Dehydrated is a client for signing certificates with an ACME server (e.g. Let's Encrypt), implemented as a relatively simple (zsh-compatible) bash script. This client supports both ACME v1 and the newer ACME v2, including support for wildcard certificates!
It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.
Other dependencies are: cURL, sed, grep, awk, mktemp (all found pre-installed on almost any system, cURL being the only exception).
Current features:
- Signing of a list of domains (including wildcard domains!)
- Signing of a custom CSR (either standalone or completely automated using hooks!)
- Renewal if a certificate is about to expire or the defined set of domains changed
- Certificate revocation
- and lots more.
Please keep in mind that this software, the ACME protocol and all supported CA servers out there are relatively young and may still have some bugs. Feel free to report any issues you find with this script or contribute by submitting a pull request, but please check for duplicates first (feel free to comment on those to get things rolling).
Getting started
For getting started I recommend taking a look at docs/domains_txt.md, docs/wellknown.md and the Usage section on this page (you'll probably only need the -c option).
Generally you want to set up your WELLKNOWN path first, and then fill in domains.txt.
Please note that you should use the staging URL when experimenting with this script so you do not hit Let's Encrypt's rate limits. See docs/staging.md
If you have any problems take a look at our Troubleshooting guide.
Config
dehydrated looks for a config file in a few different places and uses the first one it can find, in this order:
- /etc/dehydrated/config
- /usr/local/etc/dehydrated/config
- The current working directory of your shell
- The directory from which dehydrated was run
Take a look at docs/examples/config to get started, copy it to e.g. /etc/dehydrated/config
and edit it to fit your needs.
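The following is an added example, not part of dehydrated itself: a small pre-flight script for the "Getting started" steps and the config lookup order above. It reproduces the documented config search order as a function, writes a staging config (Let's Encrypt's published staging directory URL) plus a WELLKNOWN directory and domains.txt into a scratch directory, and checks each domains.txt line against the configured CHALLENGETYPE, since a wildcard entry can only be validated with dns-01. The function names, the example.com entries and the scratch-directory layout are assumptions made for this example; the config variable names (CA, CHALLENGETYPE, WELLKNOWN, DOMAINS_TXT, CONTACT_EMAIL) are the ones from docs/examples/config.

```shell
#!/usr/bin/env bash
# Added example (not dehydrated's own code): pre-flight checks before "dehydrated -c".
set -u
set -f   # disable globbing so "*.example.com" is never expanded against the filesystem

# Mirror dehydrated's config lookup: the first directory containing a file
# named "config" wins. Real order: /etc/dehydrated, /usr/local/etc/dehydrated,
# the shell's working directory, the directory dehydrated was run from.
# Usage: find_dehydrated_config DIR...   (prints the path, returns 1 if none)
find_dehydrated_config() {
  local dir
  for dir in "$@"; do
    if [ -f "$dir/config" ]; then
      printf '%s\n' "$dir/config"
      return 0
    fi
  done
  return 1
}

# Write a staging config into DIR so experiments do not count against
# production rate limits. $2 is the challenge type (default http-01).
write_staging_config() {
  local dir="$1" challenge="${2:-http-01}"
  mkdir -p "$dir/wellknown"
  cat > "$dir/config" <<EOF
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="$challenge"
WELLKNOWN="$dir/wellknown"
DOMAINS_TXT="$dir/domains.txt"
CONTACT_EMAIL="admin@example.com"
EOF
}

# Validate domains.txt against the challenge type in CONFIG.
# domains.txt format: one certificate per line, names separated by spaces,
# first name is the primary name, "> alias" optionally names the cert directory.
# Prints one "line N: reason" per problem and returns 1 if any were found.
check_domains_txt() {
  local config="$1" domains="$2" challenge lineno=0 problems=0 line names n
  challenge=$(sed -n 's/^CHALLENGETYPE=//p' "$config" | tr -d '"')
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line="${line%%#*}"                          # strip trailing comments
    line="${line#"${line%%[![:space:]]*}"}"     # strip leading whitespace
    [ -z "$line" ] && continue
    case "$line" in
      *">"*) names="${line%%>*}" ;;             # drop the "> alias" part
      *)     names="$line" ;;
    esac
    for n in $names; do
      case "$n" in
        \*.*)
          if [ "$challenge" != "dns-01" ]; then
            printf 'line %d: wildcard %s needs CHALLENGETYPE=dns-01 (configured: %s)\n' \
              "$lineno" "$n" "$challenge"
            problems=$((problems + 1))
          fi ;;
        *\**)
          printf 'line %d: %s is not a valid wildcard (only a leading "*." is allowed)\n' \
            "$lineno" "$n"
          problems=$((problems + 1)) ;;
      esac
    done
  done < "$domains"
  [ "$problems" -eq 0 ]
}

# Example run (constructed data): a plain cert and a wildcard cert with an alias.
demo() {
  local scratch
  scratch=$(mktemp -d)
  write_staging_config "$scratch" http-01
  printf 'example.com www.example.com\n*.example.com example.com > wild\n' > "$scratch/domains.txt"
  echo "config in use: $(find_dehydrated_config /etc/dehydrated /usr/local/etc/dehydrated "$PWD" "$scratch")"
  check_domains_txt "$scratch/config" "$scratch/domains.txt" && echo "domains.txt OK" || echo "fix domains.txt or config first"
}
```

Run `demo` (or source the file and call the functions on your real config and domains.txt) before the first `./dehydrated -c`; with CHALLENGETYPE set to http-01 the wildcard line is reported, with dns-01 (and a hook script for the DNS records) the check passes.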
Usage:
Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...
Default command: help
Commands:
--version (-v) Print version information
--display-terms Display current terms of service
--register Register account key
--account Update account contact information
--cron (-c) Sign/renew non-existent/changed/expiring certificates.
--signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage)
--revoke (-r) path/to/cert.pem Revoke specified certificate
--deactivate Deactivate account
--cleanup (-gc) Move unused certificate files to archive directory
--cleanup-delete (-gcd) Deletes (!) unused certificate files
--help (-h) Show help text
--env (-e) Output configuration variables for use in other scripts
Parameters:
--accept-terms Accept CAs terms of service
--full-chain (-fc) Print full chain when using --signcsr
--ipv4 (-4) Resolve names to IPv4 addresses only
--ipv6 (-6) Resolve names to IPv6 addresses only
--domain (-d) domain.tld Use specified domain name(s) instead of domains.txt entry (one certificate!)
--ca url/preset Use specified CA URL or preset
--alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
--force (-x) Force certificate renewal even if it is not due to expire within RENEW_DAYS
--force-validation Force revalidation of domain names (used in combination with --force)
--no-lock (-n) Don't use lockfile (potentially dangerous!)
--lock-suffix example.com Suffix lockfile name with a string (useful for with -d)
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
--privkey (-p) path/to/key.pem Use specified private key instead of account key (useful for revocation)
--domains-txt path/to/domains.txt Use specified domains.txt instead of default/configured one
--config (-f) path/to/config Use specified config file
--hook (-k) path/to/hook.sh Use specified script for hooks
--preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN
--out (-o) certs/directory Output certificates into the specified directory
--alpn alpn-certs/directory Output alpn verification certificates into the specified directory
--challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
--algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
Chat
Dehydrated has an official IRC channel #dehydrated
on libera.chat that can be used for general discussion and support.
The channel can also be accessed via Matrix using the official libera.chat bridge at #dehydrated:libera.chat