DragonFly On-Line Manual Pages
DEHYDRATED(1) DragonFly General Commands Manual DEHYDRATED(1)
NAME
dehydrated - ACME client implemented as a shell-script
SYNOPSIS
dehydrated [command [argument]] [argument [argument]] ...
DESCRIPTION
A client for ACME-based Certificate Authorities, such as LetsEncrypt.
It can be used to request and obtain TLS certificates from an ACME-
based certificate authority.
Before any certificates can be requested, Dehydrated needs to acquire
an account with the Certificate Authorities. Optionally, an email
address can be provided. It will be used to e.g. notify about expiring
certificates. You will usually need to accept the Terms of Service of
the CA. Dehydrated will notify if no account is configured. Run with
--register --accept-terms to create a new account.
Next, all domain names must be provided in domains.txt. The format is
line based: If the file contains two lines "example.com" and
"example.net", dehydrated will request two certificate, one for
"example.com" and the other for "example.net". A single line containing
"example.com example.net" will request a single certificate valid for
both "example.net" and "example.com" through the Subject Alternative
Name (SAN) field.
For the next step, one way of verifying domain name ownership needs to
be configured. Dehydrated implements http-01 and dns-01 verification.
The http-01 verification provides proof of ownership by providing a
challenge token. In order to do that, the directory referenced in the
WELLKNOWN config variable needs to be exposed at http://{domain}/.well-
known/acme-challenge/, where {domain} is every domain name specified in
domains.txt. Dehydrated does not provide its own challenge responder,
but relies on an existing web server to provide the challenge response.
See wellknown.md for configuration examples of popular web servers.
The dns-01 verification works by providing a challenge token through
DNS. This is especially interesting for hosts that cannot be exposed
to the public Internet. Because adding records to DNS zones is
oftentimes highly specific to the software or the DNS provider at hand,
there are many third party hooks available for dehydrated. See dns-
verification.md for hooks for popular DNS servers and DNS hosters.
Finally, the certificates need to be requested and updated on a regular
basis. This can happen through a cron job or a timer. Initially, you
may enforce this by invoking dehydrated -c manually.
After a successful run, certificates are stored in
/etc/dehydrated/certs/{domain}, where {domain} is the domain name in
the first column of domains.txt.
OPTIONS
Commands
--version, -v
Print version information
--register
Register account key
--account
Update account contact information
--cron, -c
Sign/renew non-existent/changed/expiring certificates.
--signcsr, -s path/to/csr.pem
Sign a given CSR, output CRT on stdout (advanced usage)
--revoke, -r path/to/cert.pem
Revoke specified certificate
--cleanup, -gc
Move unused certificate files to archive directory
--help, -h
Show help text
--env, -e
Output configuration variables for use in other scripts
Parameters
--accept-terms
Accept CAs terms of service
--full-chain, -fc
Print full chain when using --signcsr
--ipv4, -4
Resolve names to IPv4 addresses only
--ipv6, -6
Resolve names to IPv6 addresses only
--domain, -d domain.tld
Use specified domain name(s) instead of domains.txt entry (one
certificate!)
--keep-going, -g
Keep going after encountering an error while creating/renewing
multiple certificates in cron mode
--force, -x
Force certificate renewal even if it is not due to expire within
RENEW_DAYS
--no-lock, -n
Don't use lockfile (potentially dangerous!)
--lock-suffix example.com
Suffix lockfile name with a string (useful for use with -d)
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
--privkey, -p path/to/key.pem
Use specified private key instead of account key (useful for
revocation)
--config, -f path/to/config
Use specified config file
--hook, -k path/to/hook.sh
Use specified script for hooks
--out, -o certs/directory
Output certificates into the specified directory
--challenge, -t [http-01|dns-01]
Which challenge should be used? Currently http-01 and dns-01 are
supported
--algo, -a [rsa|prime256v1|secp384r1]
Which public key algorithm should be used? Supported: rsa,
prime256v1 and secp384r1
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
BUGS
Please report any bugs that you may encounter at the project web site
<https://github.com/lukas2511/dehydrated/issues>.
AUTHOR
Dehydrated was written by Lukas Schauer. This man page was contributed
by Daniel Molkentin.
COPYRIGHT
Copyright 2015-2018 by Lukas Schauer and the respective contributors.
Provided under the MIT License. See the LICENSE file that accompanies
the distribution for licensing information.
SEE ALSO
Full documentation along with configuration examples are provided in
the docs directory of the distribution, or at
<https://github.com/lukas2511/dehydrated/tree/master/docs>.
Dehydrated ACME Client 2018-01-13 DEHYDRATED(1)