Let’s Encrypt Dehydrated on Debian Jessie

Updated: 12 March 2018

Let’s Encrypt is the free SSL certificate authority. Dehydrated, formerly letsencrypt.sh, is a bash script that can run as an unprivileged user and automate the process of getting SSL certs from Let’s Encrypt. Here’s how you can use Dehydrated on Debian Jessie (Debian 8).

You can install Dehydrated from the Jessie backport repos. So first you have to add the backports repo to your apt sources.list.d directory (/etc/apt/sources.list.d). Create a file named backports.list there and add this to it:

deb http://ftp.debian.org/debian jessie-backports main

Then update apt-get and install Dehydrated:

apt-get update && apt-get install dehydrated

The dehydrated configuration directory is /etc/dehydrated. You can add the domains you want to generate certs for in /etc/dehydrated/domains.txt. One line for each cert you want to generate:

example.com www.example.com 
example.net www.example.net
example.de www.example.de sub.example.de 

Then create a configuration file in /etc/dehydrated/conf.d/ named config.sh. Customize the following variables in it:

  • BASEDIR – The directory where the certs and account keys are generated. The certs and cert private keys will be in be domain specific directories under $BASEDIR/certs/. For example $BASEDIR/certs/example.com/.
  • WELLKNOWN – To verify ownership of domains you have to serve challenge response files under that domain name. This variable corresponds to the directory where those challenge response files are generated. Your webserver will have to serve these files under the /.well-known/acme-challenge/ URL. For example example.com/.well-known/acme-challenge/somethingortheother. So this directory has to be under the document root or aliased in your webserver config so that it looks like it is under the document root.
  • CONTACT_EMAIL – An Email address that is used when registering with Let’s Encrypt servers. Let’s Encrypt may contact you on this address to inform you about expiring certificates.
  • RENEW_DAYS – If the certificate is going to expire in less than this number of days dehydrated will renew it right away. Basically this should be the length of time between cron job runs so I suggest setting it to 31. The default is 30 which is not going to suffice if you use a monthly cron job because that will always run on the 1st of the month regardless of the number of days in the month.

The base and wellknown directories have to be writeable by whatever user you are using to run dehydrated.

Here’s an example config.sh file:


Now if you run /usr/bin/dehydrated it will generate account keys, register an account with letsencrypt.org, request SSL certs, respond to challenge requests and then place the certs in BASEDIR/certs/{yourdomain}/.

To make your webserver actually use the certs you have to point it to the symlinks in $BASEDIR/cert/{yourdomain}:

  • cert.pem – your certificate
  • privkey.pem – the private key
  • chain.pem – The certificate chain
  • fullchain.pem – chain.pem + cert.pem.

For example if you are using nginx you would configure it like so:

ssl_certificate /var/letsencrypt/certs/example.com/fullchain.pem;
ssl_certificate_key /var/letsencrypt/certs/example.com/privkey.pem;

Assuming $BASEDIR is /var/letsencrypt/

Automating cert renewal

To automate the renewal of these certs you have to do two things. You have to run dehydrated to actually renew the certs and then you have to instruct your webserver to use the new certs because Nginx, for instance, won’t use the new certs until you tell it to reload its configuration files.

So as root let’s create a script for the cronjob at /etc/cron.monthly/dehydrated:

sudo -u username /usr/bin/dehydrated -c 
service nginx reload

chmod +x this file.

That’s it! Now it should run once a month and renew the certs if there is less than 31 days to their expiration.

2 thoughts on “Let’s Encrypt Dehydrated on Debian Jessie

Leave a Reply

Your email address will not be published. Required fields are marked *