Dehydrated is a client for signing certificates with an ACME server (e.g. Let’s Encrypt or ZeroSSL), implemented as a relatively simple Bash script.
It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.
Other dependencies are cURL, sed, grep and mktemp (all found on almost any system, cURL being the only exception).
Clone the repository from its GitHub page into your home directory using
git clone https://github.com/lukas2511/dehydrated
then cd into it and do the following:
doas install -m0755 dehydrated /usr/local/sbin/dehydrated
doas mkdir -p /etc/dehydrated
doas install -m0644 docs/examples/config /etc/dehydrated/config
doas install -m0644 docs/examples/domains.txt /etc/dehydrated/domains.txt
doas install -m0755 docs/examples/hook.sh /etc/dehydrated/hook.sh
In /etc/dehydrated/config, uncomment CA, CHALLENGETYPE, DOMAINS_TXT, CERTDIR, ALPNCERTDIR, ACCOUNTDIR, WELLKNOWN, KEYSIZE and LOCKFILE. Replace the value of BASEDIR with /etc/dehydrated, WELLKNOWN with /var/www/acme, and CONTACT_EMAIL with your team's support address.
Once that is done, all you have to do is run
doas dehydrated --register --accept-terms
You can clear out the domains.txt file and start adding domains to it, one per line. SANs can be added on the same line, after the domain (e.g. example.com mail.example.com).
To request certificates, you should have httpd listening for the domain on port 80, using the same entry as for acme-client. Then run
doas dehydrated -c
and wait until it finishes.
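A pre-flight check for the configuration steps above, to run before registering. This is an added example, not part of dehydrated or the original page. The function names are hypothetical, and it assumes plain VAR=value lines as in docs/examples/config, read as literal text without shell expansion.

```shell
#!/bin/sh
# Added example: pre-flight check for the setup above, to run before
# `dehydrated --register`. Assumes plain VAR=value / VAR="value" lines,
# as in docs/examples/config; values are read literally, not expanded.

# Settings the page says to uncomment or set.
REQUIRED="BASEDIR CA CHALLENGETYPE DOMAINS_TXT CERTDIR ALPNCERTDIR ACCOUNTDIR
WELLKNOWN KEYSIZE LOCKFILE CONTACT_EMAIL"

# Print every required setting with no active (uncommented) assignment in $1.
missing_settings() {
    for var in $REQUIRED; do
        grep -Eq "^[[:space:]]*${var}=" "$1" || printf '%s\n' "$var"
    done
}

# Print the literal value of setting $2 in config $1 (last assignment wins).
setting_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Count certificate entries (non-blank, non-comment lines) in domains file $1.
cert_entries() {
    grep -Evc '^[[:space:]]*(#|$)' "$1"
}

# Return 0 only if config $1 and domains file $2 are ready for a first run.
preflight() {
    rc=0
    for var in $(missing_settings "$1"); do
        echo "config: $var is still commented out or unset" >&2; rc=1
    done
    wk=$(setting_value "$1" WELLKNOWN)
    [ -d "$wk" ] || { echo "WELLKNOWN '$wk' is not a directory" >&2; rc=1; }
    [ -n "$(setting_value "$1" CONTACT_EMAIL)" ] ||
        { echo "CONTACT_EMAIL is empty" >&2; rc=1; }
    [ "$(cert_entries "$2")" -gt 0 ] ||
        { echo "domains.txt has no entries" >&2; rc=1; }
    return $rc
}
```

Source the file and call `preflight /etc/dehydrated/config /etc/dehydrated/domains.txt`; a non-zero return means at least one of the steps above was missed.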