Certs_Dehydraded Config - SomethingWithHorizons/mailserver GitHub Wiki
Configure dehydrated to create and maintain wildcard certificates for the mailserver and proxyserver to use.
- Create a directory to be used as dehydrated's default:

  ```sh
  mkdir /etc/dehydrated
  ```

- Download the default lexicon hook file used for DNS API communication:

  ```sh
  curl https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh -o /etc/dehydrated/lexicon_hooks.reference.sh
  ```

- Copy the default hook file and take ownership of the copy to enable the API configuration for your specific DNS registrar (e.g. TransIP):

  ```sh
  cp /etc/dehydrated/lexicon_hooks.reference.sh /etc/dehydrated/lexicon_hooks.<specific-DNS-registrar>.sh
  chmod u+x /etc/dehydrated/lexicon_hooks.<specific-DNS-registrar>.sh
  ```

  ⚠️ Replace `<specific-DNS-registrar>` with the name of your specific DNS registrar.
- Obtain the specific API credentials required by your specific DNS registrar:

  ⚠️ The method of obtaining the RSA key differs per DNS registrar. E.g. for TransIP:

  - Visit API key,
  - Generate the key,
  - Label the key,
  - Check Whitelisted IP,
  - Provide your IP address,
  - Store it as `/tmp/transip-api.key`,
  - Convert the file to the RSA format required by dehydrated:

    ```sh
    openssl rsa -in /tmp/transip-api.key -out /etc/dehydrated/transip-rsa.key
    ```
- Edit `/etc/dehydrated/lexicon_hooks.<specific-DNS-registrar>.sh` to configure your specific DNS registrar's API settings.

  ⚠️ Replace `<specific-DNS-registrar>` with the name of your specific DNS registrar.
  ⚠️ Refer to your DNS provider for their specifics. E.g. (for TransIP): configure the login credentials and the timeout to comply with TransIP requirements.

  ```diff
  set -e
  set -u
  set -o pipefail
  - export PROVIDER=${PROVIDER:-"cloudflare"}
  + export PROVIDER="transip"
  + export LEXICON_TRANSIP_USERNAME="<username>"
  + export LEXICON_TRANSIP_API_KEY="/etc/dehydrated/transip-rsa.key"
  lexicon $PROVIDER create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
  - sleep 30
  + sleep 300
  ```

  ⚠️ Replace `<username>` with your TransIP username.
- Create a new default config in `/etc/dehydrated/config` (using the staging API for testing):

  ```diff
  + # Defining the API endpoint
  + CA="https://acme-staging-v02.api.letsencrypt.org/directory"
  +
  + # Use the new (recommended) DNS-01 challenge implementation (has wildcard support).
  + CHALLENGETYPE="dns-01"
  +
  + # Tell dehydrated to use the lexicon implementation for automatically managing DNS records
  + HOOK="/etc/dehydrated/lexicon_hooks.<specific-DNS-registrar>.sh"
  ```

  ⚠️ Replace `<specific-DNS-registrar>` with the name of your specific DNS registrar.
- Create a list of the domains you want to request SSL certificates for in `/etc/dehydrated/domains.txt`:

  ```diff
  + example.org *.example.org
  ```

  ⚠️ Replace `example.org` with your domains (add a new line per domain).
- Register with the staging API of Let's Encrypt:

  ```sh
  /usr/local/bin/dehydrated --register --accept-terms
  ```

- Run the dehydrated script to see if dehydrated is set up correctly:

  ```sh
  PATH=$PATH:/usr/local/bin dehydrated --cron
  ```

  ⚠️ This command will take some time due to the timeout on DNS changes.
  ℹ️ Correct operation will end with:

  ```
  + Done!
  ```
- Edit `/etc/dehydrated/config` to use the production API:

  ```diff
  # Defining the API endpoint
  - CA="https://acme-staging-v02.api.letsencrypt.org/directory"
  + CA="https://acme-v02.api.letsencrypt.org/directory"
  ```

- Register with the production API of Let's Encrypt:

  ```sh
  /usr/local/bin/dehydrated --register --accept-terms
  ```

- Rerun the dehydrated script to get the wildcard certificates from the production API of Let's Encrypt:

  ```sh
  PATH=$PATH:/usr/local/bin dehydrated --cron --force
  ```

  ⚠️ This command will take some time due to the timeout on DNS changes.

- Configure crontab for automatic renewal of the certificates by issuing `crontab -e` and adding:

  ```diff
  + @daily bash /usr/local/bin/dehydrated --cron
  ```
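Before the first `dehydrated --cron` run, a quick sanity check of the layout built above catches the usual slips (placeholder left in `HOOK`, hook not executable, API key readable by everyone, `example.org` still in `domains.txt`). This is an added example, not part of this wiki, dehydrated or lexicon; it assumes the hook exports the key path as `LEXICON_<PROVIDER>_API_KEY` exactly as in the TransIP snippet, and takes the dehydrated directory as its argument so it can be tried on a copy.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the dehydrated + lexicon DNS-01 layout used on this page
# (not part of dehydrated or lexicon). Assumes: $1 holds config, domains.txt and the hook
# script named in HOOK; the hook exports LEXICON_<PROVIDER>_API_KEY as a path to the RSA key.
set -u

# Print findings; return 0 when the setup looks sane, 1 otherwise.
check_dehydrated_setup() {
  local dir="$1" rc=0 hook key perm
  local config="$dir/config" domains="$dir/domains.txt"

  [ -r "$config" ] || { echo "FAIL: $config is missing"; return 1; }
  grep -q '^CHALLENGETYPE="dns-01"' "$config" \
    || { echo "FAIL: CHALLENGETYPE must be dns-01 for wildcard names"; rc=1; }
  grep -q 'acme-staging' "$config" \
    && echo "INFO: CA still points at the Let's Encrypt staging endpoint"

  # The hook script is what talks to the registrar API; placeholders and a missing +x are common slips.
  hook=$(sed -n 's/^HOOK="\(.*\)"$/\1/p' "$config")
  case "$hook" in
    "")   echo "FAIL: HOOK not set in $config"; return 1 ;;
    *\<*) echo "FAIL: HOOK still contains a <placeholder>: $hook"; return 1 ;;
  esac
  [ -x "$hook" ] || { echo "FAIL: hook $hook is not executable (chmod u+x)"; rc=1; }

  # The API key grants write access to your DNS zone: it must not be group/world readable.
  key=$(sed -n 's/^export LEXICON_[A-Z0-9_]*_API_KEY="\(.*\)"$/\1/p' "$hook")
  if [ -z "$key" ] || [ ! -f "$key" ]; then
    echo "FAIL: API key file referenced by $hook not found: '$key'"; rc=1
  else
    perm=$(ls -ld -- "$key" | cut -c5-10)   # group + other permission bits
    [ "$perm" = "------" ] || { echo "FAIL: $key is readable by others (chmod 600)"; rc=1; }
  fi

  # domains.txt: one certificate per line; the wildcard is listed next to its base name.
  [ -s "$domains" ] || { echo "FAIL: $domains is empty"; return 1; }
  grep -q '\*\.' "$domains" || echo "INFO: no wildcard (*.) entry in $domains"
  grep -q 'example\.org' "$domains" \
    && { echo "FAIL: example.org placeholder left in $domains"; rc=1; }
  return "$rc"
}
```

Run it as `check_dehydrated_setup /etc/dehydrated` after the config and hook steps; a non-zero exit means at least one FAIL line was printed.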