ACME HTTP-01 challenge with dehydrated


setup

note: BASEDIR is usually /var/lib/dehydrated on debian/ubuntu systems, while it is /etc/dehydrated on rhel and when installed from source. we use the latter here anyhow for consistency (and it is easier to share as a docker volume).

vi config-http01

BASEDIR=/etc/dehydrated
CONTACT_EMAIL=...

IP_VERSION=4
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
DOMAINS_TXT="/etc/dehydrated/domains-http01"
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"

# those are defined at run-time
#KEY_ALGO=prime256v1
#KEY_ALGO=secp384r1
#KEY_ALGO=rsa

list the names to get certificates for: both the domain itself and some host within it (one line per certificate)

vi /etc/dehydrated/domains-http01

DOMAIN.TLD
HOST.DOMAIN.TLD

prepare the shared folder for HTTP-01 challenges

mkdir -p /var/www/dehydrated/
echo ok > /var/www/dehydrated/ok.txt
#mkdir -p /var/www/html/.well-known/acme-challenge/
#echo ok > /var/www/html/.well-known/acme-challenge/ok.txt

this location block goes into every vhost (server block) that answers on port 80 for those names

    # deal with http-01 challenges (no http2 there)
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # trailing slash matters
        alias /var/www/dehydrated/;
    }

apply

nginx -t
nginx -s reload

check remotely that you are well known on the clear-text web

from a remote workstation

domain=...
host $domain
nmap -p 80 $domain
curl -i http://$domain/.well-known/acme-challenge/ok.txt
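the remote curl above only proves the path is served; the following added pre-flight script (example code written for this guide, not part of dehydrated) checks the local side before the first `--cron` run: it sources the config file, verifies CHALLENGETYPE, BASEDIR, WELLKNOWN and DOMAINS_TXT, rejects names that cannot be ordered over http-01 (wildcards, underscores), and writes and reads back a throw-away token in WELLKNOWN the way dehydrated will during a challenge. the config path and domain names used are constructed for the demonstration.

```shell
#!/bin/sh
# pre-flight check for a dehydrated http-01 setup (added example, not dehydrated's own code)
set -u

# check_domain NAME -> 0 if NAME is a plain hostname usable in an http-01 order
# (no wildcards, no underscores, label <= 63 chars, alphabetic TLD)
check_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# preflight CONFIG -> 0 when CONFIG is sane for http-01, 1 otherwise; prints each problem found
preflight() {
    cfg=$1
    [ -r "$cfg" ] || { echo "config not readable: $cfg"; return 1; }
    # drop values from a previous run, then source the config (dehydrated configs are sh assignments)
    unset BASEDIR CHALLENGETYPE WELLKNOWN DOMAINS_TXT
    . "$cfg"
    rc=0
    [ "${CHALLENGETYPE:-}" = "http-01" ] \
        || { echo "CHALLENGETYPE must be http-01 (got '${CHALLENGETYPE:-unset}')"; rc=1; }
    [ -d "${BASEDIR:-}" ] \
        || { echo "BASEDIR does not exist: ${BASEDIR:-unset}"; rc=1; }
    [ -d "${WELLKNOWN:-}" ] && [ -w "${WELLKNOWN:-}" ] \
        || { echo "WELLKNOWN missing or not writable: ${WELLKNOWN:-unset}"; rc=1; }
    [ -r "${DOMAINS_TXT:-}" ] \
        || { echo "DOMAINS_TXT not readable: ${DOMAINS_TXT:-unset}"; rc=1; }

    # one line per certificate: first word is the CN, the rest are SANs; blank lines and comments skipped
    if [ -r "${DOMAINS_TXT:-}" ]; then
        while read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            for name in $line; do
                lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
                check_domain "$lname" || { echo "not orderable over http-01: $name"; rc=1; }
            done
        done < "$DOMAINS_TXT"
    fi

    # simulate a challenge: drop a token into WELLKNOWN and read it back, as the alias will serve it
    if [ -d "${WELLKNOWN:-}" ] && [ -w "${WELLKNOWN:-}" ]; then
        token="preflight-$$"
        printf 'ok\n' > "$WELLKNOWN/$token" && [ "$(cat "$WELLKNOWN/$token")" = "ok" ] \
            || { echo "cannot write/read a token in $WELLKNOWN"; rc=1; }
        rm -f "$WELLKNOWN/$token"
    fi
    return $rc
}

# usage: preflight /etc/dehydrated/config-http01 && echo "ready for --cron"
```

run it as the same user that runs dehydrated, since the write test in WELLKNOWN is only meaningful with that user's permissions; a failing line names exactly which setting to fix before the CA is asked to validate anything.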

ready to go

accept the terms and attempt to get some CSR signed

dehydrated --config /etc/dehydrated/config-http01 --register --accept-terms
find /etc/dehydrated/accounts/

dealing with http-01

dehydrated --config /etc/dehydrated/config-http01 --cron --keep-going
# pass the same config so cleanup looks in the right BASEDIR
dehydrated --config /etc/dehydrated/config-http01 --cleanup

Licensed under MIT