Provided by: dehydrated_0.7.0-3_all bug


       dehydrated - ACME client implemented as a shell-script


       dehydrated [command [argument]] [argument [argument]] ...


       A  client  for ACME-based Certificate Authorities, such as LetsEncrypt.  It can be used to
       request and obtain TLS certificates from an ACME-based certificate authority.

       Before any certificates can be requested, Dehydrated needs to acquire an account with  the
       Certificate Authorities. Optionally, an email address can be provided.  It will be used to
       e.g. notify about expiring certificates. You will usually need  to  accept  the  Terms  of
       Service  of  the  CA.   Dehydrated  will  notify  if  no  account  is configured. Run with
       --register --accept-terms to create a new account.

       Next, all domain names must be provided in domains.txt. The format is line based:  If  the
       file  contains  two  lines  ""  and  "", Dehydrated will request two
       certificate, one for "" and the other for "". A  single  line  while
       ""  will request a single certificate valid for both ""
       and "" through the Subject Alternative Name (SAN) field.

       For the next step, one way of verifying domain name  ownership  needs  to  be  configured.
       Dehydrated implements http-01 and dns-01 verification.

       The  http-01  verification  provides proof of ownership by providing a challenge token. In
       order to do that, the directory referenced in the WELLKNOWN config variable  needs  to  be
       exposed  at  http://{domain}/.well-known/acme-challenge/,  where  {domain} is every domain
       name specified in domains.txt.  Dehydrated does not provide its own  challenge  responder,
       but  relies on an existing web server to provide the challenge response.  See
       for configuration examples of popular web servers.

       The dns-01 verification works by  providing  a  challenge  token  through  DNS.   This  is
       especially  interesting  for hosts that cannot be exposed to the public Internet.  Because
       adding records to DNS zones is oftentimes highly specific  to  the  software  or  the  DNS
       provider  at  hand,  there  are many third party hooks available for dehydrated.  See dns- for hooks for popular DNS servers and DNS hosters.

       Finally, the certificates need to be requested and updated on a regular basis.   This  can
       happen  through  a  cron  job  or  a  timer.  Initially,  you may enforce this by invoking
       dehydrated -c manually.

       After a successful run, certificates are stored in  /etc/dehydrated/certs/{domain},  where
       {domain} is the domain name in the first column of domains.txt.



       --version, -v
              Print version information

              Register account key

              Update account contact information

       --cron, -c
              Sign/renew non-existent/changed/expiring certificates.

       --signcsr, -s path/to/csr.pem
              Sign a given CSR, output CRT on stdout (advanced usage)

       --revoke, -r path/to/cert.pem
              Revoke specified certificate

       --cleanup, -gc
              Move unused certificate files to archive directory

       --help, -h
              Show help text

       --env, -e
              Output configuration variables for use in other scripts


              Accept CAs terms of service

       --full-chain, -fc
              Print full chain when using --signcsr

       --ipv4, -4
              Resolve names to IPv4 addresses only

       --ipv6, -6
              Resolve names to IPv6 addresses only

       --domain, -d domain.tld
              Use specified domain name(s) instead of domains.txt entry (one certificate!)

       --keep-going, -g
              Keep   going   after   encountering   an  error  while  creating/renewing  multiple
              certificates in cron mode

       --force, -x
              Force renew of certificate even if it is longer valid than value in RENEW_DAYS

       --no-lock, -n
              Don't use lockfile (potentially dangerous!)

              Suffix lockfile name with a string (useful for use with -d)

       --ocsp Sets option in CSR indicating OCSP stapling to be mandatory

       --privkey, -p path/to/key.pem
              Use specified private key instead of account key (useful for revocation)

       --config, -f path/to/config
              Use specified config file

       --hook, -k path/to/
              Use specified script for hooks

       --out, -o certs/directory
              Output certificates into the specified directory

       --challenge, -t [http-01|dns-01]
              Which challenge should be used? Currently http-01 and dns-01 are supported

       --algo, -a [rsa|prime256v1|secp384r1]
              Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1


       The program exits 0 if everything was fine, 1 if an error occurred.


       Please  report  any  bugs   that   you   may   encounter   at   the   project   web   site


       Dehydrated  was  written  by  Lukas  Schauer.  This  man  page  was  contributed by Daniel


       Copyright 2015-2018 by Lukas Schauer and the respective contributors.  Provided under  the
       MIT  License.  See  the  LICENSE  file  that  accompanies  the  distribution for licensing


       Full documentation along with configuration examples are provided in the docs directory of
       the distribution, or at ⟨⟩.