dehydrator

Concept and Theory of operation:

Originally, I tried to use Certbot as my LetsEncrypt ACME client, but ran into issues with Python dependencies, and then other problems with using ACME HTTP protocol.  This led me to discover dehydrated, an ACME client written as a POSIX shell script, dependent only upon core userland tools, and which supports ACME DNS-01 protocol.  After I began using dehydrated, I found myself having to write a hook to call multiple hostname hooks per-certificate, doing a lot of hand-editing of dehydrated command-lines, a lot of manual distribution, and a lot of manual restarting of dependent services. I also wanted to know what certificates had expired.

My solution to this problem is dehydrator. which I refer to as a meta-client for dehydrated.  dehydrator does the following things:

1. Functions as a wrapper around dehydrated, assembling certificate requests from its own configuration files, making CA requests using dehydrated
2. Runs as a hook script for all certificate requests made via dehydrated, selecting and running other hook scripts as appropriate
3. Optionally runs commands for any specific dehydrated hook event
4. Distributes certificates using ssh/rsync, optionally runs a command on the remote associated with the certificate, and optionally reloads dependent services on the destination system
5. Enforces security policy on the dehydrator host and optionally on the remote certificates
6. Gathers and reports errors
7. Shows status of all configured certificates
8. Performs a self-check to ensure it has all the information it needs for each certificate
9. Provides an API where commands, data, and config are passed, and results returned, via YAML
10. Can operate in "stateless" mode, where all necessary data is passed via YAML at runtime
11. Can operate in "configless" mode, where all necessary configuration is passed via YAML at runtime

Documentation:

• Installing and configuring dehydrator
• Installing
• Configuration
• Command-line configuratopn
• Configuration files
• Configuration via YAML ("configless")
• Initialization
• Data: Defining hostnames, certificate names, destinations, services, and commands
• Certificates
• Hosts
• Destinations
• Services
• Commands (run on destination hosts)
• Running dehydrator
• Checking system integrity
• Creating and updating certificates
• Distributing certificates
• Revoking certificates
• Showing dehydrator status
• Use of YAML in dehydrator
• dehydrator API
• stateless mode
• configless mode
• dehydrator data formats
• Configuration
• Data files
• Commands
• State
• Logging
• State
• Normal use of state in dehydrator
• Stateless dehydrator

Support:

You can ask for help with Dehydrator on the mailing list.

License, Documentation:

View the current: README • License (GPL)

Version history:

• v1.0 September 18, 2018
• v2.0 June X, 2019

Requirements, Download(s):

Requires PHP-CLI 5.6 or greater.   It needs to have PRCE and OpenSSL compiled in or loaded as an extension.  Virtually all PHP installations meet this requirement.  You also need dehydrated and its dependencies, Bash, awk, sed, grep, mktemp, and cURL.  Virtually all Linux installations meet this requirement with the possible exception of cURL, which is generally available without pulling your hair out.  Distribution of certificates requires SSH and rsync on both source and destination systems, as well as find on the destination.  Again, virtually all Linux distributions will meet this requirement, with the possible exception of rsync, which you may need to install.  It will be in your distribution's packages.

• Download dehydrator v.1.0 (tar.gz) (zip)
• Git Repository

Mailing List

Mailing list | Archives