Configure
Dehydrated is a client for signing certificates with an ACME server (e.g. Let’s Encrypt or ZeroSSL), implemented as a relatively simple bash script.
It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.
Other dependencies are cURL, sed, grep and mktemp (all found on almost any system, cURL being the only exception).
Installation
Clone the repository from GitHub using git clone https://github.com/lukas2511/dehydrated in your home directory, cd into it, then do the following:
doas install -m0755 dehydrated /usr/local/sbin/dehydrated
doas mkdir -p /etc/dehydrated
doas install -m0644 docs/examples/config /etc/dehydrated/config
doas install -m0644 docs/examples/domains.txt /etc/dehydrated/domains.txt
doas install -m0755 docs/examples/hook.sh /etc/dehydrated/hook.sh
Setup
In /etc/dehydrated/config, uncomment CA, CHALLENGETYPE, DOMAINS_TXT, CERTDIR, ALPNCERTDIR, ACCOUNTDIR, WELLKNOWN, KEYSIZE and LOCKFILE. Change the value of BASEDIR to /etc/dehydrated, WELLKNOWN to /var/www/acme, and CONTACT_EMAIL to your team's support address.
Once that is done, all you have to do is run doas dehydrated --register --accept-terms
You can clear out the domains.txt file and start adding domains to it, one per line. SANs can be added next to the domain (e.g. example.com mail.example.com).
To request certificates, you should have httpd listening on the domain on port 80 and use the same entry as with acme-client, then run doas dehydrated -c and wait until it finishes.
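A pre-flight check for the Setup step, as an added example that is not part of this page's original text or of dehydrated itself: it reports which of the settings listed above are still commented out or carry the wrong value, and lists each certificate entry in domains.txt with its SAN count. The function names and the sample file contents are constructed for illustration; BASEDIR and CONTACT_EMAIL are assumed to need an active line because the page sets their values.

```shell
# Added example, not part of dehydrated: verify the edits from the Setup step.
REQUIRED="CA CHALLENGETYPE DOMAINS_TXT CERTDIR ALPNCERTDIR ACCOUNTDIR WELLKNOWN KEYSIZE LOCKFILE BASEDIR CONTACT_EMAIL"

# Print the last active (uncommented) value of key $2 in file $1, quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print one line per setting that is commented out or wrong; return 0 if none.
check_config() {
    rc=0
    for key in $REQUIRED; do
        grep -Eq "^[[:space:]]*${key}=" "$1" || { echo "not set: $key"; rc=1; }
    done
    for want in BASEDIR=/etc/dehydrated WELLKNOWN=/var/www/acme; do
        [ "$(conf_value "$1" "${want%%=*}")" = "${want#*=}" ] ||
            { echo "${want%%=*} should be ${want#*=}"; rc=1; }
    done
    return "$rc"
}

# Print "<certificate name>: <n> SAN(s)" for each entry line of domains.txt ($1).
# Comments and blank lines are skipped; text after ">" (alias) is ignored.
list_certs() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | (
        set -f    # keep wildcard names such as *.example.com literal
        while read -r line; do
            set -- ${line%%>*}
            echo "$1: $(($# - 1)) SAN(s)"
        done
    )
}

# Constructed sample files: CONTACT_EMAIL still commented, WELLKNOWN unchanged.
write_sample() {
    printf '%s\n' 'BASEDIR="/etc/dehydrated"' 'CA="letsencrypt"' \
        'CHALLENGETYPE="http-01"' 'DOMAINS_TXT="${BASEDIR}/domains.txt"' \
        'CERTDIR="${BASEDIR}/certs"' 'ALPNCERTDIR="${BASEDIR}/alpn-certs"' \
        'ACCOUNTDIR="${BASEDIR}/accounts"' 'WELLKNOWN="/var/www/dehydrated"' \
        'KEYSIZE="4096"' 'LOCKFILE="${BASEDIR}/lock"' '#CONTACT_EMAIL=' > "$1/config"
    printf '%s\n' '# constructed' 'example.com mail.example.com' '' \
        'example.org' > "$1/domains.txt"
}

demo=$(mktemp -d) && write_sample "$demo"
check_config "$demo/config" || echo "config still needs editing"
list_certs "$demo/domains.txt"
rm -rf "$demo"
```

To use it on the real files, call check_config /etc/dehydrated/config and list_certs /etc/dehydrated/domains.txt before running doas dehydrated -c.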