1. Go to https://zerossl.com and create a free account.
Next install dehydrated
Code: Select all
sudo slapt-get -i dehydratedZeroSSL requires using External Account Binding (EAB) credentials, as ZeroSSL requires these to link ACME client requests to your account.
Go to the Developer section in the dashboard. Click Generate to get your EAB KID and EAB HMAC KEY. Save these immediately, as they cannot be retrieved later.
Copy paste code bellow to /etc/dehydrated/config-zerossl
Replace EAB_KID="aaaxxxc" and EAB_HMAC_KEY="eeetttbbb" with your own.
Code: Select all
########################################################
# This is the main config file for dehydrated #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
########################################################
SCRIPTDIR="/etc/dehydrated"
# Which user should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_USER=
# Which group should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_GROUP=
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
#IP_VERSION=
# URL to certificate authority or internal preset
# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
# default: letsencrypt
#CA="zerossl"
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
#CA="https://acme-v02.api.letsencrypt.org/directory"
CA="https://acme.zerossl.com/v2/DV90"
EAB_KID="aaaxxxc"
EAB_HMAC_KEY="eeetttbbb"
# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
CHALLENGETYPE="http-01"
# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=
# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificates output directory.
# default: <unset>
#DOMAINS_D=
# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
BASEDIR=$SCRIPTDIR
#BASEDIR="/var/www/dehydrated"
# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
DOMAINS_TXT="${BASEDIR}/domains.txt"
# Output directory for generated certificates
CERTDIR="${BASEDIR}/certs-zerossl"
# Output directory for alpn verification certificates
#ALPNCERTDIR="${BASEDIR}/alpn-certs"
# Directory for account keys and registration information
ACCOUNTDIR="${BASEDIR}/accounts-zerossl"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
#WELLKNOWN="/var/www/dehydrated"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=
# Path to OpenSSL binary (default: "openssl")
#OPENSSL="openssl"
# Extra options passed to the curl binary (default: <unset>)
#CURL_OPTS=
# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=/etc/dehydrated/hook-zerossl.sh
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate (default: 32)
#RENEW_DAYS="32"
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
#PRIVATE_KEY_RENEW="yes"
# Create an extra private key for rollover (default: no)
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=secp384r1
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=dijemos@gmail.com
# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
LOCKFILE="${BASEDIR}/lock-zerossl"
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses (default: no)
#OCSP_FETCH="no"
# OCSP refresh interval (default: 5 days)
#OCSP_DAYS=5
# Issuer chain cache directory (default: $BASEDIR/chains)
#CHAINCACHE="${BASEDIR}/chains"
# Automatic cleanup (default: no)
#AUTO_CLEANUP="no"
# Delete files during automatic cleanup instead of moving to archive (default: no)
#AUTO_CLEANUP_DELETE="no"
# ACME API version (default: auto)
#API=auto
# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=
# Request certificate with specific profile (default: <unset>)
#ACME_PROFILE=
# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
#ORDER_TIMEOUT=0
3. For Let's Encrypt
Copy paste code bellow to /etc/dehydrated/config-letsencrypt
Code: Select all
########################################################
# This is the main config file for dehydrated #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
########################################################
SCRIPTDIR="/etc/dehydrated"
# Which user should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_USER=
# Which group should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_GROUP=
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
#IP_VERSION=
# URL to certificate authority or internal preset
# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
# default: letsencrypt
#CA="letsencrypt"
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CA="https://acme-v02.api.letsencrypt.org/directory"
# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
CHALLENGETYPE="http-01"
# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=
# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificates output directory.
