opensourceprojects.dev

A broadsheet for software that doesn't ask for your email

Dehydrated: a bash-based ACME client for signing certs with wildcard support
GitHub RepoImpressions3

Project Description

View on GitHub

Dehydrated: A Bash-Based ACME Client That Actually Handles Wildcards

Let's be real. Setting up HTTPS with Let's Encrypt usually means picking between certbot (which works but feels like a tank) or something too minimal that breaks on edge cases. What if you just want a solid ACME client that's simple, scriptable, and doesn't shy away from wildcard domains?

Enter Dehydrated — a pure bash ACME client that's been around forever for a good reason.

What It Does

Dehydrated is a standalone ACME client written entirely in bash. It talks to Let's Encrypt (or any ACME-compatible CA) to sign certificates, including full wildcard support for *.example.com. No Python dependencies, no npm, no Docker overhead. Just bash, curl, and OpenSSL.

You configure a domain list, run the script, and it handles the ACME dance. It supports HTTP-01, DNS-01, and TLS-ALPN-01 challenges out of the box.

Why It's Cool

A few things make Dehydrated stand out from the growing crowd of ACME tools:

  • Wildcard certs without drama. DNS-01 challenge works perfectly, and you can plug in any DNS provider with a simple hook script. No lock-in.
  • It's just bash. That means it runs on literally any Linux box, BSD system, or even busybox-based environments (like embedded routers). No pip install, no runtime version hell.
  • Hook system is flexible. Want to reload nginx after cert renewal? .reload_cmd does that. Need to update a load balancer? Write a hook. It's trivial to extend.
  • It's been stable for years. Dehydrated isn't some shiny new tool that might vanish. It's battle-tested, with a clear configuration file system and no surprises.

For devops folks who prefer distro-packaged tools or minimal footprint setups (like on a Raspberry Pi or a VPS with 256MB RAM), this is a breath of fresh air.

How to Try It

Clone the repo, copy the config example, and you're mostly there:

git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
cp docs/examples/config .
# Edit config to set CONTACT_EMAIL and challenge type
./dehydrated --register --accept-terms
./dehydrated --cron --domain example.com --wildcard

That's it. The --cron flag handles renewals automatically. For DNS-01, you'll need a hook script for your DNS provider (check the docs/ folder — many providers have community scripts).

If you want a quick test without affecting your production domain, use the Let's Encrypt staging environment by adding CA="https://acme-staging-v02.api.letsencrypt.org/directory" to your config.

Final Thoughts

If you already use certbot and it works for you, great. But if you've ever found yourself fighting with a Docker container just to get a cert for a tiny server, or wished you could just scp a bash script and be done, give Dehydrated a spin. It's old-school in the best way — no bloat, no magic, just shell scripts doing one thing well.

For anyone maintaining a fleet of servers with minimal dependencies (or just tired of abstraction layers), this is a solid tool to keep in your back pocket.


Found this interesting? Follow @githubprojects for more developer tools and open source discoveries.

Back to Projects
Project ID: 9328a7a0-4719-4e9f-bea9-dc6f51f5bc2fLast updated: July 12, 2026 at 05:47 AM