dehydrated/certs/ECC dehydrated --cron --algo rsa --out /etc/dehydrated/certs/RSA dehydrated --cleanup
dealing with dns-01
dehydrated --cron --config /etc/dehydrated/config-dns01 --algo rsa --out /var/lib/dehydrated/certs/RSA dehydrated --cron --config /etc/dehydrated/config-dns01 --algo secp384r1 --out /var/lib/dehydrated/certs/ECC dehydrated --cleanup --config /etc/dehydrated/config-dns01
other options
# --force
You are now ready to use those CA-signed certs with e.g. NGINX, Postfix and Dovecot.
copy/paste the DOMAIN_TXT somewhere remotely and proceed
for domain in `cat LALA`; do echo $domain; curl -sI https://$domain/ | head -1; echo; done; unset domain
simply run the thing in a cron job ONCE A WEEK – DON’T FORGET TO RELOAD THE DAEMONS
vi /root/WEEKLY
# it's important to have the time in sync before talking to LE # assuming either an NTP daemon --or-- the DAILY script has been run before echo RE-NEWING HTTP01 CERTIFICATES echo dehydrated --cron --keep-going --algo rsa --out /var/lib/dehydrated/certs/RSA dehydrated --cron --keep-going --algo prime256v1 --out /var/lib/dehydrated/certs/ECC echo echo RE-NEWING DNS01 CERTIFICATES echo dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo rsa --out /var/lib/dehydrated/certs/RSA dehydrated --cron --keep-going --config /etc/dehydrated/config-dns01 --algo secp384r1 --out /var/lib/dehydrated/certs/ECC echo # we could otherwise consider reloading only if there's a new cert with hooks # but this doesn't harm much and we are cleaning up old certs only thereafter echo RELOADING DAEMONS echo # yes, just reload is enough nginx -s reload && echo nginx reloaded # need to emulate a terminal to get some output - self-verbose script --return --command "postfix reload" --append /var/log/typescript.log && echo postfix reloaded dovecot reload && echo dovecot reloaded echo echo CLEANING-UP UNUSED CERTS dehydrated --cleanup dehydrated --cleanup --config /etc/dehydrated/config-dns01 echo
chmod +x /root/WEEKLY
Note we’re using --keep-going only for the HTTP-01 sample.
Note we’re cleaning-up AFTER having reloaded the daemons.
assuming outbound email is setup
crontab -e
MINUTE HOUR * * 0 /root/WEEKLY 2>&1
dealing with a self-defined curve
dehydrated --signcsr $domain.csr --full-chain > $domain.crt
dehydrated https://github.com/dehydrated-io/dehydrated
Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/
WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md
WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193
Dehydrated и Let’s Encrypt https://sysadmin.pm/dehydrated-letsencrypt/
I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487
Home https://github.com/dehydrated-io/dehydrated/wiki
dehydrated/docs/examples/domains.txt https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/domains.txt
dns-01 challenge https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md
example dns 01 nsupdate script https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script
https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
https://community.letsencrypt.org/t/dns-01-problem-with-dehydrated/116338
https://www.aaflalo.me/2017/02/lets-encrypt-with-dehydrated-dns-01/
https://blog.znedw.com/lets-encrypt-wildcard-nsd.html
ACME v2 Support #420 https://github.com/dehydrated-io/dehydrated/issues/420
What is this openvt command doing? https://unix.stackexchange.com/questions/356790/what-is-this-openvt-command-doing