# Automated Letsencrypt Certs with Dehydrated on Devuan/Debian

I read ratfactor's excellent guide to setting up dehydrated on Slackware with Letsencrypt [0], and did something similar to set up automated certificate renewal on my Devuan server. I use Apache with GnuTLS, but below I also provide the config directives for OpenSSL.

[0]: http://ratfactor.com/slackware/dehydrated

As expected, there is much less manual config needed on Devuan (or Debian): for example, the Apache config can be done with a simple package install, and the default dehydrated config will work fine for most uses (it worked fine for my purposes).

## Install

    apt-get install dehydrated dehydrated-apache2

The latter package installs and enables the needed config for the http-01 challenges, in /etc/apache2/conf-enabled/dehydrated.conf.

## Domains

Create and edit domains.txt in /etc/dehydrated. Each line represents one certificate, so put each certificate's domain name on its own line. For SAN certs with multiple hostnames, separate the hostnames by spaces on the same line. For example, here is a domains.txt for two certs, the second with multiple names:

    www.example.com
    www.bar.com bar.com blog.bar.com

## Initialise and test

    dehydrated --register --accept-terms
    dehydrated -c

Fix any errors you see, then once everything is working, update the Apache config in the relevant vhosts to use the newly created certs, and restart or reload Apache.

## Apache Certificate Config Directives

For GnuTLS:

    GnuTLSEnable on
    GnuTLSCertificateFile /var/lib/dehydrated/certs/www.example.com/fullchain.pem
    GnuTLSKeyFile /var/lib/dehydrated/certs/www.example.com/privkey.pem
    # GnuTLSClientCAFile is the CA list used to verify client certificates;
    # the server's own chain is already sent from fullchain.pem above.
    GnuTLSClientCAFile /var/lib/dehydrated/certs/www.example.com/chain.pem

For OpenSSL:

    SSLEngine on
    SSLCertificateFile /var/lib/dehydrated/certs/www.example.com/fullchain.pem
    SSLCertificateKeyFile /var/lib/dehydrated/certs/www.example.com/privkey.pem
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; fullchain.pem
    # in SSLCertificateFile already supplies the intermediate certificates.
    SSLCertificateChainFile /var/lib/dehydrated/certs/www.example.com/chain.pem

## Automation

Create the log file with appropriate permissions:

    touch /var/log/dehydrated && \
    chown root:adm /var/log/dehydrated && \
    chmod 640 /var/log/dehydrated

Create and activate the weekly cron script:

    root@nix2:/etc/cron.weekly# cat > dehydrated
    #!/bin/sh
    MYLOG=/var/log/dehydrated
    echo "Checking cert renewals at $(date)" >> "$MYLOG"
    /usr/bin/dehydrated -c >> "$MYLOG" 2>&1
    # Reload so Apache picks up any renewed certs
    /etc/init.d/apache2 reload
    ^D
    chmod 755 /etc/cron.weekly/dehydrated
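
The weekly cron job above only appends to a log, so a renewal that keeps failing goes unnoticed until a certificate expires. The following is an added example, not part of the original guide or of dehydrated: a check that walks domains.txt and confirms each certificate exists and has enough validity left. It assumes openssl is installed and that each certificate directory is named after the first hostname on its line (no aliases); the script name `check-certs.sh` and the 14-day threshold are hypothetical.

```shell
#!/bin/sh
# Added example: verify every certificate listed in domains.txt exists on disk
# and stays valid for at least MIN_DAYS. Assumes openssl is installed and that
# each cert directory is named after the first hostname on its line.

# Print the first hostname of each non-blank, non-comment line.
cert_names() {
    while read -r first _rest || [ -n "$first" ]; do
        case "$first" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$first"
    done < "$1"
}

# check_certs DOMAINS_FILE CERT_BASE MIN_DAYS
# Prints one status line per certificate; returns 1 if any is missing or
# expires within MIN_DAYS, 0 otherwise.
check_certs() {
    domains=$1
    base=$2
    secs=$(( $3 * 86400 ))
    rc=0
    for name in $(cert_names "$domains"); do
        pem="$base/$name/fullchain.pem"
        if [ ! -r "$pem" ]; then
            echo "MISSING  $name ($pem)"
            rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            echo "EXPIRING $name (less than $3 days left or unreadable)"
            rc=1
        else
            echo "OK       $name"
        fi
    done
    return $rc
}

# Run only when called with arguments, e.g.:
#   check-certs.sh /etc/dehydrated/domains.txt /var/lib/dehydrated/certs 14
if [ "$#" -eq 3 ]; then
    check_certs "$1" "$2" "$3"
fi
```

Run from cron after `dehydrated -c`, a non-zero exit status can be used to trigger whatever alerting the host already has, such as cron's own mail on output.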