# default: <unset>
#DOMAINS_D=
# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
BASEDIR=$SCRIPTDIR
#BASEDIR="/var/www/dehydrated"
# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
DOMAINS_TXT="${BASEDIR}/domains.txt"
# Output directory for generated certificates
CERTDIR="${BASEDIR}/certs-letsencrypt"
# Output directory for alpn verification certificates
#ALPNCERTDIR="${BASEDIR}/alpn-certs"
# Directory for account keys and registration information
ACCOUNTDIR="${BASEDIR}/accounts-letsencrypt"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
#WELLKNOWN="/var/www/dehydrated"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=
# Path to OpenSSL binary (default: "openssl")
#OPENSSL="openssl"
# Extra options passed to the curl binary (default: <unset>)
#CURL_OPTS=
# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=/etc/dehydrated/hook-letsencrypt.sh
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate (default: 32)
#RENEW_DAYS="32"
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
#PRIVATE_KEY_RENEW="yes"
# Create an extra private key for rollover (default: no)
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=secp384r1
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=dijemos@gmail.com
# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
LOCKFILE="${BASEDIR}/lock-letsencrypt"
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses (default: no)
#OCSP_FETCH="no"
# OCSP refresh interval (default: 5 days)
#OCSP_DAYS=5
# Issuer chain cache directory (default: $BASEDIR/chains)
CHAINCACHE="${BASEDIR}/chains"
# Automatic cleanup (default: no)
#AUTO_CLEANUP="no"
# Delete files during automatic cleanup instead of moving to archive (default: no)
#AUTO_CLEANUP_DELETE="no"
# ACME API version (default: auto)
#API=auto
# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=
# Request certificate with specific profile (default: <unset>)
#ACME_PROFILE=
# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
#ORDER_TIMEOUT=0
Next steps 4, 5 are common for both ZeroSSL and Let's Encrypt
4. Add domains to /etc/dehydrated/domains.txt (e.g. foo.net and foo1.net for more add foo3.net etc and you have to add another <VirtualHost *:80> and <VirtualHost *:443> for each domain.)
5. Validation: ZeroSSL and Let's Encrypt require a validation file to be placed in your webroot (/var/www/htdocs/.well-known/acme-challenge/)
In /etc/dehydrated/config there is the line WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge"
This path has to be as it is and have to be accessed by apache, otherwise Zer0SSL and Let's Encrypt cannot validate and create certificates.
create it if does not exist
Code: Select all
sudo mkdir -p /var/www/htdocs/.well-known/acme-challenge
sudo chown apache:apache -R /var/www/htdocs/.well-knownCode: Select all
#Include /etc/httpd/extra/httpd-ssl.confEdit /etc/httpd/extra/httpd-vhosts.conf to be as bellow
Code: Select all
<VirtualHost *:80>
ServerAdmin webmaster@foo.net
DocumentRoot "/srv/httpd/htdocs"
ServerName foo.net
ErrorLog "/var/log/httpd/foo.net-error_log"
CustomLog "/var/log/httpd/foo.net-access_log" common
</VirtualHost>
Check if apache is running (ps ax |grep httpd)
6. For ZeroSSL
6.1 Register your account to ZeroSSL
Code: Select all
sudo /usr/bin/dehydrated -f /etc/dehydrated/config-zerossl --register --accept-termsCertificate files created in /etc/dehydrated/certs-zerossl/
Code: Select all
sudo /usr/bin/dehydrated -f /etc/dehydrated/config-zerossl -c7. For Let's Encrypt
7.1 Register your account to Let's Encrypt
Code: Select all
sudo /usr/bin//dehydrated -f /etc/dehydrated/config-letsencrypt --register --accept-termsCertificate files created in /etc/dehydrated/certs-letsencrypt/
Code: Select all
sudo /usr/bin/dehydrated -f /etc/dehydrated/config-letsencrypt -c8.1 Edit /etc/httpd/extra/httpd-vhosts.conf to be as bellow (Replace foo.net and foo1.net with your domains)
Code: Select all
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
####
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
####
<VirtualHost *:80>
ServerAdmin webmaster@foo.net
DocumentRoot "/srv/httpd/htdocs/foo.net"
ServerName foo.net
ErrorLog "/var/log/httpd/foo.net-error_log"
CustomLog "/var/log/httpd/foo.net-access_log" common
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@foo1.net
DocumentRoot "/srv/httpd/htdocs/foo1.net"
ServerName foo1.net
ErrorLog "/var/log/httpd/foo1.net-error_log"
CustomLog "/var/log/httpd/foo1.net-access_log" common
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/httpd/htdocs/foo.net"
ServerName foo.net:443
ServerAdmin webmaster@foo.net
ErrorLog "/var/log/httpd/foo.net-error_log"
TransferLog "/var/log/httpd/foo.net-access_log"
