challenge types http-01 and dns-01
we want to allow legacy TLS clients that cannot handle ECDSA (e.g. slackware.com and orange.fr outbound MTAs) to connect, so we keep RSA as the default. However we also provide an ECDSA certificate as an alternative: it enables the ECDHE-ECDSA cipher suites for the clients that support them, on top of the RSA ones.
binaries
apt install dehydrated #dehydrated-apache2
from source
git clone https://github.com/lukas2511/dehydrated.git
ls -lhF /usr/local/bin/dehydrated #noexist
cp dehydrated/dehydrated /usr/local/bin/
dehydrated -h
mkdir -p /etc/dehydrated/
vi /etc/dehydrated/config

IP_VERSION=4
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"
CONTACT_EMAIL=...
# dehydrated's built-in default is secp384r1, so the RSA certificate we want as the default has to be asked for explicitly
#KEY_ALGO=prime256v1
#KEY_ALGO=secp384r1
KEY_ALGO=rsa
prepare the shared folder for HTTP-01 challenges
mkdir -p /var/www/dehydrated/
echo ok > /var/www/dehydrated/ok.txt
#mkdir -p /var/www/html/.well-known/acme-challenge/
#echo ok > /var/www/html/.well-known/acme-challenge/ok.txt
this goes in conjunction with a setting applied to all vhosts that we define in nginx.conf, so that every site serves /.well-known/acme-challenge/ from that shared folder.
check remotely that you are well known on the clear-text web
from your workstation
curl -I http://pub.nethence.com/.well-known/acme-challenge/ok.txt
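As an added example (not code from the original page): the nginx side of the shared folder and a checker for the remote test above, as one shell script. It writes the location block to include in every server {} (the include path /etc/nginx/acme-wellknown.conf is an assumption), then walks /etc/dehydrated/domains.txt, parsed in dehydrated's own format, and fetches ok.txt over plain HTTP for every name the way the CA will; wildcard entries are reported separately, since http-01 cannot validate them.

```shell
#!/bin/sh
# Added example, not from the original page. Paths follow the page
# (WELLKNOWN=/var/www/dehydrated, ok.txt marker); the include path given
# to write_acme_snippet is whatever you pick, e.g. /etc/nginx/acme-wellknown.conf.

WELLKNOWN_DIR=/var/www/dehydrated
WELLKNOWN_PATH=/.well-known/acme-challenge

# Write the location block to include from every server {}. "^~" stops a
# later regex location (e.g. one for PHP) from capturing the challenge URL;
# alias needs the trailing slash because the location has one too.
write_acme_snippet() {
  cat > "$1" <<EOF
location ^~ ${WELLKNOWN_PATH}/ {
    alias ${WELLKNOWN_DIR}/;
    default_type "text/plain";
}
EOF
}

# Print one hostname per line from a dehydrated domains.txt read on stdin.
# Format (docs/examples/domains.txt): one certificate per line, CN first then
# altnames, optional "> alias" naming the output directory, "#" lines ignored.
# Wildcards go to stderr: http-01 cannot validate them, only dns-01 can.
domains_txt_hosts() {
  set -f                                  # a "*.example.org" entry must not glob
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%>*}"                    # drop "> alias", it is not a hostname
    set -- $line                          # word-split into CN and altnames
    [ $# -eq 0 ] && continue              # blank line
    case "$1" in '#'*) continue ;; esac   # comment line
    for name in "$@"; do
      case "$name" in
        "*."*) printf 'skipping %s: http-01 cannot validate a wildcard, use dns-01\n' "$name" >&2 ;;
        *)     printf '%s\n' "$name" ;;
      esac
    done
  done
  set +f
}

# Probe one name over plain HTTP. The CA follows redirects (a site that
# forces https is fine) but the final answer must be a 200 with the token.
probe_wellknown() {
  code="$(curl -s -L --max-time 15 -o /dev/null -w '%{http_code}' \
            "http://$1${WELLKNOWN_PATH}/ok.txt" 2>/dev/null)" || code=000
  printf '%s %s\n' "$code" "$1"
  [ "$code" = 200 ]
}

# Probe every name in a domains.txt; exit status is non-zero if any failed.
check_all() {
  rc=0
  for host in $(domains_txt_hosts < "$1"); do
    probe_wellknown "$host" || rc=1
  done
  return "$rc"
}

# usage: sh check-wellknown.sh /etc/dehydrated/domains.txt
if [ $# -eq 1 ]; then check_all "$1"; fi
```

Run it from the workstation, not the server, so the test goes through the same path (DNS, firewall, any reverse proxy) that the CA's validator uses.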
cd /root/
wget https://raw.githubusercontent.com/sebastiansterk/dns-01-manual/master/hook.sh
chmod +x hook.sh
vi /etc/dehydrated/config-dns01

IP_VERSION=4
CA="letsencrypt"
CHALLENGETYPE="dns-01"
DOMAINS_TXT="${BASEDIR}/domains-dns01.txt"
HOOK=/root/hook.sh
CONTACT_EMAIL=...
accept the terms and attempt to get your CSR signed
dehydrated --register --accept-terms
find /etc/dehydrated/accounts/
cd /etc/ssl/
note that dehydrated's default key algorithm is secp384r1 in current releases, not RSA: to get the RSA certificate we want as the default one, set
KEY_ALGO=rsa
in the config (or pass --algo rsa on the command line); the ECC certificate is then requested with --algo and a separate --out directory.
dealing with http-01
vi /etc/dehydrated/domains.txt

# one line per certificate: the CN first, then the SANs; use separate lines for separate certificates
DOMAIN.TLD HOST.DOMAIN.TLD OTHERDOMAIN.TLD

mkdir -p /etc/dehydrated/certs/ECC/
dehydrated --cron
dehydrated --cron --algo prime256v1 --out /etc/dehydrated/certs/ECC
dehydrated --cleanup
dealing with dns-01
vi /etc/dehydrated/domains-dns01.txt

# the "> alias" names the output directory, since "*" is no good in a path;
# a wildcard does not cover the bare DOMAIN.TLD, add it on the same line if you need it
*.DOMAIN.TLD > DOMAIN_TLD

mkdir -p /etc/dehydrated/certs/ECC/
dehydrated --config /etc/dehydrated/config-dns01 --cron
dehydrated --config /etc/dehydrated/config-dns01 --cron --algo secp384r1 --out /etc/dehydrated/certs/ECC
dehydrated --config /etc/dehydrated/config-dns01 --cleanup
and edit your zone accordingly when the manual hook shows you the _acme-challenge TXT record to add.
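As an added example, and not the page's hook.sh nor dehydrated's own example hook: a dns-01 hook that still publishes the record by hand, but then polls the authoritative nameservers until every one of them serves the new TXT value, so the hook cannot return (and the CA cannot query) before the zone is live. publish_txt and unpublish_txt are the two functions to swap for a DNS provider API; dig is assumed to be installed.

```shell
#!/bin/sh
# Added example hook for config-dns01 (not the page's hook.sh).
# dehydrated's hook interface (docs/examples/hook.sh):
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE [...]
# (several triples in one call with HOOK_CHAIN="yes"); TOKEN_FILENAME only
# matters for http-01, for dns-01 the TXT value is TOKEN_VALUE.

# TXT record name for a domain. For a wildcard entry the name validated is
# the base domain, so a leading "*." is stripped in case the hook gets it.
acme_txt_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Authoritative nameservers of the closest enclosing zone of a name.
authoritative_ns() {
  z="$1"
  while [ -n "$z" ]; do
    ns="$(dig +short NS "$z")"
    if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
    case "$z" in *.*) z="${z#*.}" ;; *) return 1 ;; esac
  done
  return 1
}

# Poll each authoritative server (not the local resolver, whose negative
# cache would lie to us) until all of them serve the expected TXT value.
wait_for_txt() {
  name="$1" value="$2" tries="${3:-30}"
  servers="$(authoritative_ns "${name#_acme-challenge.}")" || return 1
  while [ "$tries" -gt 0 ]; do
    missing=0
    for ns in $servers; do
      dig +short TXT "$name" "@$ns" | grep -qF "\"$value\"" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    sleep 10
    tries=$((tries - 1))
  done
  echo "TXT $name with the new value never showed up on: $servers" >&2
  return 1
}

# Manual publication, like the page's hook: replace the body of these two
# with your DNS provider's API call.
publish_txt() {
  printf '\nAdd this record to the zone and reload it, then press Enter:\n  %s. 60 IN TXT "%s"\n' "$1" "$2"
  read -r _ack
}

unpublish_txt() {
  printf '\nYou can now remove:\n  %s. IN TXT "%s"\n' "$1" "$2"
}

deploy_challenge() {
  while [ $# -ge 3 ]; do
    name="$(acme_txt_name "$1")"
    publish_txt "$name" "$3"
    # bail out rather than let the CA look up a record that is not there yet
    wait_for_txt "$name" "$3" || exit 1
    shift 3
  done
}

clean_challenge() {
  while [ $# -ge 3 ]; do
    unpublish_txt "$(acme_txt_name "$1")" "$3"
    shift 3
  done
}

case "${1:-}" in
  deploy_challenge) shift; deploy_challenge "$@" ;;
  clean_challenge)  shift; clean_challenge "$@" ;;
  *) : ;;   # deploy_cert, unchanged_cert, startup_hook, exit_hook...: nothing to do
esac
```

Point HOOK= in config-dns01 at this file instead of the downloaded hook.sh; the TTL of 60 in the printed record keeps the cleanup cheap once the challenge is done.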
You are now ready to use those CA-signed certs with e.g. NGINX, Postfix and Dovecot.
DON’T FORGET TO RELOAD THE DAEMONS E.G.
reload is enough for all three: nginx re-reads the certificate files on reload, postfix reload has the smtpd processes restart and pick them up, and dovecot reload re-reads its configuration, certificates included.
vi /root/RELOAD-SSL

#!/bin/bash
# nginx -s reload silently keeps the old config if the new one is broken, -t makes that visible
/usr/local/sbin/nginx -t && /usr/local/sbin/nginx -s reload && echo nginx reloaded
/usr/sbin/postfix reload && echo postfix reloaded
/usr/sbin/dovecot reload && echo dovecot reloaded

chmod +x /root/RELOAD-SSL
and simply run the thing in a cron job ONCE A WEEK (the dns-01 certificate stays out of it: with a manual hook it cannot renew unattended)
# not sure at what time this is executed
#vi /etc/cron.weekly/dehydrated
vi /root/WEEKLY

...
/usr/local/bin/dehydrated --cron --keep-going && /root/RELOAD-SSL
/usr/local/bin/dehydrated --cron --keep-going --algo prime256v1 --out /etc/dehydrated/certs/ECC && /root/RELOAD-SSL
# --cleanup
# --force
choose a nice time of yours and don't tell anyone (just in case somebody is doing something nasty with the network…)
crontab -e

XX X * * 0 /root/WEEKLY 2>&1
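As an added example (not the page's WEEKLY script): the same two renewal runs, but the daemons are reloaded only when a fullchain.pem actually changed (dehydrated --cron touches nothing while a certificate is more than RENEW_DAYS from expiry), and nginx's configuration is tested before the reload is sent. The state directory /var/lib/dehydrated-reload, where the last-seen digests live, is an assumption.

```shell
#!/bin/sh
# Added example, not the page's own WEEKLY. Certificate layout follows the
# page (/etc/dehydrated/certs and /etc/dehydrated/certs/ECC); STATE_DIR is
# an assumed path and can be overridden from the environment.
set -u
DEHYDRATED=/usr/local/bin/dehydrated
CERTDIR=/etc/dehydrated/certs
STATE_DIR="${STATE_DIR:-/var/lib/dehydrated-reload}"

# Return 0, and remember the new digest, if FILE differs from the last run;
# a file never seen before counts as changed, an unreadable one as unchanged.
cert_changed() {
  file="$1"
  [ -r "$file" ] || return 1
  state="$STATE_DIR/$(printf '%s' "$file" | tr / _).sha256"
  new="$(sha256sum < "$file")"
  if [ -r "$state" ] && [ "$(cat "$state")" = "$new" ]; then
    return 1
  fi
  mkdir -p "$STATE_DIR" && printf '%s\n' "$new" > "$state"
}

reload_daemons() {
  # nginx -s reload silently keeps the old config if the new one is broken;
  # -t makes that visible and stops the chain instead
  /usr/local/sbin/nginx -t && /usr/local/sbin/nginx -s reload && echo nginx reloaded
  /usr/sbin/postfix reload && echo postfix reloaded
  /usr/sbin/dovecot reload && echo dovecot reloaded
}

# Renew the RSA set and the ECC set, then reload once if anything changed.
renew_and_reload() {
  "$DEHYDRATED" --cron --keep-going
  "$DEHYDRATED" --cron --keep-going --algo prime256v1 --out "$CERTDIR/ECC"
  changed=0
  for f in "$CERTDIR"/*/fullchain.pem "$CERTDIR"/ECC/*/fullchain.pem; do
    cert_changed "$f" && changed=1
  done
  if [ "$changed" -eq 1 ]; then reload_daemons; fi
}

# crontab entry: XX X * * 0 /root/WEEKLY run
case "${1:-}" in run) renew_and_reload ;; esac
```

The digest is taken through the fullchain.pem symlink, so a renewal that only rotates the timestamped files behind it is still noticed, while a cron run that renewed nothing leaves the daemons alone.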
dealing with a self-made key and CSR (e.g. another curve)? sign the existing CSR with
dehydrated --signcsr "$domain.csr" --full-chain > "$domain.crt"
Dehydrated: a bash client for Let’s Encrypt https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/
WELLKNOWN https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md
WELLKNOWN documentation gives conflicting statements #193 https://github.com/lukas2511/dehydrated/issues/193
Dehydrated and Let's Encrypt https://sysadmin.pm/dehydrated-letsencrypt/
I can not renew a certificate (dehydrated) https://community.letsencrypt.org/t/i-can-not-renew-a-certificate-dehydrated/77487
https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/domains.txt
https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md
https://github.com/dehydrated-io/dehydrated/wiki
https://community.letsencrypt.org/t/dns-01-problem-with-dehydrated/116338
https://www.aaflalo.me/2017/02/lets-encrypt-with-dehydrated-dns-01/
https://blog.znedw.com/lets-encrypt-wildcard-nsd.html