========================
dehydrated Configuration
========================

dehydrated
==========

In order for dehydrated to work, port 80 needs to be accessible from the internet.

General Settings
----------------

.. code-block:: bash

    # Write the local dehydrated settings (RSA 4096, http-01, OCSP must-staple).
    cat > "/etc/dehydrated/conf.d/local.sh" << EOF
    CA="https://acme-v02.api.letsencrypt.org/directory"
    CHALLENGETYPE="http-01"
    KEYSIZE="4096"
    PRIVATE_KEY_RENEW="yes"
    PRIVATE_KEY_ROLLOVER="yes"
    KEY_ALGO="rsa"
    CONTACT_EMAIL="${ROOT_EMAIL}"
    OCSP_MUST_STAPLE="yes"
    EOF

Make sure to replace ``${ROOT_EMAIL}`` with a proper email address. The heredoc delimiter is unquoted, so the shell expands the variable when the file is written; if it is unset, ``CONTACT_EMAIL`` ends up empty.

Domain Settings
---------------

.. code-block:: bash

    # The command substitutions are expanded when the file is written.
    cat > "/etc/dehydrated/domains.txt" << EOF
    $(hostname -f) $(hostname)
    EOF

Cron
----

.. code-block:: bash

    # /etc/cron.d format: five schedule fields (or @reboot), then the user, then the command.
    cat > "/etc/cron.d/dehydrated" << EOF
    0 0 * * * root test -x /usr/bin/dehydrated && dehydrated --cron --hook /usr/local/bin/hpkp.sh && dehydrated --cleanup && rm -rf /var/lib/dehydrated/archive/*
    @reboot root test -x /usr/bin/dehydrated && dehydrated --cron --hook /usr/local/bin/hpkp.sh && dehydrated --cleanup && rm -rf /var/lib/dehydrated/archive/*
    EOF
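
Added example (not part of the original page or the dehydrated project): a pre-flight check for the files written above. It catches an empty or unexpanded ``CONTACT_EMAIL`` in ``local.sh`` and cron entries that lack five schedule fields (or a single ``@keyword``) followed by a user. The function names are hypothetical, and the schedule check assumes numeric fields only.

```bash
#!/bin/sh
# Added example: pre-flight checks for the files this page writes.
# check_contact_email and check_cron_file are hypothetical helper names.

# The heredoc delimiter is unquoted, so ${ROOT_EMAIL} is expanded when the file
# is written; an unset variable leaves CONTACT_EMAIL="" behind.
check_contact_email() {
    value=$(sed -n 's/^CONTACT_EMAIL="\(.*\)"$/\1/p' "$1" | tail -n 1)
    case "$value" in
        *'$'*)    echo "CONTACT_EMAIL still holds a placeholder" >&2; return 1 ;;
        ?*@?*.?*) return 0 ;;
        *)        echo "CONTACT_EMAIL is empty or not an address" >&2; return 1 ;;
    esac
}

# /etc/cron.d entries need five schedule fields (or one @keyword), then a user,
# then the command. Assumption: numeric schedule fields only, no month/day names.
check_cron_file() {
    awk '
        /^[ \t]*(#|$)/ { next }                            # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }    # VAR=value line
        {
            n = ($1 ~ /^@/) ? 1 : 5                        # schedule field count
            ok = ((NF > n + 1) && ($(n + 1) ~ "^[a-z_][a-z0-9_-]*$"))
            if (n == 5)
                for (i = 1; i <= 5; i++)
                    if ($i !~ "^[0-9*,/-]+$") ok = 0
            if (!ok) {
                printf "line %d: bad schedule or user field: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1" >&2
}

# Check the live files only when called with "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    check_contact_email /etc/dehydrated/conf.d/local.sh &&
        check_cron_file /etc/cron.d/dehydrated
fi
```

Both functions take the file path as an argument, so they can be pointed at a staged copy before the files are installed.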