Encountered an issue while getting dehydrated to work, wrote up a tutorial #189

Closed
opened 2025-12-29 00:26:52 +01:00 by adam · 1 comment
Owner

Originally created by @blha303 on GitHub (Jan 28, 2017).

Maybe this can go in the wiki or something once it's been tested by someone with a different setup.

As I was setting up dehydrated, somehow I missed that WELLKNOWN was supposed to be a path to .well-known/acme-challenge. I was trying to figure out where the hell it was writing the challenge files to, turns out they're strewn around my web root. Given that there's no list of commands someone in my situation (using Ubuntu Server, been generating LE certs [semi-manually](https://gethttpsforfree.com) for a while, looking for a script that just puts the files in .well-known and doesn't try to do anything automagically with the web server) can follow, I summarised the commands I used and my web server config if you too want an A+ rank on ssllabs. I made a couple changes for the sake of being a proper tutorial; if you've already got a `<VirtualHost *:443>` block you should just edit the filenames if necessary.

-----

* `git clone https://github.com/lukas2511/dehydrated`
* `cd dehydrated`
* `vim config`

```
# Switch these when you successfully generate a certificate.
#CA="https://acme-v01.api.letsencrypt.org/directory"
CA="https://acme-staging.api.letsencrypt.org/directory"

WELLKNOWN="/var/www/html/.well-known/acme-challenge"

CONTACT_EMAIL=email@addr
```

* `vim domains.txt`

```
example.com
```

* `./dehydrated -c`

```
# INFO: Using main config file /path/to/dehydrated/config
Processing example.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example.com...
 + Responding to challenge for example.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
```

* `a2enmod ssl`
* `cd /etc/apache2`
* `sudo ln -s /path/to/dehydrated/certs/example.com/fullchain.pem example.com.pem`
* `sudo ln -s /path/to/dehydrated/certs/example.com/privkey.pem example.com.key`
* `vim sites-available/example.com.conf`

```
<VirtualHost *:80>
...
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot /var/www/html
        ServerName example.com
        SSLEngine on
        SSLCertificateFile /etc/apache2/example.com.pem
        SSLCertificateKeyFile /etc/apache2/example.com.key
        <Location />
                Require all granted
        </Location>
</VirtualHost>
```

* `vim ports.conf`

```
Listen 80

<IfModule ssl_module>
        Listen 443
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
# For A+ ssllabs rating, forces you to use ssl in the future, uncomment with caution
# If this is left commented, the highest rank you'll be able to get is A
#        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
# The Header directives below need mod_headers (a2enmod headers)
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        SSLCompression off
        SSLUseStapling on
        SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
</IfModule>
```

* `sudo service apache2 reload`
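The mistake described in the post (WELLKNOWN pointing somewhere other than `<DocumentRoot>/.well-known/acme-challenge`, so challenge files land where the CA never looks) is easy to catch before switching `CA` to production. This is an added pre-flight check, not part of the issue or of dehydrated itself; it assumes a dehydrated `config` in the `KEY="value"` form shown above and an Apache DocumentRoot, and the function names are made up for this example.

```shell
#!/bin/sh
# Pre-flight check for dehydrated's WELLKNOWN setting (added example, not from the issue).
# Assumes a dehydrated config with KEY="value" lines and a known Apache DocumentRoot.

# Read one KEY="value" setting from a dehydrated config; commented-out lines (#CA=...) are ignored.
config_value() {  # usage: config_value <config-file> <KEY>
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Return 0 only if WELLKNOWN is exactly <docroot>/.well-known/acme-challenge (trailing slashes ignored).
# Anywhere else, dehydrated still writes the token files, but the CA fetches
# http://<domain>/.well-known/acme-challenge/<token> from the web root and gets a 404.
wellknown_matches_docroot() {  # usage: wellknown_matches_docroot <docroot> <wellknown>
    docroot=$(printf '%s' "$1" | sed 's:/*$::')
    wellknown=$(printf '%s' "$2" | sed 's:/*$::')
    [ "$wellknown" = "$docroot/.well-known/acme-challenge" ]
}

# Drop a probe token into WELLKNOWN and print the URL the CA would request, so the
# path can be checked with curl or a browser while CA still points at staging.
write_probe() {  # usage: write_probe <wellknown> <domain>
    token="preflight-$(date +%s)"
    mkdir -p "$1" && printf 'ok\n' > "$1/$token" || return 1
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$2" "$token"
}

# Tie it together: fail loudly if WELLKNOWN is unset or does not sit under the DocumentRoot.
preflight() {  # usage: preflight <dehydrated-config> <apache-docroot> <domain>
    wk=$(config_value "$1" WELLKNOWN)
    [ -n "$wk" ] || { echo "WELLKNOWN is not set in $1" >&2; return 1; }
    if ! wellknown_matches_docroot "$2" "$wk"; then
        echo "WELLKNOWN=$wk is not $2/.well-known/acme-challenge; challenges will land elsewhere" >&2
        return 1
    fi
    write_probe "$wk" "$3"
}
```

Fetch the printed URL over plain HTTP from outside the host; a 200 with body `ok` means the `:80` vhost serves the directory dehydrated writes to, and the staging run can then be repeated against the production CA.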
adam closed this issue 2025-12-29 00:26:52 +01:00
Author
Owner

@blha303 commented on GitHub (Jan 28, 2017):

It's not an issue really, I didn't want to make a wiki page without checking with the repo owner.

Reference: starred/dehydrated#189