Letsencrypt

From Jon's Wiki

It's easy in Ubuntu 20.04 using dehydrated.

Install the things

First install the nifty dehydrated utility[1]:

apt install dehydrated

Set up the site for the HTTP challenge

You can use the dehydrated script with the ACME HTTP-01 challenge. It talks to the Letsencrypt CA, drops a token file into /var/lib/dehydrated/acme-challenges for your site to serve while the CA validates the domain name, and deletes it afterwards. So make sure the plain-HTTP side of your site serves that one directory at the well-known URL path directly, without redirecting it to HTTPS, so that validation never depends on the HTTPS side being healthy (which it won't be when the certificate has already expired). Everything else on port 80 can, and should, still be bounced to HTTPS. In Apache you need something like the following: the <Directory> block is required because Ubuntu's default apache2.conf denies access to anything outside /var/www, and the redirect uses mod_rewrite (a2enmod rewrite) so it can send each request to HTTPS on the same host name without hard-coding it:

<VirtualHost *:80>
  Alias "/.well-known/acme-challenge/" "/var/lib/dehydrated/acme-challenges/"
  <Directory "/var/lib/dehydrated/acme-challenges/">
    Require all granted
  </Directory>
  RewriteEngine On
  RewriteRule !^/\.well-known/acme-challenge/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Or the same thing in nginx:

server {
  listen 80;
  location /.well-known/acme-challenge/ {
    alias /var/lib/dehydrated/acme-challenges/;
  }
  location / {
    return 301 https://$host$request_uri;
  }
}

Fetch your certificates

Then run the following command (dehydrated first needs an account with the CA, so run dehydrated --register --accept-terms once before this). Once you've proven it works, bung it in /etc/cron.d/letsencrypt-renew to run every so often: Letsencrypt certificates expire after 90 days, and dehydrated -c only actually renews a certificate once it is within RENEW_DAYS (default 30) of expiry, so a weekly run is plenty.

/usr/bin/dehydrated -c --domain --challenge http-01

Set up your HTTPS site

Now you can enable the HTTPS side of your site with the shiny new certificates the Letsencrypt CA generated for you. dehydrated writes them into a per-domain directory under /var/lib/dehydrated/certs/ as fullchain.pem (leaf plus intermediate, which is what the server should send), cert.pem, chain.pem and privkey.pem (the private key; dehydrated creates it readable by root only, keep it that way). Apache needs mod_ssl and mod_headers enabled (a2enmod ssl headers) for the directives below:

<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /var/lib/dehydrated/certs/
  SSLCertificateKeyFile /var/lib/dehydrated/certs/
  Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

More or less the same thing in nginx. The old ssl on; directive is deprecated since nginx 1.15.0 and was removed in 1.25.1; the ssl parameter on listen replaces it. ssl_trusted_certificate (the chain) is only consulted if you also turn on ssl_stapling:

server {
  listen        *:443 ssl;
  ssl_certificate     /var/lib/dehydrated/certs/;
  ssl_certificate_key /var/lib/dehydrated/certs/;
  ssl_trusted_certificate /var/lib/dehydrated/certs/;
  add_header Strict-Transport-Security max-age=63072000;
}

In addition, you probably want to lock down the SSL nicely. Best to refer to the Mozilla SSL config generator for the most up-to-date configuration, and put this in a separate common config file that you can include where needed.

Run a script from cron

Edit the config file:

# Contents of /etc/dehydrated/config

Then make a script to run from a cron job. (dehydrated's own way of doing this is to list the domains in /etc/dehydrated/domains.txt and run a single dehydrated -c, which walks the list; looping explicitly, as here, works too.)

#!/bin/sh
# Script: /usr/local/bin/letsencrypt-renew
# Renew site SSL certificates with LetsEncrypt using dehydrated.
# See: 
for domain in \
; do
    dehydrated -c --domain "$domain" --challenge http-01
    sleep 2
done

And a cron job like this. Note that the script above does not reload Apache or nginx, which keep serving the old certificate from memory until they are reloaded, so either add a reload to the script or do it from a dehydrated hook (HOOK= in /etc/dehydrated/config). Also, > truncates the log files on every run; use >> if you want history.

# Contents of /etc/cron.d/letsencrypt-renew
# Attempt SSL certificate renewals with dehydrated weekly
22 22 * * 2 root /usr/local/bin/letsencrypt-renew > /var/log/letsencrypt-renew.log 2> /var/log/letsencrypt-renew.err
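
The two things the renewal above leaves to chance are whether the plain-HTTP challenge path is really reachable the way the CA will fetch it, and whether the web server ever gets reloaded after a renewal. Both fit naturally into a dehydrated hook script, which dehydrated calls as hook.sh <action> <args...> when HOOK= is set in /etc/dehydrated/config. The following is an added example written for this page; it is not code from the wiki or from the dehydrated project. The action names and their argument lists are dehydrated's documented hook interface; the file name /etc/dehydrated/hook.sh, the log path, curl for the pre-flight fetch and Apache under systemd for the reload are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Hypothetical /etc/dehydrated/hook.sh (added example; not from the wiki or the
# dehydrated project).  Enable it with  HOOK=/etc/dehydrated/hook.sh  in
# /etc/dehydrated/config.  dehydrated calls it as:  hook.sh <action> <args...>
#
# Assumptions (override via environment): Apache under systemd for the reload,
# curl for the pre-flight fetch, and the log file location.
set -u

RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"
FETCH_CMD="${FETCH_CMD:-curl -fsS --max-redirs 0 --max-time 10}"

log() {
    printf '%s hook: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" \
        >>"${HOOK_LOG:-/var/log/letsencrypt-renew.log}"
}

# Fetch a URL the way the CA does for HTTP-01 (plain HTTP, no redirect followed)
# and compare the body with the expected token value.
# Returns 0 on match, 1 on mismatch, redirect, HTTP error or unreachable host.
check_challenge_url() {
    url="$1"; expected="$2"
    body="$($FETCH_CMD "$url" 2>/dev/null)" || return 1
    [ "$body" = "$expected" ]
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# dehydrated has already written the token into WELLKNOWN; pre-flight it here so
# a vhost that redirects /.well-known/acme-challenge/ to HTTPS (or has a broken
# Alias) is caught before the CA tries and the renewal fails.
deploy_challenge() {
    domain="$1"; token_file="$2"; token_value="$3"
    if check_challenge_url "http://$domain/.well-known/acme-challenge/$token_file" "$token_value"; then
        log "$domain: challenge token reachable over plain HTTP"
    else
        log "$domain: WARNING challenge token NOT served as expected (redirect or alias broken?)"
    fi
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Called only when a certificate was actually (re)issued, which is exactly when
# the web server must reload to stop serving the old one from memory.
deploy_cert() {
    domain="$1"; fullchain="$4"
    log "$domain: new certificate $fullchain, reloading web server"
    $RELOAD_CMD || log "$domain: WARNING reload failed: $RELOAD_CMD"
}

# unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
unchanged_cert() { log "$1: certificate still outside RENEW_DAYS, nothing to do"; }

# invalid_challenge DOMAIN RESPONSE
invalid_challenge() { log "$1: challenge rejected by CA: $2"; }

# request_failure STATUSCODE REASON REQTYPE HEADERS
request_failure() { log "CA request failed: HTTP $1 $2 ($3)"; }

# Dispatch on the action dehydrated passes.  Actions this hook does not care
# about (clean_challenge, generate_csr, startup_hook, exit_hook, ...) are ignored.
case "${1:-}" in
    deploy_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure)
        action="$1"; shift; "$action" "$@" ;;
    *) ;;
esac
```

The pre-flight in deploy_challenge fetches with --max-redirs 0 on purpose: a 301 to HTTPS is reported as a failure, which is the misconfiguration the Apache and nginx snippets above are there to avoid. Leaving the reload in deploy_cert rather than in the cron script means Apache is only reloaded on the runs where something changed.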


  1. If you don't have Ubuntu 20.04, use
    git clone /opt/dehydrated
    ln -s /opt/dehydrated/dehydrated /usr/local/bin/