DEHYDRATED(1) General Commands Manual DEHYDRATED(1)

dehydrated - ACME client implemented as a shell-script

dehydrated [command [argument]] [argument [argument]] ...

A client for ACME-based Certificate Authorities, such as LetsEncrypt.
It can be used to request and obtain TLS certificates from an
ACME-based certificate authority.

Before any certificates can be requested, Dehydrated needs to acquire
an account with the Certificate Authorities. Optionally, an email
address can be provided. It will be used to e.g. notify about expiring
certificates. You will usually need to accept the Terms of Service of
the CA. Dehydrated will notify if no account is configured. Run with
--register --accept-terms to create a new account.

Next, all domain names must be provided in domains.txt. The format is
line based: If the file contains two lines "example.com" and
"example.net", Dehydrated will request two certificates, one for
"example.com" and the other for "example.net". A single line with
"example.com example.net" will request a single certificate valid for
both "example.net" and "example.com" through the Subject Alternative
Name (SAN) field.

For the next step, one way of verifying domain name ownership needs to
be configured. Dehydrated implements http-01 and dns-01 verification.

The http-01 verification provides proof of ownership by providing a
challenge token. In order to do that, the directory referenced in the
WELLKNOWN config variable needs to be exposed at
http://{domain}/.well-known/acme-challenge/, where {domain} is every
domain name specified in domains.txt. Dehydrated does not provide its
own challenge responder, but relies on an existing web server to
provide the challenge response. See wellknown.md for configuration
examples of popular web servers.

The dns-01 verification works by providing a challenge token through
DNS. This is especially interesting for hosts that cannot be exposed
to the public Internet. Because adding records to DNS zones is
oftentimes highly specific to the software or the DNS provider at hand,
there are many third party hooks available for dehydrated. See
dns-verification.md for hooks for popular DNS servers and DNS hosters.

Finally, the certificates need to be requested and updated on a regular
basis. This can happen through a cron job or a timer. Initially, you
may enforce this by invoking dehydrated -c manually.

After a successful run, certificates are stored in
/etc/dehydrated/certs/{domain}, where {domain} is the domain name in
the first column of domains.txt.
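
The following is an added example, not part of the dehydrated distribution: it previews which certificates a domains.txt would request and where each would be stored, and lists names that appear on more than one line. The helper names plan_certs and duplicate_names, the skipping of blank and '#' lines, and the sample file are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of dehydrated: preview what a domains.txt asks for.
# CERTDIR defaults to the certificate path named in this manual page.
CERTDIR="${CERTDIR:-/etc/dehydrated/certs}"

# plan_certs FILE  (hypothetical helper)
# Prints one line per certificate: "<cert directory> <name> [<SAN> ...]".
plan_certs() {
    while read -r first rest || [ -n "$first" ]; do
        # Assumption: blank lines and '#' comment lines carry no names.
        case "$first" in ''|'#'*) continue ;; esac
        # Normalise tabs and repeated spaces between the remaining names.
        rest=$(printf '%s' "$rest" | tr -s '\t ' '  ')
        printf '%s/%s %s%s\n' "$CERTDIR" "$first" "$first" "${rest:+ $rest}"
    done < "$1"
}

# duplicate_names FILE  (hypothetical helper)
# Prints every name that occurs on more than one line, i.e. a name that
# would be placed in more than one certificate.
duplicate_names() {
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # tr splits on whitespace without shell globbing (safe for names
        # containing '*'); sort -u drops repeats within a single line.
        printf '%s\n' "$line" | tr -s '\t ' '\n\n' | sort -u
    done < "$1" | sort | uniq -d
}

# Constructed sample input, not taken from a real deployment.
sample_domains() {
    cat <<'EOF'
# constructed sample
example.com www.example.com
example.net

example.org example.com
EOF
}

tmp=$(mktemp)
sample_domains > "$tmp"
plan_certs "$tmp"
echo "on more than one line: $(duplicate_names "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

Running it against the real file (for example plan_certs /etc/dehydrated/domains.txt, if that is where the file lives on your system) before dehydrated -c shows the certificate grouping without contacting the CA.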

Commands

--version, -v
Print version information

--register
Register account key

--account
Update account contact information

--cron, -c
Sign/renew non-existent/changed/expiring certificates.

--signcsr, -s path/to/csr.pem
Sign a given CSR, output CRT on stdout (advanced usage)

--revoke, -r path/to/cert.pem
Revoke specified certificate

--cleanup, -gc
Move unused certificate files to archive directory

--help, -h
Show help text

--env, -e
Output configuration variables for use in other scripts

Parameters

--accept-terms
Accept CA's terms of service

--full-chain, -fc
Print full chain when using --signcsr

--ipv4, -4
Resolve names to IPv4 addresses only

--ipv6, -6
Resolve names to IPv6 addresses only

--domain, -d domain.tld
Use specified domain name(s) instead of domains.txt entry (one
certificate!)

--keep-going, -g
Keep going after encountering an error while creating/renewing
multiple certificates in cron mode

--force, -x
Force renewal of certificate even if it is valid for longer than the
value in RENEW_DAYS

--no-lock, -n
Don't use lockfile (potentially dangerous!)

--lock-suffix example.com
Suffix lockfile name with a string (useful for use with -d)

--ocsp
Sets option in CSR indicating OCSP stapling to be mandatory

--privkey, -p path/to/key.pem
Use specified private key instead of account key (useful for
revocation)

--config, -f path/to/config
Use specified config file

--hook, -k path/to/hook.sh
Use specified script for hooks

--out, -o certs/directory
Output certificates into the specified directory

--challenge, -t [http-01|dns-01]
Which challenge should be used? Currently http-01 and dns-01 are
supported

--algo, -a [rsa|prime256v1|secp384r1]
Which public key algorithm should be used? Supported: rsa,
prime256v1 and secp384r1

The program exits 0 if everything was fine, 1 if an error occurred.

Please report any bugs that you may encounter at the project web site
⟨https://github.com/lukas2511/dehydrated/issues⟩.

Dehydrated was written by Lukas Schauer. This man page was contributed
by Daniel Molkentin.

Copyright 2015-2018 by Lukas Schauer and the respective contributors.
Provided under the MIT License. See the LICENSE file that accompanies
the distribution for licensing information.

Full documentation, along with configuration examples, is provided in
the docs directory of the distribution, or at
⟨https://github.com/lukas2511/dehydrated/tree/master/docs⟩.

Dehydrated ACME Client 2018-01-13 DEHYDRATED(1)