Steps to configure Dehydrated for ZeroSSL and Let's Encrypt

djemos
Salix Warrior
Posts: 1493
Joined: 29. Dec 2009, 13:45
Location: Greece


Post by djemos »

Steps to configure Dehydrated for ZeroSSL and Let's Encrypt

1. Go to https://zerossl.com and create a free account.

Next install dehydrated

sudo slapt-get -i dehydrated

2. ZeroSSL requires using External Account Binding (EAB) credentials, as ZeroSSL requires these to link ACME client requests to your account.
Go to the Developer section in the dashboard. Click Generate to get your EAB KID and EAB HMAC KEY. Save these immediately, as they cannot be retrieved later.

3. For ZeroSSL
3.1 Create/Edit config file: (/etc/dehydrated/config)
uncomment or add the following to point to ZeroSSL

SCRIPTDIR="/etc/dehydrated"
CA="https://acme.zerossl.com/v2/DV90"
CONTACT_EMAIL="your-email@example.com"

Replace your-email and example.com with your real email address.

3.2. Configure EAB (Required for ZeroSSL): You must generate EAB credentials from your ZeroSSL Developer Dashboard as mentioned above. Add these to your configuration:

EAB_KID="your_kid_from_zerossl"
EAB_HMAC_KEY="your_hmac_key_from_zerossl"

4. For Let's Encrypt
4.1 Create/Edit config file: (/etc/dehydrated/config)
uncomment or add the following to point to Let's Encrypt

SCRIPTDIR="/etc/dehydrated"
CA="https://acme-v02.api.letsencrypt.org/directory"
CONTACT_EMAIL="your-email@example.com"

Replace your-email and example.com with your real email address.

Next steps are common for both ZeroSSL and Let's Encrypt
5. Set Challenge Type: Use CHALLENGETYPE="http-01" (default) or dns-01. Ensure your webserver handles the challenge file correctly.

6. Add domains to /etc/dehydrated/domains.txt (e.g. foo.net)

7. Validation: ZeroSSL and Let's Encrypt require a validation file to be placed in your webroot (/var/www/htdocs/.well-known/acme-challenge/)
In /etc/dehydrated/config there is the line WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
This path has to be as it is and has to be accessible by apache, otherwise ZeroSSL and Let's Encrypt cannot validate and create certificates.
Create it if it does not exist

sudo mkdir -p /var/www/htdocs/.well-known/acme-challenge
sudo chown apache:apache -R /var/www/htdocs/.well-known

Be sure that apache is running as http. Comment the line

#Include /etc/httpd/extra/httpd-ssl.conf

in /etc/httpd/httpd.conf
Edit /etc/httpd/extra/httpd-vhosts.conf to be as below

<VirtualHost *:80>
	ServerAdmin webmaster@foo.net
	DocumentRoot "/srv/httpd/htdocs"
	ServerName foo.net
	ErrorLog "/var/log/httpd/foo.net-error_log"
	CustomLog "/var/log/httpd/foo.net-access_log" common
</VirtualHost>

and restart apache (sudo service restart httpd)

Check if apache is running (ps ax |grep httpd)

8. Register your account

sudo /usr/bin/dehydrated --register --accept-terms

9. Run the script to generate the certificate.

sudo /usr/bin/dehydrated -c

10. Stop apache (sudo killall httpd and check it is not running ps ax |grep httpd)

10.1 Edit /etc/httpd/extra/httpd-ssl.conf, add these lines, and comment out the lines that reference the same SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile

SSLCertificateFile       /etc/dehydrated/certs/foo.net/cert.pem
SSLCertificateKeyFile    /etc/dehydrated/certs/foo.net/privkey.pem
SSLCertificateChainFile  /etc/dehydrated/certs/foo.net/chain.pem

Replace foo.net with your domain.
The files cert.pem, privkey.pem and chain.pem were created above when you ran sudo /usr/bin/dehydrated -c

10.2 Edit /etc/httpd/extra/httpd-vhosts.conf to be as below (replace foo.net with your domain)

####
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
####
<VirtualHost *:80>
	ServerAdmin webmaster@foo.net
	DocumentRoot "/srv/httpd/htdocs"
	ServerName foo.net
	ErrorLog "/var/log/httpd/foo.net-error_log"
	CustomLog "/var/log/httpd/foo.net-access_log" common
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
	ServerName foo.net
	ServerAdmin webmaster@foo.net
	DocumentRoot /srv/www/htdocs
	ErrorLog "/var/log/httpd/foo.net-error_log"
	TransferLog "/var/log/httpd/foo.net-access_log"
	SSLEngine on
	SSLCertificateFile       /etc/dehydrated/certs/foo.net/cert.pem
	SSLCertificateKeyFile    /etc/dehydrated/certs/foo.net/privkey.pem
	SSLCertificateChainFile  /etc/dehydrated/certs/foo.net/chain.pem
</VirtualHost>

11. Edit /etc/httpd/httpd.conf and comment out the line

Include /etc/httpd/extra/httpd-ssl.conf

restart apache (sudo service restart httpd)
Check if apache is running (ps ax |grep httpd)
Browse https://foo.net to see it is working under ZeroSSL or Let's Encrypt

12. To automate renewals add a cron job to check for renewal regularly.

cat <<EOT > /etc/cron.weekly/dehydrated
#!/bin/sh
# Check for renewal of certificates once per week
/usr/bin/dehydrated -c >> /var/log/dehydrated.log 2>&1
service restart httpd
EOT

Make it executable

chmod +x /etc/cron.weekly/dehydrated

13. Run

sudo /usr/bin/dehydrated -c

you will see something like below (It is from my site)

INFO: Using main config file /etc/dehydrated/config
Processing ariadni.noip.me
Checking domain name(s) of existing cert... unchanged.
Checking expire date of existing cert...
Valid till May 22 23:59:59 2026 GMT (Longer than 32 days). Skipping renew!

14. My /etc/dehydrated/config for ZeroSSL (of course I have changed EAB_KID="" and EAB_HMAC_KEY="")

SCRIPTDIR="/etc/dehydrated"
CA="https://acme.zerossl.com/v2/DV90"
EAB_KID="SHSHSDHSHSzxzvxcvcx"
EAB_HMAC_KEY="ertyhgffdfhfdjjdjdfasddffgADDFFFF"
BASEDIR=$SCRIPTDIR
BASEDIR="/var/www/dehydrated"
DOMAINS_TXT="${BASEDIR}/domains.txt"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
CONTACT_EMAIL=dijemos@gmail.com

15. My /etc/dehydrated/config for Let's Encrypt

SCRIPTDIR="/etc/dehydrated"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR=$SCRIPTDIR
BASEDIR="/var/www/dehydrated"
DOMAINS_TXT="${BASEDIR}/domains.txt"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
CONTACT_EMAIL=dijemos@gmail.com

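Two things a practitioner following steps 3, 4, 7 and 12 above usually wants: a quick sanity check of /etc/dehydrated/config before the first `dehydrated -c` (ZeroSSL selected but no EAB pair, the placeholder e-mail left in, the WELLKNOWN directory not created, or a misspelled key that dehydrated would simply never read), and a way to restart apache only when a certificate was actually renewed rather than every week. The script below is an added example, not code from the post or from the dehydrated project. The names cfg_get, KNOWN_KEYS, check_dehydrated_config, dehydrated_hook and RESTART_CMD are invented for this example; the hook operation names (deploy_cert, unchanged_cert, deploy_challenge, clean_challenge) and the deploy_cert argument order are dehydrated's documented hook interface, and the config shown in the demo is constructed here.

```shell
#!/bin/sh
# Added example (not from the post or from dehydrated):
#  1) check_dehydrated_config FILE  - report config mistakes before "dehydrated -c"
#  2) dehydrated_hook OP ARGS...    - HOOK body that restarts apache only on deploy_cert
# cfg_get, KNOWN_KEYS, check_dehydrated_config, dehydrated_hook, RESTART_CMD are
# names invented for this example.

# cfg_get FILE KEY: print the value of KEY=... (quoted or not). The last
# assignment wins, as when dehydrated sources the file; commented lines are skipped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Subset of the keys from dehydrated's documented example config. Any other
# KEY= assignment in the file is reported as a probable typo.
KNOWN_KEYS="CA CA_TERMS SCRIPTDIR BASEDIR DOMAINS_TXT CERTDIR ACCOUNTDIR WELLKNOWN \
CHALLENGETYPE CONTACT_EMAIL EAB_KID EAB_HMAC_KEY HOOK HOOK_CHAIN RENEW_DAYS \
KEY_ALGO KEYSIZE LOCKFILE OPENSSL PRIVATE_KEY_RENEW OCSP_MUST_STAPLE"

# check_dehydrated_config FILE: print one line per problem; return 1 if any.
check_dehydrated_config() {
    cfg="$1"; problems=0
    ca=$(cfg_get "$cfg" CA)
    email=$(cfg_get "$cfg" CONTACT_EMAIL)
    wellknown=$(cfg_get "$cfg" WELLKNOWN)

    if [ -z "$ca" ]; then
        echo "CA is not set (ZeroSSL or Let's Encrypt directory URL)"
        problems=$((problems + 1))
    fi
    case "$ca" in
        *zerossl.com*)   # ZeroSSL ties the ACME account to your dashboard account via EAB
            if [ -z "$(cfg_get "$cfg" EAB_KID)" ] || [ -z "$(cfg_get "$cfg" EAB_HMAC_KEY)" ]; then
                echo "ZeroSSL needs both EAB_KID and EAB_HMAC_KEY from the Developer dashboard"
                problems=$((problems + 1))
            fi ;;
    esac
    case "$email" in
        ""|*example.com)
            echo "CONTACT_EMAIL is empty or still the placeholder"
            problems=$((problems + 1)) ;;
    esac
    if [ -n "$wellknown" ] && [ ! -d "$wellknown" ]; then
        echo "WELLKNOWN directory $wellknown does not exist (mkdir -p it and chown it to apache)"
        problems=$((problems + 1))
    fi
    # Every KEY= at the start of a line that is not a known key is flagged.
    for key in $(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$cfg"); do
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) echo "unknown key $key (typo? an unknown variable is simply never used)"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# dehydrated_hook OPERATION ARGS...: save as /etc/dehydrated/hook.sh, set
# HOOK="/etc/dehydrated/hook.sh" in the config and end the file with:  dehydrated_hook "$@"
# dehydrated passes the operation name first; deploy_cert receives
# DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP.
RESTART_CMD="${RESTART_CMD:-service restart httpd}"   # the restart command used in the post
dehydrated_hook() {
    case "$1" in
        deploy_cert)
            echo "deploy_cert: new certificate for $2 ($4), restarting apache"
            $RESTART_CMD ;;
        unchanged_cert)
            echo "unchanged_cert: $2 still valid, apache left alone" ;;
        *) : ;;   # deploy_challenge/clean_challenge need nothing: http-01 is served from WELLKNOWN
    esac
}

# Demo on a constructed config that repeats the EEAB_KID typo from step 3.2.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOT'
SCRIPTDIR="/etc/dehydrated"
CA="https://acme.zerossl.com/v2/DV90"
EEAB_KID="your_kid_from_zerossl"
EAB_HMAC_KEY="your_hmac_key_from_zerossl"
CONTACT_EMAIL="your-email@example.com"
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
EOT
    if check_dehydrated_config "$tmp"; then
        echo "config looks sane, run: sudo /usr/bin/dehydrated -c"
    else
        echo "fix the problems above before running dehydrated -c"
    fi
    rm -f "$tmp"
}
demo
```

Run it as `sh check.sh` against a copy of your config; the demo section reports the misspelled EEAB_KID, the placeholder e-mail and, on a machine without the WELLKNOWN directory, that too. With the hook installed, the weekly cron job only needs `/usr/bin/dehydrated -c`, since a restart then happens exactly when the output would otherwise show a new certificate rather than "Skipping renew!".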
gapan
Salix Wizard
Posts: 6445
Joined: 6. Jun 2009, 17:40

Re: Steps to configure Dehydrated for ZeroSSL and Let's Encrypt

Post by gapan »

Very nice djemos! Thank you!