Updated: 12 March 2018
Let’s Encrypt is the free SSL certificate authority. Dehydrated, formerly letsencrypt.sh, is a bash script that can run as an unprivileged user and automate the process of getting SSL certs from Let’s Encrypt. Here’s how you can use Dehydrated on Debian Jessie (Debian 8).
You can install Dehydrated from the Jessie backport repos. So first you have to add the backports repo to your apt sources.list.d directory (/etc/apt/sources.list.d). Create a file named backports.list there and add this to it:
    deb http://ftp.debian.org/debian jessie-backports main
Then update apt-get and install Dehydrated:
    apt-get update && apt-get install dehydrated
The dehydrated configuration directory is /etc/dehydrated. You can add the domains you want to generate certs for in /etc/dehydrated/domains.txt. One line for each cert you want to generate:
    example.com www.example.com
    example.net www.example.net
    example.de www.example.de sub.example.de
Then create a configuration file in /etc/dehydrated/conf.d/ named config.sh. Customize the following variables in it:
- BASEDIR – The directory where the certs and account keys are generated. The certs and their private keys end up in domain-specific directories under $BASEDIR/certs/, for example $BASEDIR/certs/example.com/.
- WELLKNOWN – To prove ownership of a domain you have to serve challenge response files under that domain name. This variable is the directory where dehydrated writes those files. Your webserver has to serve them under the /.well-known/acme-challenge/ URL, for example example.com/.well-known/acme-challenge/somethingortheother. So this directory has to be under the document root, or aliased in your webserver config so that it appears to be under the document root.
- CONTACT_EMAIL – An email address used when registering with the Let’s Encrypt servers. Let’s Encrypt may contact you at this address to warn you about expiring certificates.
- RENEW_DAYS – If a certificate expires in fewer than this many days, dehydrated renews it right away. This should be at least the interval between cron job runs, so I suggest setting it to 31. The default is 30, which is not enough with a monthly cron job, because that job always runs on the 1st of the month regardless of how many days the month has.
The BASEDIR and WELLKNOWN directories have to be writable by whatever user you use to run dehydrated.
Here’s an example config.sh file:
    BASEDIR="/var/letsencrypt/"
    WELLKNOWN="/var/www/html/.well-known/acme-challenge"
    CONTACT_EMAIL="admin@example.com"
Now if you run /usr/bin/dehydrated it will generate account keys, register an account with letsencrypt.org, request SSL certs, respond to challenge requests and then place the certs in BASEDIR/certs/{yourdomain}/.
To make your webserver actually use the certs you have to point it to the symlinks in $BASEDIR/certs/{yourdomain}:
- cert.pem – your certificate
- privkey.pem – the private key
- chain.pem – The certificate chain
- fullchain.pem – cert.pem and chain.pem concatenated into one file
For example, if you are using nginx you would configure it like so (assuming $BASEDIR is /var/letsencrypt/):
    ssl_certificate /var/letsencrypt/certs/example.com/fullchain.pem;
    ssl_certificate_key /var/letsencrypt/certs/example.com/privkey.pem;
Automating cert renewal
To automate the renewal of these certs you have to do two things. You have to run dehydrated to actually renew the certs and then you have to instruct your webserver to use the new certs because Nginx, for instance, won’t use the new certs until you tell it to reload its configuration files.
So as root let’s create a script for the cronjob at /etc/cron.monthly/dehydrated:
    #!/bin/bash
    # renew as the unprivileged user that owns BASEDIR and WELLKNOWN
    sudo -u username /usr/bin/dehydrated -c
    # make nginx pick up the new certs
    service nginx reload
Make the file executable with chmod +x.
That’s it! It now runs once a month and renews any cert that has fewer days left than RENEW_DAYS (31 if you set it as suggested).
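A more careful version of that cron script, added here as an example and not the post’s own: it reloads nginx only when dehydrated actually installed a new certificate (so a failed run cannot leave nginx reloaded onto stale files), refuses to continue if any private key under BASEDIR is readable by other users, and runs nginx -t before the reload. It assumes the BASEDIR and the placeholder user name from the post, and GNU find/coreutils as found on Debian.

```bash
#!/bin/bash
# /etc/cron.monthly/dehydrated: added example, not the original post's script.
# Assumptions: BASEDIR matches /etc/dehydrated/conf.d/config.sh, "username" is
# the unprivileged user that owns BASEDIR, and nginx is the web server.
set -u
DEHYDRATED_USER="username"
BASEDIR="/var/letsencrypt"

# One sha256 line per fullchain.pem under $1/certs. sha256sum reads through the
# symlink, so the fingerprint changes whenever dehydrated installs a new cert.
cert_fingerprint() {
  find "$1/certs" -name fullchain.pem -print0 2>/dev/null | sort -z | xargs -0r sha256sum
}

# True (exit 0) when two fingerprints differ, i.e. the web server needs a reload.
certs_changed() {
  [ "$1" != "$2" ]
}

# True when no privkey.pem target under $1/certs is readable by group or others.
private_keys_locked_down() {
  local bad
  bad=$(find -L "$1/certs" -name privkey.pem -perm /077 2>/dev/null)
  [ -z "$bad" ] || { echo "private key readable by others: $bad" >&2; return 1; }
}

renew() {
  local before after
  before=$(cert_fingerprint "$BASEDIR")
  sudo -u "$DEHYDRATED_USER" /usr/bin/dehydrated -c || { echo "dehydrated failed" >&2; return 1; }
  after=$(cert_fingerprint "$BASEDIR")
  private_keys_locked_down "$BASEDIR" || return 1
  if certs_changed "$before" "$after"; then
    nginx -t && service nginx reload   # only reload on a config that parses
  else
    echo "no certificate changed; nginx not reloaded"
  fi
}

# Run only when executed under the cron script's name, so the functions above
# can be sourced from a shell and checked without touching the live server.
case "$(basename -- "$0")" in dehydrated) renew ;; esac
```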