Skip to content

mksh‑ and MirBSD-compatible and feature-enhanced fork of the original dehydrated, a letsencrypt/acme client written in shell

License

Notifications You must be signed in to change notification settings

MirBSD/dehydrated

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

dehydrated-mir — a fork of a stable version of the original dehydrated, for mksh and MirBSD but also others

The upstream README.md contents follow, slightly modified if suitable, but keep in mind, while reading, that this is not the original.

$ git clone https://evolvis.org/anonscm/git/useful-scripts/dehydrated-mir.git

https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=useful-scripts/dehydrated-mir.git

The main branch is called “stable”. Use…

$ git config remote.origin.url https://evolvis.org/anonscm/git/useful-scripts/dehydrated-mir.git
$ git pull

↑ to update clones from the now-deprecated github repository.


Quick note: dehydrated moved, the license will NOT change, and I will still take care of the project. See https://lukas.im/2020/01/30/selling-dehydrated/index.html for more details.

Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script. This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!

It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.

Other dependencies are: cURL, sed, grep, awk, mktemp (all found pre-installed on almost any system, cURL being the only exception).

Current features:

  • Signing of a list of domains (including wildcard domains!)
  • Signing of a custom CSR (either standalone or completely automated using hooks!)
  • Renewal if a certificate is about to expire or defined set of domains changed
  • Certificate revocation

Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request, but please check for duplicates first (feel free to comment on those to get things rolling).

Getting started

For getting started I recommend taking a look at docs/domains_txt.md, docs/wellknown.md and the Usage section on this page (you'll probably only need the -c option).

Generally you want to set up your WELLKNOWN path first, and then fill in domains.txt.

Please note that you should use the staging URL when experimenting with this script to not hit Let's Encrypt's rate limits. See docs/staging.md.

If you have any problems take a look at our Troubleshooting guide.

Generated files

$BASEDIR/certs/domain/ will contain the following files (symlinks, actually):

  • cert.csr — the CSR, not that you’ll need it
  • cert.pem — the certificate
  • chain.pem — the certificate chain
  • fullchain.pem — the certificate followed by the chain
  • privkey.pem — the private key

To actually meaningfully do something with the certificate after update, place a daily run of dehydrated -c | logger -t dehydrated into your crontab, and set HOOK in the configuration to an executable file that takes the following arguments:

$HOOK `deploy_cert` _domain_ _path-to_/`privkey.pem` _path-to_/`cert.pem` _path-to_/`fullchain.pem` _path-to_/`chain.pem` _timestamp_

The hook script must be written in a way to silently ignore (print nothing, exit 0) any other $1 value.

Config

dehydrated is looking for a config file in a few different places, it will use the first one it can find in this order:

  • /etc/dehydrated/config
  • /usr/local/etc/dehydrated/config
  • The current working directory of your shell
  • The directory from which dehydrated was run

Have a look at docs/examples/config to get started, copy it to e.g. /etc/dehydrated/config and edit it to fit your needs.

Usage:

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --version (-v)                   Print version information
 --register                       Register account key
 --account                        Update account contact information
 --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --accept-terms                   Accept CAs terms of service
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --out (-o) certs/directory       Output certificates into the specified directory
 --alpn alpn-certs/directory      Output alpn verification certificates into the specified directory
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Donate

Fork note: this fork (dehydrated-mir) is bugfixed and improved by mirabilos, for MirBSD support, mksh support, more examples, proxymap, etc.

The following information is from the base (dehydrated) software and may be out of date:

I'm a student hacker with a few (unfortunately) quite expensive hobbies (self-hosting, virtualization clusters, routing, high-speed networking, embedded hardware, etc.). I'm really having fun playing around with hard- and software and I'm steadily learning new things. Without those hobbies I probably would never have started working on dehydrated to begin with :)

I'd really appreciate if you could donate a bit of money so I can buy cool stuff (while still being able to afford food :D).

If you have hardware laying around that you think I'd enjoy playing with (e.g. decommissioned but still modern-ish servers, 10G networking hardware, enterprise grade routers or APs, interesting ARM/MIPS boards, etc.) and that you would be willing to ship to me please contact me at [email protected] or on Twitter @lukas2511.

If you want your name to be added to the donations list please add a note or send me an email [email protected]. I respect your privacy and won't publish your name without permission.

Other ways of donating:

About

mksh‑ and MirBSD-compatible and feature-enhanced fork of the original dehydrated, a letsencrypt/acme client written in shell

Topics

Resources

License

Stars

Watchers

Forks

Languages

  • Shell 100.0%