Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
DEHYDRATED(1)		    General Commands Manual		 DEHYDRATED(1)

NAME
       dehydrated - ACME client	implemented as a shell-script

SYNOPSIS
       dehydrated [command [argument]] [argument [argument]] ...

DESCRIPTION
       A  client  for ACME-based Certificate Authorities, such as LetsEncrypt.
       It can be used to request and obtain TLS	 certificates  from  an	 ACME-
       based certificate authority.

       Before  any  certificates can be	requested, Dehydrated needs to acquire
       an account with the Certificate Authorities. Optionally,	an  email  ad-
       dress  can  be provided.	 It will be used to e.g. notify	about expiring
       certificates. You will usually need to accept the Terms of  Service  of
       the  CA.	  Dehydrated will notify if no account is configured. Run with
       --register --accept-terms to create a new account.

       Next, all domain	names must be provided in domains.txt. The  format  is
       line  based:  If	 the  file contains two	lines "example.com" and	"exam-
       ple.net", dehydrated will  request  two	certificate,  one  for	"exam-
       ple.com"	and the	other for "example.net". A single line containing "ex-
       ample.com example.net" will request a single certificate	valid for both
       "example.net"  and  "example.com"  through the Subject Alternative Name
       (SAN) field.

       For the next step, one way of verifying domain name ownership needs  to
       be configured.  Dehydrated implements http-01 and dns-01	verification.

       The  http-01  verification  provides  proof of ownership	by providing a
       challenge token.	In order to do that, the directory referenced  in  the
       WELLKNOWN config	variable needs to be exposed at	http://{domain}/.well-
       known/acme-challenge/, where {domain} is	every domain name specified in
       domains.txt.   Dehydrated does not provide its own challenge responder,
       but relies on an	existing web server to provide the challenge response.
       See wellknown.md	for configuration examples of popular web servers.

       The dns-01 verification works by	providing a  challenge	token  through
       DNS.   This  is especially interesting for hosts	that cannot be exposed
       to the public Internet.	Because	adding records to DNS zones is	often-
       times  highly  specific	to  the	 software or the DNS provider at hand,
       there are many third party hooks	available for  dehydrated.   See  dns-
       verification.md for hooks for popular DNS servers and DNS hosters.

       Finally,	the certificates need to be requested and updated on a regular
       basis.	This  can happen through a cron	job or a timer.	Initially, you
       may enforce this	by invoking dehydrated -c manually.

       After  a	 successful  run,  certificates	 are  stored   in   /etc/dehy-
       drated/certs/{domain},  where  {domain} is the domain name in the first
       column of domains.txt.

OPTIONS
       Commands

       --version, -v
	      Print version information

       --register
	      Register account key

       --account
	      Update account contact information

       --cron, -c
	      Sign/renew non-existent/changed/expiring certificates.

       --signcsr, -s path/to/csr.pem
	      Sign a given CSR,	output CRT on stdout (advanced usage)

       --revoke, -r path/to/cert.pem
	      Revoke specified certificate

       --cleanup, -gc
	      Move unused certificate files to archive directory

       --help, -h
	      Show help	text

       --env, -e
	      Output configuration variables for use in	other scripts

       Parameters

       --accept-terms
	      Accept CAs terms of service

       --full-chain, -fc
	      Print full chain when using --signcsr

       --ipv4, -4
	      Resolve names to IPv4 addresses only

       --ipv6, -6
	      Resolve names to IPv6 addresses only

       --domain, -d domain.tld
	      Use specified domain name(s) instead of domains.txt  entry  (one
	      certificate!)

       --keep-going, -g
	      Keep  going  after encountering an error while creating/renewing
	      multiple certificates in cron mode

       --force,	-x
	      Force certificate	renewal	even if	it is not due to expire	within
	      RENEW_DAYS

       --no-lock, -n
	      Don't use	lockfile (potentially dangerous!)

       --lock-suffix example.com
	      Suffix lockfile name with	a string (useful for use with -d)

       --ocsp Sets option in CSR indicating OCSP stapling to be	mandatory

       --privkey, -p path/to/key.pem
	      Use specified private key	instead	of account key (useful for re-
	      vocation)

       --config, -f path/to/config
	      Use specified config file

       --hook, -k path/to/hook.sh
	      Use specified script for hooks

       --out, -o certs/directory
	      Output certificates into the specified directory

       --challenge, -t [http-01|dns-01]
	      Which challenge should be	used? Currently	http-01	and dns-01 are
	      supported

       --algo, -a [rsa|prime256v1|secp384r1]
	      Which public key	algorithm  should  be  used?  Supported:  rsa,
	      prime256v1 and secp384r1

DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if	an error occurred.

BUGS
       Please  report  any bugs	that you may encounter at the project web site
       <https://github.com/lukas2511/dehydrated/issues>.

AUTHOR
       Dehydrated was written by Lukas Schauer.	This man page was  contributed
       by Daniel Molkentin.

COPYRIGHT
       Copyright  2015-2018  by	Lukas Schauer and the respective contributors.
       Provided	under the MIT License. See the LICENSE file  that  accompanies
       the distribution	for licensing information.

SEE ALSO
       Full  documentation  along  with	configuration examples are provided in
       the    docs    directory	    of	   the	   distribution,     or	    at
       <https://github.com/lukas2511/dehydrated/tree/master/docs>.

Dehydrated ACME	Client		  2018-01-13			 DEHYDRATED(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=dehydrated&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>

home | help