Let's Encrypt: how to use DeVian dehydrated for many services as mail, web, etc - McKAY brothers, multimedia emulation and support


2020/01/08

Let's Encrypt: how to use DeVian dehydrated for many services as mail, web, etc

This guide works for any Devuan, VenenuX or Debian system, including old ones: Debian 7 or 8, and even Debian 6 or 5, will still fit.
dehydrated is the best solution for paranoid admins and those who do not want bloated tool chains on their servers: it is thin, light and simple to use!


dehydrated is a client program that obtains valid certificates from a certificate authority on the internet (Let's Encrypt), for your web server and also for other services; it is what produces the supposed "lock in the address bar" that non-experts talk about, as shown in the following screen:


The same certificate will also be used for other services, such as XMPP, IMAP, HTTPS, etc., since it can be issued for several domains at once (multidomain), with the drawback that each machine running one of those services must run its own instance of dehydrated, unless you use complicated "hooks".

http-01 vs dns-01: with http-01, each machine that runs a service using the cert file must execute its own instance of dehydrated, unless you use dns-01 together with complicated hooks. dns-01 proves control of the domain by publishing special records in your own DNS; http-01 is the simpler one and the fastest to implement. Both require that the machine where the program is executed has, or controls, either the web service or the DNS service of the domain.

Requirements:

  • one dehydrated instance per machine that will handle a cert file for its respective service
  • a valid domain, in this guide we will use: venenuxdom.com
  • valid subdomains if applicable: www.venenuxdom.com imap.venenuxdom.com smtp.venenuxdom.com
  • a valid DNS registration, in place for at least 12 hours, with records for venenuxdom.com
These requirements mean that the machine where venenuxdom.com is hosted is the same one that serves the other sub-domains; any sub-domain that is not hosted or owned by that machine must not be listed. For example, with these addresses:
  • otro.venenuxdom.com in machine ip 192.1.1.40 -> not apply
  • www.venenuxdom.com in machine ip 192.1.1.50 -> apply and valid
  • venenuxdom.com in machine ip 192.1.1.50 -> where dehydrated will exec!
  • imap.venenuxdom.com in machine ip 192.1.1.50 -> apply and valid
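A pre-flight check for the rule above, as an added example that is not part of the original post: before asking for a certificate with http-01, resolve every name in domains.txt and compare it with this machine's own addresses, so a name hosted elsewhere (like otro.venenuxdom.com) is caught before it fails validation and counts against the CA's rate limits. It assumes `getent` and `hostname -I` are available, as on any Debian or Devuan.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every name in
# domains.txt points at this machine before running dehydrated with http-01.

# Resolve a hostname to its IPv4 addresses, one per line. getent honours
# /etc/hosts as well as DNS, which is what the validation server will NOT do,
# so make sure the names really are published in DNS too.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# List this machine's own IPv4 addresses, one per line (assumes hostname -I).
local_addresses() {
    hostname -I 2>/dev/null | tr ' ' '\n' | sed '/^$/d'
}

# check_domains DOMAINS_FILE
# Prints one line per name ("ok" or "skip") and returns the number of names
# that are not hosted here, so 0 means the domains file is safe to use.
check_domains() {
    domains_file="$1"
    bad=0
    locals=$(local_addresses)
    for name in $(cat "$domains_file"); do
        addrs=$(resolve_host "$name")
        if [ -z "$addrs" ]; then
            echo "skip $name (does not resolve)"
            bad=$((bad + 1))
            continue
        fi
        for a in $addrs; do
            if echo "$locals" | grep -qxF "$a"; then
                echo "ok   $name $a"
            else
                echo "skip $name $a (hosted on another machine)"
                bad=$((bad + 1))
            fi
        done
    done
    return $bad
}

# Usage: sh check-domains.sh /etc/dehydrated/domains.txt
if [ $# -gt 0 ]; then
    check_domains "$1"
fi
```

Run it as `sh check-domains.sh /etc/dehydrated/domains.txt`; a non-zero exit means at least one name should be removed from domains.txt before continuing with the registration below.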

Installation of programs

We will install a package that, because it has few and clean dependencies, works on all Debians to date; a true program, because it has no exotic or version-specific dependencies:

apt-get install openssl curl wget bash

wget http://http.us.debian.org/debian/pool/main/d/dehydrated/dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb

dpkg -i dehydrated_0.6.2-2+deb10u1~bpo9+1_all.deb

This package is a buster (backport) build, but don't worry: it depends only on bash, openssl and curl, so it will run on any older or newer Debian release, and on Devuan as well.

Configuration of main files

The configuration needs parameters for the account identification and for the domains the certificate is created for on that machine (since the machine where it runs is the one that will need the certificate).

cat > /etc/dehydrated/domains.txt << EOF
venenuxdom.com mail.venenuxdom.com smtp.venenuxdom.com imap.venenuxdom.com www.venenuxdom.com mx.venenuxdom.com
EOF

cat > /etc/dehydrated/conf.d/00_defaultaccount.sh << EOF
WELLKNOWN="/var/lib/dehydrated/acme-challenges/"
CONTACT_EMAIL="root@venenuxdom.com"
EOF

mkdir /var/lib/dehydrated/certs

dehydrated --register --accept-terms --challenge http-01

Configuration by http-01 verification

The configuration will use the http-01 method, which validates over plain HTTP once the DNS is already active and valid, so you simply need the web server for the certificate's domain to be running, with dehydrated on the same machine as that web server.

IMPORTANT NOTE: the following commands can be executed whether apache or lighttpd is installed, but at least one of them must be installed. Take into consideration that for apache 2.2 the configuration directory is "conf.d" while for 2.4 it is "conf-available":

cat > /etc/lighttpd/conf-available/15-dehydrated.conf << EOF
alias.url += (
 "/.well-known/acme-challenge/" => "/var/lib/dehydrated/acme-challenges/",
)
EOF

lighty-enable-mod dehydrated

/usr/sbin/service lighttpd restart

cat > /etc/apache2/conf-available/dehydrated.conf << EOF
Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges/
<Directory /var/lib/dehydrated/acme-challenges/>
        Options None
        AllowOverride None
        <IfModule !mod_authz_core.c>
                Order allow,deny
                Allow from all
        </IfModule>
        <IfModule mod_authz_core.c>
                Require all granted
        </IfModule>
</Directory>
EOF

# apache 2.4 only: enable the file (on 2.2 it lives in conf.d and is loaded automatically)
/usr/sbin/a2enconf dehydrated

/usr/sbin/service apache2 restart
 

Exec: Obtaining the cert files

Once everything is configured we need to execute it, and the cert files will be at /var/lib/dehydrated/certs/ with one directory per certificate, as put in the domains.txt file.

IMPORTANT NOTE: here we need an additional step, a "combined" extra cert file (private key and certificate in one file) that services like courier or lighttpd require.

dehydrated --cron --challenge http-01

cat /var/lib/dehydrated/certs/venenuxdom.com/cert.pem /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem > /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem

ln -sf privcert-lasted.pem /var/lib/dehydrated/certs/venenuxdom.com/privcert.pem

chown daemon:www-data /var/lib/dehydrated/certs/venenuxdom.com/*.pem

chmod 640 /var/lib/dehydrated/certs/venenuxdom.com/*.pem

cp /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem /etc/courier/privcert.pem

chown daemon:root /etc/courier/*.pem

chmod 640 /etc/courier/*.pem

At this point we have all the "pem" files needed.
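Before pointing the services at the new files, it is worth checking them. The following script is an added example and not part of the original post: it confirms that privkey.pem really belongs to cert.pem (a stale combined file or a wrong copy shows up here), that every name in domains.txt is in the certificate's SAN list, and how many days remain, since dehydrated renews only when fewer than RENEW_DAYS (30 by default) are left. It assumes the `openssl` CLI and GNU `date`, both present on Debian and Devuan.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the files in
# /var/lib/dehydrated/certs/<domain>/ before any service is restarted.

# key_matches_cert KEYFILE CERTFILE -> 0 when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_sans CERTFILE -> DNS names from subjectAltName, one per line
# (parses the -text output so it also works with old openssl releases)
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# missing_sans CERTFILE DOMAINS_FILE -> prints names from the domains file
# that the certificate does not cover; returns 1 if there is any
missing_sans() {
    sans=$(cert_sans "$1")
    rc=0
    for name in $(cat "$2"); do
        if ! echo "$sans" | grep -qxF "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# days_left CERTFILE -> whole days until notAfter (0 or negative if expired)
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# check_cert CERTDIR DOMAINS_FILE -> summary; returns 0 only if all checks pass
check_cert() {
    cc_dir="$1"; cc_domains="$2"; cc_status=0
    if key_matches_cert "$cc_dir/privkey.pem" "$cc_dir/cert.pem"; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; cc_status=1
    fi
    if cc_missing=$(missing_sans "$cc_dir/cert.pem" "$cc_domains"); then
        echo "ok   all names in $cc_domains are covered"
    else
        echo "FAIL names not in certificate: $(echo $cc_missing)"; cc_status=1
    fi
    cc_days=$(days_left "$cc_dir/cert.pem")
    if [ "$cc_days" -le 0 ]; then
        echo "FAIL certificate expired"; cc_status=1
    elif [ "$cc_days" -lt 30 ]; then
        echo "WARN $cc_days days left, already inside RENEW_DAYS"
    else
        echo "ok   $cc_days days left"
    fi
    return $cc_status
}

# Usage: sh check-cert.sh /var/lib/dehydrated/certs/venenuxdom.com /etc/dehydrated/domains.txt
if [ $# -eq 2 ]; then
    check_cert "$1" "$2"
fi
```

Run it against the certificate directory and domains.txt; the same checks are a good thing to run from a hook after each renewal, because a service restarted with a mismatched key and certificate will fail to start or, worse, keep serving the old expired pair.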

How to use the cert files:

All the involved services must be updated and restarted; of course that can be automated, for that see the section "Automation with cron and hooks" below.

lighttp

sed -i -r 's#.*ssl.pemfile =.*#ssl.pemfile = "/var/lib/dehydrated/certs/venenuxdom.com/privcert.pem"#g' /etc/lighttpd/conf-available/10-ssl.conf

/usr/sbin/lighty-enable-mod ssl
/usr/sbin/service lighttpd restart

apache

sed -s -i -r 's|\tSSLCertificateFile.*|\tSSLCertificateFile /var/lib/dehydrated/certs/venenuxdom.com/cert.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCertificateKeyFile.*|\tSSLCertificateKeyFile /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCertificateChainFile.*|\tSSLCertificateChainFile /var/lib/dehydrated/certs/venenuxdom.com/chain.pem|g' /etc/apache2/sites-available/default-ssl
sed -s -i -r 's|\tSSLCACertificateFile.*|\tSSLCACertificateFile /var/lib/dehydrated/certs/venenuxdom.com/fullchain.pem|g' /etc/apache2/sites-available/default-ssl

/usr/sbin/a2enmod ssl
/usr/sbin/service apache2 restart

courier

cp /var/lib/dehydrated/certs/venenuxdom.com/privcert-lasted.pem /etc/courier/privcert.pem

chown daemon:root /etc/courier/*.pem

chmod 640 /etc/courier/*.pem

sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/esmtpd
sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/esmtpd-ssl
sed -i -r 's|^TLS_CERTFILE.*|TLS_CERTFILE=/etc/courier/privcert.pem|g' /etc/courier/imapd-ssl

for i in /etc/init.d/courier*; do $i restart; done

prosody

sed -i -r 's#key =.*#key = "/var/lib/dehydrated/certs/venenuxdom.com/privkey.pem";#g' /etc/prosody/conf.avail/venenuxdom.com.cfg.lua
sed -i -r 's#certificate =.*#certificate = "/var/lib/dehydrated/certs/venenuxdom.com/cert.pem";#g' /etc/prosody/conf.avail/venenuxdom.com.cfg.lua

/usr/sbin/service prosody restart

postfix

# each of these writes the setting into /etc/postfix/main.cf
postconf -e 'smtpd_tls_cert_file = /var/lib/dehydrated/certs/venenuxdom.com/fullchain.pem'
postconf -e 'smtpd_tls_key_file = /var/lib/dehydrated/certs/venenuxdom.com/privkey.pem'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
postconf -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'

/usr/sbin/service postfix restart

Automation with cron and hooks

You must use cron to automate the renewal; use the monthly directory to make a check each month:

cat > /etc/cron.monthly/dehydrated << EOF
#!/bin/sh

test -x /usr/bin/dehydrated || exit 0
# -x forces renewal on every run; without it dehydrated only renews when
# fewer than RENEW_DAYS (30 by default) remain, which a monthly run can miss
/usr/bin/dehydrated -x --cron --cleanup --challenge http-01 --accept-terms

# restart only the web servers that are installed, without exiting after the first test
test -x /etc/init.d/lighttpd && /usr/sbin/service lighttpd restart
test -x /etc/init.d/nginx && /usr/sbin/service nginx restart
exit 0
EOF

chmod 755 /etc/cron.monthly/dehydrated

With this, the renewal of the cert files will be checked each month.

The cert file renewal for all the services can be automated: dehydrated supports a hook that is called at each step of the process, and with a trick there can be multiple hooks. This is done with the following dispatcher script and a directory of hooks:
mkdir /var/lib/dehydrated/hooks.d

cat > /var/lib/dehydrated/hooks.sh << EOF
#!/usr/bin/env bash
# Simple script which allows the use of multiple hooks
for file in /var/lib/dehydrated/hooks.d/*
do
    \${file} "\$@"
done
EOF

chmod +x /var/lib/dehydrated/hooks.sh

So then all the hooks must be put into the /var/lib/dehydrated/hooks.d directory; all must have the .sh extension and must have the exec bit set.
Here is the lighttpd hook that renews the combined cert file (which is generated neither by Let's Encrypt nor by dehydrated); put it into the hooks directory as /var/lib/dehydrated/hooks.d/generatecombined.sh and, after writing it, make it executable with chmod 755:

#!/usr/bin/env bash

# dehydrated calls the hook as: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    echo "Executing deploy_cert hook $0"
    echo " + Creating privcert.pem (a combined privkey.pem + cert.pem)"
    cd "$(dirname "${CERTFILE}")" && {
        cat "${KEYFILE}" "${CERTFILE}" > "privcert-${TIMESTAMP}.pem" && \
        ln -sf "privcert-${TIMESTAMP}.pem" "privcert.pem" && {
            # Loop over all combined files of this type
            for filename in "privcert-"*".pem"; do
              # Check if the current file is in use, remove it if unused
              if [[ ! "${filename}" = "privcert-${TIMESTAMP}.pem" ]]; then
                echo " + Removing unused combined certificate file: ${filename}"
                rm "${filename}"
              fi
            done
        }
    }
}
# Only react to deploy_cert; ignore the other hook names dehydrated calls
HANDLER="$1"; shift
if [[ "${HANDLER}" = "deploy_cert" ]]; then
  "$HANDLER" "$@"
fi

This will create a combined pem file with both the private key and the public cert on each renewal. Remember to store it in the hooks.d directory with exec permission, so it will be processed.
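The hook above serves lighttpd only; the courier copy and the service restarts from the earlier sections are still done by hand. The following is an added example, not the post's own hook, that generalizes it: one deploy_cert hook installs the combined file for lighttpd and courier with an atomic rename (a service never reads a half-written file), sets the same owners and modes used above, and restarts only the services whose init script exists. It assumes the dehydrated `HOOK` setting (a real config variable) is pointed at it, and the courier and init directories can be overridden for testing.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a complete deploy_cert hook.
# Register it with
#   echo 'HOOK="/var/lib/dehydrated/hooks.sh"' > /etc/dehydrated/conf.d/10_hook.sh
# or drop it into /var/lib/dehydrated/hooks.d/ when using the dispatcher above.

# Assumed locations; overridable so the hook can be exercised without root.
COURIER_DIR="${COURIER_DIR:-/etc/courier}"
INITDIR="${INITDIR:-/etc/init.d}"

# install_combined KEYFILE CERTFILE DEST OWNER MODE
# Writes key+cert to a temporary file beside DEST and renames it into place,
# so a daemon opening DEST sees either the old or the new complete file.
install_combined() {
    local key="$1" cert="$2" dest="$3" owner="$4" mode="$5"
    local tmp
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    cat "$key" "$cert" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod "$mode" "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" 2>/dev/null || true   # fails harmlessly when not root
    fi
    mv -f "$tmp" "$dest"
}

# restart_if_present SERVICE: restart only when its init script is installed
restart_if_present() {
    if [ -x "${INITDIR}/$1" ]; then
        /usr/sbin/service "$1" restart
    fi
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    local DOMAIN="$1" KEYFILE="$2" CERTFILE="$3" FULLCHAINFILE="$4" CHAINFILE="$5" TIMESTAMP="$6"
    local certdir
    certdir=$(dirname "$CERTFILE")
    echo " + deploy_cert for ${DOMAIN} (${TIMESTAMP})"
    # lighttpd reads ssl.pemfile from the certificate directory
    install_combined "$KEYFILE" "$CERTFILE" "${certdir}/privcert.pem" "daemon:www-data" 640 || return 1
    # courier keeps its own copy with a different owner
    if [ -d "$COURIER_DIR" ]; then
        install_combined "$KEYFILE" "$CERTFILE" "${COURIER_DIR}/privcert.pem" "daemon:root" 640 || return 1
    fi
    for svc in lighttpd apache2 courier-imap-ssl courier-mta-ssl prosody postfix; do
        restart_if_present "$svc"
    done
}

# dehydrated passes the hook name first; the other names (unchanged_cert,
# clean_challenge, exit_hook, ...) are ignored silently.
if [ "${1:-}" = "deploy_cert" ]; then
    shift
    deploy_cert "$@"
fi
```

Unlike the timestamped files of the post's hook, this version keeps a single privcert.pem per location, so there is nothing to clean up; the trade-off is that the previous combined file is gone after a deploy, which is fine because dehydrated keeps the individual cert and key archives itself.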

Conclusion

dehydrated is the best solution for good, paranoid admins and those who do not want bloated tool chains on their servers: it is thin, light and simple to use!
