Convert Figma logo to code with AI

dehydrated-io logodehydrated

letsencrypt/acme client implemented as a shell-script – just add water

5,956
716
5,956
64
View on GitHub

Top Related Projects

acmesh-official's avatar

acme.sh

38,464

A pure Unix shell script implementing ACME client protocol

certbot's avatar

certbot

31,293

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

dehydrated-io's avatar

dehydrated

5,956

letsencrypt/acme client implemented as a shell-script – just add water

diafygi's avatar

acme-tiny

4,725

A tiny script to issue and renew TLS certs from Let's Encrypt

Quick Overview

Dehydrated is a lightweight, shell-based ACME client for obtaining and renewing SSL/TLS certificates from Let's Encrypt or other ACME-compliant Certificate Authorities. It's designed to be simple, modular, and easily integrated into existing server setups.

Pros

  • Lightweight and minimal dependencies (only requires basic shell utilities)
  • Highly flexible and customizable through hooks and configuration options
  • Supports both single-domain and wildcard certificates
  • Compatible with various web servers and ACME-compliant CAs

Cons

  • Requires more manual configuration compared to some GUI-based alternatives
  • Limited built-in support for advanced features (e.g., automatic server configuration)
  • May require additional scripting for complex setups or integrations
  • Documentation can be sparse for some advanced use cases

Getting Started

  1. Clone the repository:

    git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated

  2. Create a domains.txt file with your domain(s):

    echo "example.com" > domains.txt

  3. Run dehydrated in debug mode to test:

    ./dehydrated --register --accept-terms --debug

  4. Once successful, set up a cron job to run dehydrated periodically:

    0 0 1 * * /path/to/dehydrated/dehydrated -c

  5. Configure your web server to use the generated certificates (typically found in /etc/dehydrated/certs/).

Competitor Comparisons

acmesh-official logo

acme.sh

38,464

A pure Unix shell script implementing ACME client protocol

Pros of acme.sh

  • Written in pure shell script, making it more portable and lightweight
  • Supports a wider range of DNS providers for DNS-01 challenges
  • Includes automatic renewal and installation of certificates

Cons of acme.sh

  • Less extensive documentation compared to dehydrated
  • May require more manual configuration for complex setups
  • Slightly steeper learning curve for beginners

Code Comparison

acme.sh:

acme.sh --issue -d example.com -w /var/www/html
acme.sh --install-cert -d example.com \
  --key-file       /path/to/keyfile/in/nginx/key.pem  \
  --fullchain-file /path/to/fullchain/nginx/cert.pem \
  --reloadcmd     "service nginx force-reload"

dehydrated:

./dehydrated -c -d example.com
cat /etc/dehydrated/config
WELLKNOWN="/var/www/dehydrated"
HOOK="/etc/dehydrated/hook.sh"

Both tools are excellent choices for obtaining and managing Let's Encrypt certificates. acme.sh offers more flexibility and features, while dehydrated provides a simpler, more straightforward approach. The choice between them depends on specific requirements and user preferences.

certbot logo

certbot

31,293

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Pros of Certbot

  • More comprehensive and feature-rich, offering a wider range of plugins and integrations
  • Provides an interactive CLI and automatic configuration for popular web servers
  • Officially recommended by Let's Encrypt and has a larger community support

Cons of Certbot

  • Heavier and more complex, requiring more dependencies and system resources
  • Can be overwhelming for users who need only basic certificate management
  • May have a steeper learning curve for those unfamiliar with its extensive options

Code Comparison

Certbot (Python):

def obtain_cert(domains, certname, webroot_map):
    """Obtain a new certificate."""
    cert_path = os.path.join(config.cert_path, certname + '.pem')
    chain_path = os.path.join(config.cert_path, certname + '-chain.pem')
    fullchain_path = os.path.join(config.cert_path, certname + '-fullchain.pem')
    key_path = os.path.join(config.cert_path, certname + '-key.pem')

Dehydrated (Shell script):

sign_csr() {
    local domain="${1}" certdir="${2}" csr="${3}" cert="${4}" chain="${5}"

    if [[ ! "${API}" = "1" ]] && [[ ! "${API}" = "2" ]]; then
        echo "Unknown API version, found ${API}" >&2
        exit 1
    fi

Dehydrated is a lightweight, POSIX-compliant shell script for Let's Encrypt certificate management, while Certbot is a more comprehensive Python-based solution with additional features and integrations.

dehydrated-io logo

dehydrated

5,956

letsencrypt/acme client implemented as a shell-script – just add water

Pros of dehydrated

  • Lightweight and efficient ACME client for obtaining SSL/TLS certificates
  • Supports various DNS providers for domain validation
  • Actively maintained with regular updates and bug fixes

Cons of dehydrated

  • Requires more manual configuration compared to some other ACME clients
  • May have a steeper learning curve for beginners
  • Limited built-in features compared to more comprehensive solutions

Code Comparison

Both repositories appear to be the same project, so there isn't a relevant code comparison to make. The dehydrated-io/dehydrated repository is likely a mirror or fork of the original dehydrated project.

