
FreeBSD Manual Pages


DEHYDRATED(1)               General Commands Manual              DEHYDRATED(1)

       dehydrated - ACME client implemented as a shell script

       dehydrated [command [argument]] [argument [argument]] ...

       A client for ACME-based Certificate Authorities, such as LetsEncrypt.
       It can be used to request and obtain TLS certificates from an
       ACME-based certificate authority.

       Before any certificates can be requested, Dehydrated needs to acquire
       an account with the Certificate Authority. Optionally, an email
       address can be provided. It will be used, e.g., to notify about
       expiring certificates. You will usually need to accept the Terms of
       Service of the CA. Dehydrated will notify you if no account is
       configured. Run with --register --accept-terms to create a new
       account.

       Next, all domain names must be provided in domains.txt. The format is
       line based: if the file contains two lines "" and "exam-", Dehydrated
       will request two certificates, one for "exam-" and the other for "".
       A single line with "exam-" will request a single certificate valid
       for both "" and "" through the Subject Alternative Name (SAN) field.

       For the next step, one way of verifying domain name ownership needs to
       be configured. Dehydrated implements http-01 and dns-01 verification.

       The http-01 verification provides proof of ownership by providing a
       challenge token. In order to do that, the directory referenced in the
       WELLKNOWN config variable needs to be exposed at
       http://{domain}/.well-known/acme-challenge/, where {domain} is every
       domain name specified in domains.txt. Dehydrated does not provide its
       own challenge responder, but relies on an existing web server to
       provide the challenge response. See for configuration examples of
       popular web servers.

       The dns-01 verification works by providing a challenge token through
       DNS. This is especially interesting for hosts that cannot be exposed
       to the public Internet. Because adding records to DNS zones is
       oftentimes highly specific to the software or the DNS provider at
       hand, there are many third party hooks available for dehydrated. See
       dns- for hooks for popular DNS servers and DNS hosters.

       Finally, the certificates need to be requested and updated on a
       regular basis. This can happen through a cron job or a timer.
       Initially, you may enforce this by invoking dehydrated -c manually.

       After a successful run, certificates are stored in
       /etc/dehydrated/certs/{domain}, where {domain} is the domain name in
       the first column of domains.txt.
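       A pre-flight helper for the workflow above: it parses domains.txt into
       the certificates that will be requested and their expected
       /etc/dehydrated/certs/{domain} directories, lists the http-01 URLs the
       CA will fetch, and checks that the WELLKNOWN directory is really
       served before the first dehydrated -c. This is an added example, not
       part of dehydrated; it assumes blank and '#' lines may be skipped, a
       constructed sample domains.txt, and curl for the live check.

```shell
#!/bin/sh
# Pre-flight helper for a dehydrated domains.txt. Added example, not part of
# dehydrated. Format as in the man page: one certificate per line, first
# column is the primary name, the rest become SAN entries. Blank lines and
# lines starting with '#' are skipped (assumption, not from the man page).
set -f   # never glob-expand the words of a domains.txt line

# Constructed sample domains.txt, embedded so the script runs offline.
SAMPLE_DOMAINS='# production hosts
www.example.test example.test
mail.example.test

intranet.example.test'

# For each certificate line print "<primary> <cert directory> <SAN count>",
# using the /etc/dehydrated/certs/{domain} layout described in the man page.
plan_certs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $line                       # $1 becomes the primary name
        case "${1:-#}" in '#'*) continue ;; esac
        primary=$1; shift
        printf '%s /etc/dehydrated/certs/%s %s\n' "$primary" "$primary" "$#"
    done
}

# URLs the CA fetches for http-01 on one domains.txt line (primary + SANs).
challenge_urls() {
    for name in $1; do
        printf 'http://%s/.well-known/acme-challenge/\n' "$name"
    done
}

# Check that WELLKNOWN is really served for every name before running
# "dehydrated -c": write a random token, fetch it over HTTP the way the CA
# does, and compare. Needs curl and network access; not exercised offline.
check_wellknown() {
    wellknown=$1; shift
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'preflight-%s' "$token" > "$wellknown/$token" || return 1
    rc=0
    for name in "$@"; do
        got=$(curl -fsS --max-time 10 "http://$name/.well-known/acme-challenge/$token") || got=''
        if [ "$got" = "preflight-$token" ]; then
            printf 'ok   %s\n' "$name"
        else
            printf 'FAIL %s: challenge directory not reachable\n' "$name"; rc=1
        fi
    done
    rm -f "$wellknown/$token"
    return "$rc"
}
```

       Run plan_certs "$(cat /etc/dehydrated/domains.txt)" to see what a cron
       run would request, and check_wellknown /path/to/WELLKNOWN name... for
       every name on a line before enabling the cron job.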


       --version, -v
	      Print version information

       --register
              Register account key

	      Update account contact information

       --cron, -c
	      Sign/renew non-existent/changed/expiring certificates.

       --signcsr, -s path/to/csr.pem
              Sign a given CSR, output CRT on stdout (advanced usage)

       --revoke, -r path/to/cert.pem
	      Revoke specified certificate

       --cleanup, -gc
	      Move unused certificate files to archive directory

       --help, -h
              Show help text

       --env, -e
              Output configuration variables for use in other scripts


       --accept-terms
              Accept the CA's terms of service

       --full-chain, -fc
	      Print full chain when using --signcsr

       --ipv4, -4
	      Resolve names to IPv4 addresses only

       --ipv6, -6
	      Resolve names to IPv6 addresses only

       --domain, -d domain.tld
              Use specified domain name(s) instead of domains.txt entry (one

       --keep-going, -g
              Keep going after encountering an error while creating/renewing
              multiple certificates in cron mode

       --force, -x
              Force renewal of the certificate even if it is still valid for
              longer than the value in RENEW_DAYS

       --no-lock, -n
              Don't use lockfile (potentially dangerous!)

              Suffix lockfile name with a string (useful for use with -d)

       --ocsp Sets option in CSR indicating OCSP stapling to be mandatory

       --privkey, -p path/to/key.pem
              Use specified private key instead of account key (useful for re-

       --config, -f path/to/config
	      Use specified config file

       --hook, -k path/to/
	      Use specified script for hooks

       --out, -o certs/directory
	      Output certificates into the specified directory

       --challenge, -t [http-01|dns-01]
              Which challenge should be used? Currently http-01 and dns-01 are

       --algo, -a [rsa|prime256v1|secp384r1]
              Which public key algorithm should be used? Supported: rsa,
              prime256v1 and secp384r1

       The program exits 0 if everything was fine, 1 if an error occurred.

       Please report any bugs that you may encounter at the project web site

       Dehydrated was written by Lukas Schauer. This man page was contributed
       by Daniel Molkentin.

       Copyright 2015-2018 by Lukas Schauer and the respective contributors.
       Provided under the MIT License. See the LICENSE file that accompanies
       the distribution for licensing information.

       Full documentation along with configuration examples is provided in
       the docs directory of the distribution, or at

Dehydrated ACME Client            2018-01-13                     DEHYDRATED(1)

