Dehydrated and multiple domains

Andi Northrop's picture

Hi there, I posted this over in the confconsole docs as a comment, but I guess the forums are better monitored? Anywho, to recap:

OK, I may be missing something obvious but I can't see what I should be doing after the first bullet point to make dehydrated pick up the additional domains and run the wrapper to get certificates for those new domains?

Will it just pick up the changes when the daily cron runs or do I need to invoke it myself somehow?

Cheers for any help!

Since then I've figured that I can call dehydrated from the terminal (duh) but I can't get it working.

To start with dehydrated by itself looks for domains.txt (instead of, a tweak to dehydrated's config file sorts that but now I'm getting a challenge error of 403:

 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + Responding to challenge for
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
    "status": 403

Any ideas? I'm wary of trying too many times without advice lest I be blocked by letsencrypt.

This all runs fine from Confconsole but I've got new domains I need to add in so I need to get it sorted this way (I'm running 14.2 LAMP).


Andi Northrop's picture

Having rummaged around in the dehydrated docs, my best guess is that I need to add an alias to Apache in the alias.conf mod to the tune of:

Alias /.well-known/acme-challenge /var/www/dehydrated

Am I on the right lines?

Also, if I change dehydrated settings will that break the Confconsole method (not a major issue now but I may wish to use it in the future)?

Andi Northrop's picture

That Alias should probably read:

Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges


Jeremy Davis's picture

It's been a little while since I worked on it, but IIRC you should just need to add your additional domains to /etc/dehydrated/ Each new domain goes on a separate line, with up to 4 sub-domains. E.g.:
The last in the list should write to /etc/ssl/private/cert.pem so will also be the cert that will work for Webmin and Webshell.

You can then run it manually (to check it works) by directly invoking the TurnKey dehydrated-wrapper:


If you want to do some testing without risking getting blocked by Let's Encrypt, please add the staging server to your conf file (/etc/dehydrated/confconsole.config). Make sure you remove it when you're done testing though.

Want some info about it? Use the --help switch. Want more info about what it's doing? Try the --log-info switch or if you want really verbose output, set DEBUG. I.e.

export DEBUG=y
If you use the Confconsole dehydrated-wrapper to launch dehydrated, you won't need to worry about setting aliases etc as it uses it's own mini-webserver to serve the challenges.

If you don't like that long path and want to make dehydrated-wrapper a "command"; then add a symlink to /usr/local/bin:

ln -s /usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper /usr/local/bin/dehydrated-wrapper
Then you should be able to launch it simply by typing "dehydrated-wrapper".

Once it's done it's thing, then you should find your certificates in /etc/ssl/private/DOMAIN, e.g. using my domain list above, I should have:


TBH, I didn't exhaustively test with multiple domains, so there is a chance that I missed something.

If you want to keep going the way you are, then it's possible, but you'll need to write your own hook script to write out the certificates that it gets. The hook script that ships with confconsole is designed to integrate with the bundled mini-server.

Regardless, it seems clear that we either need to improve the docs a bit (giving a step-by-step walkthrough) and/or make confconsole support multiple domains...

Andi Northrop's picture

Thanks Jeremy, that makes more sense.

It runs now but it's only writing to /etc/ssl/private/cert.pem meaning that only the domain (and subs) on the last line of is getting a certificate.

It's not writing any of the extra domains to directories e.g. /etc/ssl/private/

/var/lib/dehydrated/certs/ contains directories for each domain but nothing in /etc/ssl/private

Post new comment