For the http-01 challenge configured below, dehydrated needs port 80 on this host to be reachable from the internet.
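# The heredoc delimiter is unquoted, so ${ROOT_EMAIL} is expanded when this
# file is written; require it here rather than silently writing an empty
# CONTACT_EMAIL into the config.
: "${ROOT_EMAIL:?set ROOT_EMAIL to the ACME account contact address}"
# OCSP_MUST_STAPLE="yes" asks for the must-staple extension in the issued
# certificate: the web server must then actually serve stapled OCSP responses,
# otherwise clients that honour the extension will reject the certificate.
cat > "/etc/dehydrated/conf.d/local.sh" << EOF
CA="https://acme-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
KEYSIZE="4096"
PRIVATE_KEY_RENEW="yes"
PRIVATE_KEY_ROLLOVER="yes"
KEY_ALGO="rsa"
CONTACT_EMAIL="${ROOT_EMAIL}"
OCSP_MUST_STAPLE="yes"
EOF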
Make sure to replace `${ROOT_EMAIL}` with a real contact email address; because the heredoc delimiter is unquoted, the variable is expanded when `local.sh` is written, so set it beforehand or edit the file afterwards.
# Write the single certificate line for this host: the FQDN followed by the
# short hostname (dehydrated treats further names on a line as extra SANs).
# Both names are resolved now, at write time, not when dehydrated runs.
printf '%s %s\n' "$(hostname -f)" "$(hostname)" > "/etc/dehydrated/domains.txt"
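# /etc/cron.d entries take five time fields, then the user, then the command.
# The original daily line had only four time fields and the @reboot line had
# two stray "*" fields; "@reboot" replaces all five time fields, so the user
# name follows it directly. Both lines were silently ignored by cron as written.
# Note: the trailing rm discards the archived (rolled-over) keys and certs that
# --cleanup has just moved aside, so there is no local copy to roll back to.
cat > "/etc/cron.d/dehydrated" << EOF
0 0 * * * root test -x /usr/bin/dehydrated && dehydrated --cron --hook /usr/local/bin/hpkp.sh && dehydrated --cleanup && rm -rf /var/lib/dehydrated/archive/*
@reboot root test -x /usr/bin/dehydrated && dehydrated --cron --hook /usr/local/bin/hpkp.sh && dehydrated --cleanup && rm -rf /var/lib/dehydrated/archive/*
EOF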