Steps to configure Dehydrated for ZeroSSL and Let's Encrypt

djemos
Salix Warrior
Posts: 1491
Joined: 29. Dec 2009, 13:45
Location: Greece


Post by djemos »


1. Go to https://zerossl.com and create a free account.

Next install dehydrated

Code:

sudo slapt-get -i dehydrated
2. ZeroSSL requires External Account Binding (EAB) credentials, which link your ACME client's requests to your ZeroSSL account.
Go to the Developer section in the dashboard. Click Generate to get your EAB KID and EAB HMAC KEY. Save these immediately, as they cannot be retrieved later.

3. For ZeroSSL
3.1 Create/Edit config file: (/etc/dehydrated/config)
uncomment or add the following to point to ZeroSSL

Code:

SCRIPTDIR="/etc/dehydrated"
CA="https://acme.zerossl.com/v2/DV90"
CONTACT_EMAIL="your-email@example.com"
Replace your-email and example.com with your real email address.

3.2. Configure EAB (required for ZeroSSL): you must generate EAB credentials from your ZeroSSL Developer Dashboard as mentioned above. Add these to your configuration:

Code:

EAB_KID="your_kid_from_zerossl"
EAB_HMAC_KEY="your_hmac_key_from_zerossl"

4. For Let's Encrypt
4.1 Create/Edit config file: (/etc/dehydrated/config)
uncomment or add the following to point to Let's Encrypt

Code:

SCRIPTDIR="/etc/dehydrated"
CA="https://acme-v02.api.letsencrypt.org/directory"
CONTACT_EMAIL="your-email@example.com"
Replace your-email and example.com with your real email address.

Next steps are common for both ZeroSSL and Let's Encrypt
5. Set Challenge Type: Use CHALLENGETYPE="http-01" (default) or dns-01. Ensure your webserver handles the challenge file correctly.

6. Add domains to /etc/dehydrated/domains.txt (e.g. foo.net), or to whatever file DOMAINS_TXT points to if you set BASEDIR elsewhere in your config.

7. Validation: ZeroSSL and Let's Encrypt require a validation file to be placed in your webroot (/var/www/htdocs/.well-known/acme-challenge/)
Create it if it does not exist:

Code:

sudo mkdir -p /var/www/htdocs/.well-known/acme-challenge
sudo chown apache:apache -R /var/www/htdocs/.well-known
Be sure that Apache is running as plain HTTP (no SSL yet): comment out the line

Code:

#Include /etc/httpd/extra/httpd-ssl.conf
in /etc/httpd/httpd.conf and restart Apache (sudo service restart httpd).
Check that Apache is running (ps ax | grep httpd).

8. Register your account

Code:

sudo /usr/bin/dehydrated --register --accept-terms
9. Run the script to generate the certificate.

Code:

sudo /usr/bin/dehydrated -c
10. Stop Apache (sudo killall httpd) and check that it is no longer running (ps ax | grep httpd).

10.1 Edit /etc/httpd/extra/httpd-ssl.conf, add these lines and comment out the existing lines that set SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile:

Code:

SSLCertificateFile       /etc/dehydrated/certs/foo.net/cert.pem
SSLCertificateKeyFile    /etc/dehydrated/certs/foo.net/privkey.pem
SSLCertificateChainFile  /etc/dehydrated/certs/foo.net/chain.pem
Replace foo.net with your domain. If you set BASEDIR to somewhere other than /etc/dehydrated in your config, use your CERTDIR (${BASEDIR}/certs) instead of /etc/dehydrated/certs.
The files cert.pem, privkey.pem and chain.pem were created above when you ran sudo /usr/bin/dehydrated -c.

10.2 Edit /etc/httpd/extra/httpd-vhosts.conf and add these lines (replace foo.net with your domain):

Code:

<VirtualHost foo.net:80>
	ServerAdmin webmaster@foo.net
	DocumentRoot "/srv/httpd/htdocs"
	ServerName foo.net
	# Keep the ACME challenge path reachable over plain HTTP; send everything else to HTTPS.
	<If "%{REQUEST_URI} !~ m#/\.well-known/acme-challenge/#">
	   # The trailing slash matters: Redirect appends the rest of the request path to the target,
	   # so without it /index.html would become https://foo.netindex.html
	   Redirect permanent / https://foo.net/
	</If>
</VirtualHost>

<VirtualHost foo.net:443>
	ServerName foo.net
	ServerAdmin webmaster@foo.net
	DocumentRoot /srv/www/htdocs
</VirtualHost>
11. Edit /etc/httpd/httpd.conf and uncomment the line you commented out in step 7, so that Apache loads the SSL configuration again:

Code:

Include /etc/httpd/extra/httpd-ssl.conf
Restart Apache (sudo service restart httpd).
Check that Apache is running (ps ax | grep httpd).
Browse https://foo.net to see that it is working with the ZeroSSL (or Let's Encrypt) certificate.

12. To automate renewals add a cron job to check for renewal regularly.

Code:

# Run this as root: the redirection is done by your shell, so "sudo cat" alone would not work.
cat <<'EOT' > /etc/cron.weekly/dehydrated
#!/bin/sh
# Check for renewal of certificates once per week (run-parts only runs executable files)
/usr/bin/dehydrated -c >> /var/log/dehydrated.log 2>&1
service restart httpd
EOT
Make it executable

Code:

chmod +x /etc/cron.weekly/dehydrated 
13. Run

Code:

sudo /usr/bin/dehydrated -c
You will see something like below (this is from my site):

Code:

INFO: Using main config file /etc/dehydrated/config
Processing ariadni.noip.me
Checking domain name(s) of existing cert... unchanged.
Checking expire date of existing cert...
Valid till May 22 23:59:59 2026 GMT (Longer than 32 days). Skipping renew!

14. My /etc/dehydrated/config for ZeroSSL (of course I have changed EAB_KID="" and EAB_HMAC_KEY="")

Code:

SCRIPTDIR="/etc/dehydrated"
CA="https://acme.zerossl.com/v2/DV90"
EAB_KID="SHSHSDHSHSzxzvxcvcx"
EAB_HMAC_KEY="ertyhgffdfhfdjjdjdfasddffgADDFFFF"
# BASEDIR=$SCRIPTDIR is overridden by the next line: with this config, domains.txt, the account
# and the certificates (CERTDIR) live under /var/www/dehydrated, not /etc/dehydrated,
# so the paths used in steps 6 and 10.1 must point there as well.
BASEDIR="/var/www/dehydrated"
DOMAINS_TXT="${BASEDIR}/domains.txt"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
CONTACT_EMAIL=dijemos@gmail.com
15. My /etc/dehydrated/config for Let's Encrypt

Code:

SCRIPTDIR="/etc/dehydrated"
CA="https://acme-v02.api.letsencrypt.org/directory"
# BASEDIR=$SCRIPTDIR is overridden by the next line; see the note in the ZeroSSL config above.
BASEDIR="/var/www/dehydrated"
DOMAINS_TXT="${BASEDIR}/domains.txt"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
CONTACT_EMAIL=dijemos@gmail.com
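Two things in the procedure above are worth tightening, and the script below is an added example for this page (it is not code from djemos's post or from the dehydrated project) that covers both. First, the weekly cron job in step 12 restarts Apache on every run, even when dehydrated printed "Skipping renew!" and nothing changed; dehydrated's HOOK setting names a script that it calls with a hook name as the first argument (deploy_cert, unchanged_cert, invalid_challenge, request_failure, exit_hook, ...), and deploy_cert fires only when a certificate was actually issued or renewed, so that is the right place to reload Apache. Second, with the config in step 14 the certificates and the private key end up under /var/www/dehydrated/certs; the hook copies them to a root-only directory outside the web tree and leaves privkey.pem at mode 0600. The install directory /etc/httpd/ssl, the script path /etc/dehydrated/hook.sh and the reload command apachectl -k graceful are my assumptions, not anything from the post; the log file is the one the cron job in step 12 already writes to.

```shell
#!/bin/sh
# /etc/dehydrated/hook.sh -- added example for this page, not code from the post or from dehydrated.
# dehydrated invokes it as:  hook.sh <hook-name> <arguments...>
# Enable with  HOOK="/etc/dehydrated/hook.sh"  in /etc/dehydrated/config and chmod 0755 the file.
# Assumptions (not from the post): CERT_INSTALL_DIR and RELOAD_CMD. LOGFILE reuses the cron job's log.
set -e

CERT_INSTALL_DIR="${CERT_INSTALL_DIR:-/etc/httpd/ssl}"   # assumed root-only install location
RELOAD_CMD="${RELOAD_CMD:-apachectl -k graceful}"         # assumed; graceful keeps open connections
LOGFILE="${LOGFILE:-/var/log/dehydrated.log}"

log() {
    printf '%s hook: %s\n' "$(date '+%F %T')" "$*" >> "$LOGFILE"
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Called only when a certificate was newly issued or renewed.
deploy_cert() {
    dest="$CERT_INSTALL_DIR/$1"
    install -d -m 0755 "$dest"
    install -m 0600 "$2" "$dest/privkey.pem"      # private key: owner-only (dehydrated runs as root)
    install -m 0644 "$3" "$dest/cert.pem"
    install -m 0644 "$4" "$dest/fullchain.pem"    # leaf + intermediates, usable as SSLCertificateFile
    install -m 0644 "$5" "$dest/chain.pem"
    log "installed new certificate for $1 (issued $6) into $dest"
    $RELOAD_CMD    # unquoted on purpose: the command plus its arguments
}

# unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# Certificate still valid: do nothing, so Apache is not restarted on every cron run.
unchanged_cert() { :; }

# invalid_challenge DOMAIN RESPONSE: the CA could not validate the domain.
invalid_challenge() {
    log "challenge for $1 failed: $2"
}

# request_failure STATUSCODE REASON REQTYPE HEADERS: an ACME request returned an error.
request_failure() {
    log "ACME $3 request failed with HTTP $1: $2"
}

# exit_hook ERROR: always called last; ERROR is non-empty only when dehydrated failed.
exit_hook() {
    [ -z "${1:-}" ] || log "dehydrated exited with error: $1"
}

hook_main() {
    handler="$1"; shift
    case "$handler" in
        deploy_cert|unchanged_cert|invalid_challenge|request_failure|exit_hook)
            "$handler" "$@" ;;
        *)  # deploy_challenge, clean_challenge, startup_hook, ...: nothing to do for http-01
            : ;;
    esac
}

# dehydrated always passes a hook name; with no arguments (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then hook_main "$@"; fi
```

With the hook in place, the cron job only needs to run /usr/bin/dehydrated -c; the "service restart httpd" line can go. Point httpd-ssl.conf at /etc/httpd/ssl/foo.net/ instead of the CERTDIR paths; on Apache 2.4.8 and later you can set SSLCertificateFile to fullchain.pem and drop SSLCertificateChainFile, since the intermediates are read from the same file. For http-01 dehydrated writes the token into WELLKNOWN itself, which is why the script ignores deploy_challenge and clean_challenge; if you switch to dns-01 those two hooks are where the DNS record would be created and removed.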