Additional Notes

Since both repositories seem to be the same project, it's worth noting that dehydrated is a popular ACME client written in bash. It's designed to be simple and efficient, making it a good choice for users who prefer a lightweight solution and are comfortable with command-line tools.

When choosing between different repositories of the same project, it's important to consider factors such as:

  • Update frequency
  • Number of contributors
  • Issue tracking and resolution
  • Documentation quality

In this case, users should investigate which repository is the most actively maintained and has the most community support before deciding which one to use.

diafygi logo

acme-tiny

4,725

A tiny script to issue and renew TLS certs from Let's Encrypt

Pros of acme-tiny

  • Extremely lightweight and minimalistic (single Python file)
  • Easy to understand and audit due to its simplicity
  • Minimal dependencies, requiring only Python and OpenSSL

Cons of acme-tiny

  • Limited features compared to dehydrated
  • Requires more manual configuration and setup
  • Less actively maintained with fewer contributors

Code Comparison

acme-tiny:

def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA):
    # ... (simplified for brevity)
    return signed_crt

dehydrated:

sign_csr() {
  local csr="${1}" crt_path="${2}" chain_path="${3}"
  # ... (simplified for brevity)
}

The code snippets highlight the different approaches:

  • acme-tiny uses a single Python function for the entire process
  • dehydrated employs multiple shell functions for different steps

Both projects aim to simplify the ACME protocol implementation, but dehydrated offers a more comprehensive solution with additional features and broader platform support. acme-tiny, on the other hand, provides a minimalistic approach that may be preferred for simpler setups or for users who want full control over the certificate issuance process.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

dehydrated Donate

Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script. This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!

It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.

Other dependencies are: cURL, sed, grep, awk, mktemp (all found pre-installed on almost any system, cURL being the only exception).

Current features:

  • Signing of a list of domains (including wildcard domains!)
  • Signing of a custom CSR (either standalone or completely automated using hooks!)
  • Renewal if a certificate is about to expire or defined set of domains changed
  • Certificate revocation
  • and lots more..

Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request, but please check for duplicates first (feel free to comment on those to get things rolling).

Getting started

For getting started I recommend taking a look at docs/domains_txt.md, docs/wellknown.md and the Usage section on this page (you'll probably only need the -c option).

Generally you want to set up your WELLKNOWN path first, and then fill in domains.txt.

Please note that you should use the staging URL when experimenting with this script to not hit Let's Encrypt's rate limits. See docs/staging.md.

If you have any problems take a look at our Troubleshooting guide.

Config

dehydrated is looking for a config file in a few different places, it will use the first one it can find in this order:

  • /etc/dehydrated/config
  • /usr/local/etc/dehydrated/config
  • The current working directory of your shell
  • The directory from which dehydrated was run

Have a look at docs/examples/config to get started, copy it to e.g. /etc/dehydrated/config and edit it to fit your needs.

Usage:

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --version (-v)                   Print version information
 --display-terms                  Display current terms of service
 --register                       Register account key
 --account                        Update account contact information
 --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --deactivate                     Deactivate account
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --cleanup-delete (-gcd)          Deletes (!) unused certificate files
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --accept-terms                   Accept CAs terms of service
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --ca url/preset                  Use specified CA URL or preset
 --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force certificate renewal even if it is not due to expire within RENEW_DAYS
 --force-validation               Force revalidation of domain names (used in combination with --force)
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --domains-txt path/to/domains.txt Use specified domains.txt instead of default/configured one
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --preferred-chain issuer-cn      Use alternative certificate chain identified by issuer CN
 --out (-o) certs/directory       Output certificates into the specified directory
 --alpn alpn-certs/directory      Output alpn verification certificates into the specified directory
 --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Chat

Dehydrated has an official IRC-channel #dehydrated on libera.chat that can be used for general discussion and suggestions.

The channel can also be accessed with Matrix using the official libera.chat bridge at #dehydrated:libera.chat.