# Let's Encrypt

Download Let's Encrypt client (only `dehydrated` needed):
https://github.com/dehydrated-io/dehydrated/releases/latest

```sh
sudo mkdir -p /data/ssl/{configs,challenge}
sudo chown -R admin: /data/ssl

cp config dehydrated-* /data/ssl

# List all domains for automatic renewal
editor /data/ssl/domains.txt

/data/ssl/dehydrated -r
```

To enable certificate renewal,
`include snippets/letsencrypt` or put `redirect-ssl-all` in sites-enabled.

## Cronjob

```sh
/data/ssl/dehydrated -c
```

## Wildcard Certificates

```sh
echo "service.example.com *.service.example.com" >> /data/ssl/domains.txt
echo "CHALLENGETYPE=dns-01" >> /data/ssl/configs/service.example.com
echo "HOOK=/data/ssl/dehydrated-hook" >> /data/ssl/configs/service.example.com
```

There are manual and nsupdate hooks.
See [example-hook](example-hook) for an example nsupdate hook.