Setting up Dehydrated

for http-01 and dns-01

Installation

git clone https://github.com/lukas2511/dehydrated.git

ls -lhF /usr/local/bin/dehydrated # should not exist yet
cp dehydrated/dehydrated /usr/local/bin/
dehydrated -h

http-01 challenge

mkdir -p /etc/dehydrated/
cp -i dehydrated/docs/examples/config /etc/dehydrated/config.sample
vi /etc/dehydrated/config # new file

IP_VERSION=4
# ACMEv1 is deprecated, use the v2 endpoint
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"
KEY_ALGO=prime256v1
CONTACT_EMAIL=...

prepare the shared folder for HTTP-01 challenges

mkdir -p /var/www/dehydrated/
echo ok > /var/www/dehydrated/ok.txt
#mkdir -p /var/www/html/.well-known/acme-challenge/
#echo ok > /var/www/html/.well-known/acme-challenge/ok.txt

#vi /etc/nginx/sites-enabled/$domain.conf
vi /usr/local/nginx/conf/nginx.conf

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    #trailing slash matters
    alias /var/www/dehydrated/;
}

check remotely that you are well known on the clear-text web…

curl -si http://$domain/.well-known/acme-challenge/ok.txt

dns-01 challenge

cd /root/
wget https://raw.githubusercontent.com/sebastiansterk/dns-01-manual/master/hook.sh
chmod +x hook.sh

vi /etc/dehydrated/config

IP_VERSION=4
CA="letsencrypt"
CHALLENGETYPE="dns-01"
DOMAINS_TXT="${BASEDIR}/domains.txt"
HOOK=/root/hook.sh
KEY_ALGO=secp384r1
CONTACT_EMAIL=...

Ready to go

accept the terms and attempt to get your CSR signed

    cd /etc/ssl/

    dehydrated --register --accept-terms
    find /etc/dehydrated/accounts/

already have your own CSR (e.g. on an EC key)? sign it directly

    dehydrated --signcsr $domain.csr --full-chain > $domain.crt

dealing with dns-01?

vi /etc/dehydrated/domains.txt

*.DOMAIN.TLD > DOMAIN_TLD

dehydrated --cron

the hook prompts you for the TXT record, edit your zone accordingly. As a result you will get the wildcard certificate in the folder named after the alias

ls -lF /etc/dehydrated/certs/DOMAIN_TLD/

Automation for http-01

It’s fast and simple. Fill in the domains you’re hosting

vi /etc/dehydrated/domains.txt

FQDN1
FQDN2

and simply run the thing in a cron job

crontab -e

30 3 * * 0 /usr/local/bin/dehydrated --cron --keep-going --algo prime256v1
#--force

or (DON’T FORGET TO RELOAD THE DAEMONS)

vi /etc/cron.weekly/dehydrated

/usr/local/bin/dehydrated --cron --keep-going --algo prime256v1 && /usr/local/sbin/nginx -s reload
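A hook script of my own (added example, not the hook.sh fetched above nor part of dehydrated) that covers both the manual dns-01 flow and the reload reminder: it prints the TXT record to publish, then reloads nginx once a certificate is deployed. It assumes nginx lives at /usr/local/sbin/nginx as above; the handler names and argument order are dehydrated's own hook interface.

```shell
#!/bin/sh
# Hypothetical dehydrated hook (added example). dehydrated calls it as:
#   hook.sh <handler> <args...>   e.g. HOOK=/root/hook.sh in config
set -eu

# Command run after a certificate is deployed (override via environment).
RELOAD_CMD="${RELOAD_CMD:-/usr/local/sbin/nginx -s reload}"

# TXT record name the CA validates for a domain; a wildcard prefix ("*.")
# is dropped because the challenge is placed on the base name.
acme_txt_name() {
    domain="$1"
    case "$domain" in
        \*.*) domain="${domain#\*.}" ;;
    esac
    printf '_acme-challenge.%s\n' "$domain"
}

# Zone-file line to paste into the DNS zone for this challenge.
acme_txt_zone_line() {
    printf '%s. 60 IN TXT "%s"\n' "$(acme_txt_name "$1")" "$2"
}

deploy_challenge() {
    # $1 domain, $2 token filename (http-01 only), $3 TXT value for dns-01
    echo "Publish this record, wait for propagation, then press Enter:"
    acme_txt_zone_line "$1" "$3"
    read -r _
}

clean_challenge() {
    echo "Challenge finished; remove $(acme_txt_name "$1") from the zone."
}

deploy_cert() {
    # $1 domain, $2 keyfile, $3 certfile, $4 fullchainfile, $5 chainfile
    echo "New certificate for $1 at $4; reloading the daemon"
    $RELOAD_CMD
}

# Dispatch on the handler name; other handlers (unchanged_cert, exit_hook,
# ...) are silently ignored, which dehydrated accepts.
if [ "$#" -gt 0 ]; then
    handler="$1"; shift
    case "$handler" in
        deploy_challenge|clean_challenge|deploy_cert) "$handler" "$@" ;;
    esac
fi
```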

Resources

Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md

WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193

Dehydrated and Let’s Encrypt https://sysadmin.pm/dehydrated-letsencrypt/

I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487

dns-01

https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/domains.txt

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md

https://github.com/dehydrated-io/dehydrated/wiki

https://community.letsencrypt.org/t/dns-01-problem-with-dehydrated/116338

https://www.aaflalo.me/2017/02/lets-encrypt-with-dehydrated-dns-01/

https://blog.znedw.com/lets-encrypt-wildcard-nsd.html