Dehydrated

Dehydrated is a shell-script ACME client that automates the lifecycle of TLS certificates from certificate authorities like Let's Encrypt. It implements the ACME protocol entirely in POSIX shell script with no external dependencies beyond standard Unix tools, relying on OpenSSL for all cryptographic operations including key generation, signing, and certificate parsing.

The tool manages account keys, certificates, and configuration as plain files on disk, maintaining certificate metadata and account status in simple text files without a database. It delegates domain validation challenges to user-defined shell hooks, supporting http-01, dns-01, and tls-alpn-01 challenge types for flexible deployment. Certificate renewals are processed sequentially in a linear loop, checking expiration dates and domain lists before re-issuing.

Dehydrated handles the full certificate lifecycle including account registration and deactivation, certificate signing and renewal, domain ownership validation, certificate revocation, and wildcard certificate management. It can sign provided certificate signing requests either standalone or through automated hooks. The documentation covers installation, configuration, and usage for obtaining and managing free TLS certificates from ACME-compliant certificate authorities.

Features

ACME Certificate Provisioners - Automating the lifecycle of TLS certificates from ACME certificate authorities, including signing, renewal, and revocation.

ACME Clients - A shell script that automates certificate signing and renewal with ACME certificate authorities using Let's Encrypt and similar services.

Shell Script ACME Clients - An ACME client that supports obtaining and renewing wildcard TLS certificates for multiple domains.

ACME Certificate Lifecycle Managers - A tool that automates the lifecycle of X.509 certificates including signing, renewal, and revocation.

ACME Account Registrations - Register an ACME account key, update contact information, or deactivate the account with the certificate authority server.

File-Based Configuration - Stores account keys, certificates, and configuration as plain files on disk for simple management and inspection.

OpenSSL-Based Clients - Relies on the OpenSSL command-line tool for all cryptographic operations including key generation, signing, and certificate parsing.

Certificate Renewal Managers - Automatically checking certificate expiration dates and renewing certificates before they expire.

ACME CSR Signers - Sign a provided certificate signing request file and output the resulting certificate, usable standalone or with automated hooks.

Domain Validation Protocols - Proving control over domains through HTTP, DNS, or TLS challenges before certificate issuance.

DNS and HTTP Challenges - Prove domain control using http-01, dns-01, or tls-alpn-01 challenges before the certificate authority issues a certificate.

Hook-Based Challenge Delegations - Delegates domain validation challenges to user-defined shell hooks for flexible http-01, dns-01, or tls-alpn-01 handling.

ACME Certificate Clients - Obtaining and managing free TLS certificates from Let's Encrypt using the ACME protocol for web servers and services.

Wildcard Certificate Management - Requesting and renewing wildcard TLS certificates that cover multiple subdomains under a single domain.

Certificate State Trackers - Maintains certificate metadata and account status in simple text files without a database or structured storage format.

Certificate Revocations - Revoke a specified certificate through the ACME server when it is no longer needed or has been compromised.

Sequential Renewal Loops - Processes certificate renewals one at a time in a linear loop, checking expiration dates and domain lists before re-issuing.

dehydrated-iodehydrated

Features

Star history