Let’s Encrypt Dehydrated on Debian Jessie

Let’s Encrypt is a free, automated certificate authority. Dehydrated, formerly letsencrypt.sh, is a bash script that can run as an unprivileged user and automates obtaining TLS certificates from Let’s Encrypt over the ACME protocol. Here’s how to use Dehydrated on Debian Jessie.

Dehydrated is packaged in the Jessie backports repository, so first add backports to apt’s sources. Create a file named backports.list in /etc/apt/sources.list.d and put this in it:

deb http://ftp.debian.org/debian jessie-backports main

Then refresh the package lists and install Dehydrated; in Jessie backports the package still carries the old name:

apt-get update && apt-get install letsencrypt.sh

On Jessie the configuration directory is /etc/letsencrypt.sh. List the domains you want certificates for in /etc/letsencrypt.sh/domains.txt, one line per certificate. The first name on a line becomes the certificate’s primary name (and the name of its directory under BASEDIR/certs/); the remaining names go in as subject alternative names:

example.com www.example.com
example.net www.example.net
example.de www.example.de sub.example.de

Then create a configuration file named config.sh in /etc/letsencrypt.sh/conf.d/ and set the following variables in it:

  • BASEDIR – The directory where the account key and the certificates are generated. Each certificate and its private key end up in a domain-specific directory under $BASEDIR/certs/, for example $BASEDIR/certs/example.com/.
  • WELLKNOWN – To prove control of a name, Let’s Encrypt asks you to serve a challenge token under that name (the http-01 challenge). This variable is the directory where letsencrypt.sh writes those token files. Your web server must serve them over plain HTTP on port 80 at http://example.com/.well-known/acme-challenge/<token>, for every name on the domains.txt line, so the directory has to sit under the document root or be aliased into /.well-known/acme-challenge/ in every vhost concerned. If a vhost redirects HTTP to HTTPS, the redirect must preserve the path; Let’s Encrypt follows it.
  • CONTACT_EMAIL – An email address used when registering the account with Let’s Encrypt. Let’s Encrypt may use it to warn you about certificates that are about to expire.

Both directories must be writable by the user that runs letsencrypt.sh. BASEDIR holds the account key and every certificate’s private key, so keep it unreadable by other users (nginx reads the key files as root before dropping privileges). WELLKNOWN only has to be writable by that user and readable by the web server.

Here’s an example config.sh file:

BASEDIR="/var/letsencrypt/"
WELLKNOWN="/var/www/html/.well-known/acme-challenge"
CONTACT_EMAIL="admin@example.com"

Now run letsencrypt.sh -c. It generates an account key, registers the account with Let’s Encrypt using CONTACT_EMAIL, requests a certificate for each line in domains.txt, answers the http-01 challenges by writing tokens into WELLKNOWN, and places the results in BASEDIR/certs/{yourdomain}/. Let’s Encrypt certificates are valid for 90 days, and -c only renews those that are within RENEW_DAYS (30 by default) of expiry, so re-running it from cron is cheap. A monthly job is the minimum; a weekly one leaves more margin if a run fails:

@monthly /usr/bin/letsencrypt.sh -c
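Before the first run it is worth checking the two things that most often go wrong with this setup: directory permissions (private keys in BASEDIR, a writable WELLKNOWN) and whether the web server really serves files from WELLKNOWN at the URL the CA will fetch. The script below is an added example and not part of dehydrated or the Debian package; it defaults to the paths used in this write-up, and the token probe assumes curl is installed and the web server is reachable from the machine you run it on.

```shell
#!/bin/bash
# Pre-flight checks for the letsencrypt.sh/dehydrated setup described above.
# Added example, not part of dehydrated. Defaults are the paths used in this
# write-up; override any of them via the environment.
set -u

BASEDIR="${BASEDIR:-/var/letsencrypt}"
WELLKNOWN="${WELLKNOWN:-/var/www/html/.well-known/acme-challenge}"
DOMAINS_TXT="${DOMAINS_TXT:-/etc/letsencrypt.sh/domains.txt}"

# Every name in domains.txt, one per line; blank lines and '#' comments are
# skipped. The CA validates each of these names separately.
cert_names() {
    awk '!/^[ \t]*(#|$)/ { for (i = 1; i <= NF; i++) print $i }' "$1"
}

# URL the CA fetches for a name/token pair in an http-01 challenge: plain
# HTTP on port 80, no TLS involved yet.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Octal permission bits of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# 0 if the directory exists and the current user can write to it.
check_writable_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# 0 if the directory is writable and has no group/other permission bits.
# BASEDIR holds the account key and every certificate's private key.
check_private_dir() {
    check_writable_dir "$1" || return 1
    [ $(( 0$(mode_of "$1") & 077 )) -eq 0 ]
}

# Drop a random token into WELLKNOWN and fetch it the way the CA would, to
# prove the web server's alias/document-root wiring before contacting
# Let's Encrypt. Needs a reachable web server; only preflight() calls it.
probe_challenge_path() {
    local name="$1" token file body rc
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    file="$WELLKNOWN/$token"
    echo "$token" > "$file" || return 1
    body="$(curl -fsS --max-time 10 "$(challenge_url "$name" "$token")")"; rc=$?
    rm -f "$file"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Run all checks; exit status 0 only if everything passed.
preflight() {
    local ok=0 name
    check_private_dir "$BASEDIR" ||
        { echo "BASEDIR $BASEDIR: missing, unwritable, or readable by other users" >&2; ok=1; }
    check_writable_dir "$WELLKNOWN" ||
        { echo "WELLKNOWN $WELLKNOWN: missing or unwritable" >&2; ok=1; }
    for name in $(cert_names "$DOMAINS_TXT"); do
        probe_challenge_path "$name" ||
            { echo "$name: token not served at $(challenge_url "$name" '<token>')" >&2; ok=1; }
    done
    return "$ok"
}

# Only run the checks when invoked as: ./preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it as the same user the cron job will use (./preflight.sh run); a failing probe for a name means the CA’s validation for that name will fail in exactly the same way.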

To make your web server actually use the certificates, point it at the symlinks in $BASEDIR/certs/{yourdomain}/, which always refer to the newest files:

  • cert.pem – your certificate
  • privkey.pem – the private key
  • chain.pem – the intermediate certificate chain
  • fullchain.pem – cert.pem followed by chain.pem, which is what most servers want

For example, with BASEDIR set to /var/letsencrypt/ as above, nginx is configured like so:

ssl_certificate /var/letsencrypt/certs/example.com/fullchain.pem;
ssl_certificate_key /var/letsencrypt/certs/example.com/privkey.pem;

nginx reads these files once at startup, so after every renewal it has to be reloaded (service nginx reload) before the new certificate is served; otherwise the old one stays in use until it expires.
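Dehydrated can run a hook script at fixed points of a run; setting HOOK in config.sh to the script’s path makes it call the script with deploy_cert and the new file paths whenever a certificate is issued or renewed, which is the right place to reload nginx. The script below is an added example, not code shipped with dehydrated or the Debian package; the hook argument order (domain, key, cert, fullchain, chain, timestamp) is taken from the dehydrated hook interface, and CHECK_CMD/RELOAD_CMD are names introduced here so the logic can be exercised without a real nginx.

```shell
#!/bin/bash
# hook.sh: reload nginx after dehydrated/letsencrypt.sh deploys a renewed
# certificate. Added example, not part of dehydrated. Install it as e.g.
# /etc/letsencrypt.sh/hook.sh and set HOOK="/etc/letsencrypt.sh/hook.sh" in
# config.sh; dehydrated then runs it once per renewed cert as
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# (argument order as in the dehydrated hook interface).
set -u

# Overridable so the logic can be exercised without a real nginx.
CHECK_CMD="${CHECK_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# Octal permission bits of a file (GNU stat).
mode_of() { stat -c '%a' "$1"; }

deploy_cert() {
    local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4" chainfile="$5" timestamp="$6"
    local f
    # Never reload onto a missing or empty key/chain: nginx would fail to start.
    for f in "$keyfile" "$fullchainfile"; do
        [ -s "$f" ] || { echo "$domain: $f missing or empty, not reloading" >&2; return 1; }
    done
    # Refuse to go live with a private key readable by group or others.
    if [ $(( 0$(mode_of "$keyfile") & 077 )) -ne 0 ]; then
        echo "$domain: $keyfile is readable by others (mode $(mode_of "$keyfile")), not reloading" >&2
        return 1
    fi
    # A broken config would take the site down on reload; test it first.
    $CHECK_CMD || { echo "$domain: web server config check failed, not reloading" >&2; return 1; }
    echo "$domain: certificate with timestamp $timestamp deployed, reloading web server"
    $RELOAD_CMD
}

# Dispatch on the hook name. Hooks not handled here (deploy_challenge,
# clean_challenge, ...) are no-ops because the challenge tokens are served
# straight from the shared WELLKNOWN directory.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
    *) ;;
esac
```

Keep the hook executable and owned by root or the dehydrated user; anything that can edit it runs on every renewal. A nonzero exit from the hook shows up in the cron job’s mail, which is how you learn that a renewal was issued but not activated.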
