Dehydrated: A Bash-Based ACME Client That Actually Handles Wildcards
Let's be real. Setting up HTTPS with Let's Encrypt usually means picking between certbot (which works but feels like a tank) or something too minimal that breaks on edge cases. What if you just want a solid ACME client that's simple, scriptable, and doesn't shy away from wildcard domains?
Enter Dehydrated — a pure bash ACME client that's been around forever for a good reason.
What It Does
Dehydrated is a standalone ACME client written entirely in bash. It talks to Let's Encrypt (or any ACME-compatible CA) to sign certificates, including full wildcard support for *.example.com. No Python dependencies, no npm, no Docker overhead. Just bash, curl, and OpenSSL.
You configure a domain list, run the script, and it handles the ACME dance. It supports HTTP-01, DNS-01, and TLS-ALPN-01 challenges out of the box.
Why It's Cool
A few things make Dehydrated stand out from the growing crowd of ACME tools:
- Wildcard certs without drama. DNS-01 challenge works perfectly, and you can plug in any DNS provider with a simple hook script. No lock-in.
- It's just bash. That means it runs on literally any Linux box, BSD system, or even busybox-based environments (like embedded routers). No pip install, no runtime version hell.
- Hook system is flexible. Want to reload nginx after cert renewal?
.reload_cmddoes that. Need to update a load balancer? Write a hook. It's trivial to extend. - It's been stable for years. Dehydrated isn't some shiny new tool that might vanish. It's battle-tested, with a clear configuration file system and no surprises.
For devops folks who prefer distro-packaged tools or minimal footprint setups (like on a Raspberry Pi or a VPS with 256MB RAM), this is a breath of fresh air.
How to Try It
Clone the repo, copy the config example, and you're mostly there:
git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
cp docs/examples/config .
# Edit config to set CONTACT_EMAIL and challenge type
./dehydrated --register --accept-terms
./dehydrated --cron --domain example.com --wildcard
That's it. The --cron flag handles renewals automatically. For DNS-01, you'll need a hook script for your DNS provider (check the docs/ folder — many providers have community scripts).
If you want a quick test without affecting your production domain, use the Let's Encrypt staging environment by adding CA="https://acme-staging-v02.api.letsencrypt.org/directory" to your config.
Final Thoughts
If you already use certbot and it works for you, great. But if you've ever found yourself fighting with a Docker container just to get a cert for a tiny server, or wished you could just scp a bash script and be done, give Dehydrated a spin. It's old-school in the best way — no bloat, no magic, just shell scripts doing one thing well.
For anyone maintaining a fleet of servers with minimal dependencies (or just tired of abstraction layers), this is a solid tool to keep in your back pocket.
Found this interesting? Follow @githubprojects for more developer tools and open source discoveries.