Dehydrated is a client for signing certificates with an ACME-server (e.g. Let’s Encrypt or ZeroSSL) implemented as a relatively simple bash-script.

It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.

Other dependencies are: cURL, sed, grep, mktemp (all found on almost any system, cURL being the only exception)


Clone the repository from their GitHub using git clone on your home directory, and cd to it, then do the following:

  • doas install -m0755 dehydrated /usr/local/sbin/dehydrated
  • doas mkdir -p /etc/dehydrated
  • doas install -m0644 docs/examples/config /etc/dehydrated/config
  • doas install -m0644 docs/examples/domains.txt /etc/dehydrated/domains.txt
  • doas install -m0755 docs/examples/ /etc/dehydrated/


In /etc/dehydrated/config uncomment CA, CHALLENGETYPE, DOMAINS_TXT, CERTDIR, ALPNCERTDIR, ACCOUNTDIR, WELLKNOWN, KEYSIZE and LOCKFILE. Replace the value of BASEDIR to /etc/dehydrated, WELLKNOWN to /var/www/acme, CONTACT_EMAIL to your team's support address,

After done, you'll have to do is running doas dehydrated --register --accept-terms

You can clear out the domains.txt file and start adding domains one-per-line on said file, SANs can be added at the side of the domain (i.e.

To request certificates, you should have httpd listening on the domain in port 80 and use the same entry like with acme-client, then run doas dehydrated -c and wait until it finishes.