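# Keep the packaged config as a reference (plus a comment-free copy of it) and
# write the live config from scratch with only the settings we actually need.
cd /etc/dehydrated/
mv -i config config.dist
grep -vE '^#|^$' config.dist > config.clean
# new file
vi config

# --- /etc/dehydrated/config -------------------------------------------------
# Read as shell-style VAR=value assignments.
# Pick exactly ONE BASEDIR (the original listing had both active, so the second
# one silently won). It holds the ACME account key and every certificate's
# private key, so it has to stay root-owned and not world-readable.
# debian/ubuntu
BASEDIR=/var/lib/dehydrated
# rhel & from source
#BASEDIR=/etc/dehydrated
CONTACT_EMAIL=...
# HTTP-01 is validated over plain HTTP on port 80; forcing IPv4 is useful when
# the name also has an AAAA record that does not answer on port 80
IP_VERSION=4
# Production endpoint: it is rate-limited, so do first runs against staging
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
DOMAINS_TXT="/etc/dehydrated/domains-http01"
# Shared web root that every vhost aliases /.well-known/acme-challenge/ to;
# dehydrated drops the challenge tokens here
WELLKNOWN="/var/www/dehydrated"
#WELLKNOWN="/var/www/html/.well-known/acme-challenge"
# those are defined at run-time (--algo / --out on the dehydrated --cron calls),
# which lets one setup keep a certificate tree per key algorithm
#KEY_ALGO=prime256v1
#KEY_ALGO=secp384r1
#KEY_ALGO=rsa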
Request certificates for both the bare domain itself and a host under it:
vi /etc/dehydrated/domains-http01
# Names that share a line end up in ONE certificate: the first is the CN, the
# following ones become SANs. Use separate lines for separate certificates.
DOMAIN.TLD HOST.DOMAIN.TLD
Prepare the shared web root that every vhost will serve HTTP-01 challenge tokens from:
# Shared web root for HTTP-01 tokens (WELLKNOWN in the dehydrated config).
# dehydrated writes here as root; nginx only reads, so its worker user needs
# nothing more than read access to this tree. ok.txt is a static probe file
# used by the remote reachability check further down.
mkdir -p /var/www/dehydrated/
printf 'ok\n' > /var/www/dehydrated/ok.txt
# alternative: serve the challenge directory straight out of the default docroot
#mkdir -p /var/www/html/.well-known/acme-challenge/
#printf 'ok\n' > /var/www/html/.well-known/acme-challenge/ok.txt
Add this location to every vhost (the port-80 server block) that serves a name listed in domains-http01:
# deal with http-01 challenges (no http2 there)
# ^~ : prefix match that also wins over regex locations, so a catch-all
#      HTTPS redirect or a PHP/app handler in the same server cannot capture
#      the challenge path. NOTE(review): a `return 301` placed directly in the
#      server block runs before location matching and would still redirect;
#      keep such redirects inside `location /` — verify against your vhost.
location ^~ /.well-known/acme-challenge/ {
    # tokens are bare text; serve them with a fixed, harmless type
    default_type "text/plain";
    # trailing slash matters: location and alias must BOTH end in "/". With a
    # slash-less prefix, alias appends whatever follows the matched prefix, so
    # a request like /.well-known/acme-challenge../ would escape to the parent
    # directory (the classic nginx alias traversal).
    alias /var/www/dehydrated/;
}
Test the configuration and apply it:
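# Only reload when the config test passes: chaining with && makes the guard
# explicit, instead of relying on the reader to stop after a failed nginx -t.
nginx -t && nginx -s reload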
Check from outside that the challenge path is reachable over plain HTTP (port 80), since that is exactly what the CA's validators will fetch:
from a remote workstation
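# Run this from outside the server's own network: HTTP-01 is validated by the
# CA fetching http://<name>/.well-known/acme-challenge/<token> from the public
# internet, so port 80 must be reachable from there, not merely from the LAN.
# Expansions are quoted so a stray space or glob in $domain cannot split the
# command line.
domain=...
# DNS as seen from here
host "$domain"
# is port 80 open at all?
nmap -p 80 "$domain"
# the probe file written earlier; expect a 200 with body "ok"
curl -i "http://$domain/.well-known/acme-challenge/ok.txt"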
Register an ACME account (accepting the CA's terms of service) and check that the account key was created:
# One-time account registration. The account's private key lands under
# BASEDIR/accounts/ and is what authenticates every later request to the CA,
# so that directory must remain root-only. The path below matches the
# rhel / from-source layout; with BASEDIR=/var/lib/dehydrated (debian/ubuntu)
# look under /var/lib/dehydrated/accounts/ instead.
dehydrated --register --accept-terms
find /etc/dehydrated/accounts/ -print
Issue the certificates over HTTP-01, keeping one certificate tree per key algorithm:
# Sign/renew (--cron) everything listed in DOMAINS_TXT, once per key algorithm.
# --algo/--out override KEY_ALGO from the config so each algorithm gets its own
# certificate tree and a vhost can pick the one it wants.
# debian/ubuntu & freebsd
certs=/var/lib/dehydrated/certs
# rhel
#certs=/etc/dehydrated/certs
for algo in prime256v1 secp384r1; do
  dehydrated --cron --algo "$algo" --out "$certs/$algo"
done
# rsa only if some legacy client still needs it
#dehydrated --cron --algo rsa --out "$certs/RSA"
# shared: archive superseded certificate files (see dehydrated --help)
dehydrated --cleanup