SSLEngine on
SSLCertificateFile /etc/dehydrated/certs-zerossl/foo.net/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs-zerossl/foo.net/privkey.pem
SSLCertificateChainFile /etc/dehydrated/certs-zerossl/foo.net/chain.pem
</VirtualHost>
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/httpd/htdocs/foo1.net"
ServerName foo1.net:443
ServerAdmin webmaster@foo1.net
ErrorLog "/var/log/httpd/foo1.net-error_log"
TransferLog "/var/log/httpd/foo1.net-access_log"
SSLEngine on
SSLCertificateFile /etc/dehydrated/certs-zerossl/foo1.net/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs-zerossl/foo1.net/privkey.pem
SSLCertificateChainFile /etc/dehydrated/certs-zerossl/foo1.net/chain.pem
</VirtualHost>
Code: Select all
cat <<EOT > /etc/cron.weekly/dehydrated-zerossl
# Check for renewal of certificates once per week
/usr/bin/dehydrated -f /etc/dehydrated/config-zerossl -c >> /var/log/dehydrated-zerossl.log 2>&1
service restart httpd
EOTCode: Select all
sudo chmod +x /etc/cron.weekly/dehydrated-zerossl9.1 Edit /etc/httpd/extra/httpd-vhosts.conf to be as bellow (Replace foo.net and foo1.net with your domains)
Code: Select all
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
####
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
####
<VirtualHost *:80>
ServerAdmin webmaster@foo.net
DocumentRoot "/srv/httpd/htdocs/foo.net"
ServerName foo.net
ErrorLog "/var/log/httpd/foo.net-error_log"
CustomLog "/var/log/httpd/foo.net-access_log" common
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@foo1.net
DocumentRoot "/srv/httpd/htdocs/foo1.net"
ServerName foo1.net
ErrorLog "/var/log/httpd/foo1.net-error_log"
CustomLog "/var/log/httpd/foo1.net-access_log" common
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/httpd/htdocs/foo.net"
ServerName foo.net:443
ServerAdmin webmaster@foo.net
ErrorLog "/var/log/httpd/foo.net-error_log"
TransferLog "/var/log/httpd/foo.net-access_log"
SSLEngine on
SSLCertificateFile /etc/dehydrated/certs-letsencrypt/foo.net/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs-letsencrypt/foo.net/privkey.pem
SSLCertificateChainFile /etc/dehydrated/certs-letsencrypt/foo.net/chain.pem
</VirtualHost>
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/httpd/htdocs/foo1.net"
ServerName foo1.net:443
ServerAdmin webmaster@foo1.net
ErrorLog "/var/log/httpd/foo1.net-error_log"
TransferLog "/var/log/httpd/foo1.net-access_log"
SSLEngine on
SSLCertificateFile /etc/dehydrated/certs-letsencrypt/foo1.net/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs-letsencrypt/foo1.net/privkey.pem
SSLCertificateChainFile /etc/dehydrated/certs-letsencrypt/foo1.net/chain.pem
</VirtualHost>
9.2 To automate renewals for Let's Encrypt add a cron job to check for renewal regularly.
Code: Select all
cat <<EOT > /etc/cron.weekly/dehydrated-letsencrypt
# Check for renewal of certificates once per week
/usr/bin/dehydrated -f /etc/dehydrated/config-letsencrypt -c >> /var/log/dehydrated-letsencrypt.log 2>&1
service restart httpd
EOTCode: Select all
sudo chmod +x /etc/cron.weekly/dehydrated-letsencryptCheck if apache is running (ps ax |grep httpd)
Browse https://foo.net and https://foo1.net to see it is working under ZeroSSL or Let's Encrypt
11. Run
Code: Select all
sudo /usr/bin/dehydrated -f /etc/dehydrated/config-zerossl -cCode: Select all
# INFO: Using main config file /etc/dehydrated/config-zerossl
Processing ariadni.noip.me
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 24 23:59:59 2026 GMT (Longer than 32 days). Skipping renew!
Processing slackel.ddns.net
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 24 23:59:59 2026 GMT (Longer than 32 days). Skipping rene12. Run
Code: Select all
sudo /usr/bin/dehydrated -f /etc/dehydrated/config-letsencrypt -cCode: Select all
# INFO: Using main config file /etc/dehydrated/config-letsencrypt
Processing ariadni.noip.me
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 24 11:07:14 2026 GMT (Longer than 32 days). Skipping renew!
Processing slackel.ddns.net
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 24 11:07:26 2026 GMT (Longer than 32 days). Skipping renew!
If you like to run your sites under ZeroSSL use certs-zerossl for both domains in /etc/httpd/extra/httpd-vhosts.conf and restart apache.
If you like to run your sites under Let's Encrypt use certs-letsencrypt for both domains in /etc/httpd/extra/httpd-vhosts.conf and restart apache.
If you like to run foo.net under ZeroSSL use certs-zerossl for foo.net in /etc/httpd/extra/httpd-vhosts.conf and restart apache.
If you like to run foo1.net under Let's Encrypt use certs-letsencrypt for foo1.net in /etc/httpd/extra/httpd-vhosts.conf and restart apache.