Please note that dehydrator is under development and not available for download yet.  It is in production use though, and I will make it available early in 2020.

dehydrator is a multi-function PHP script that obtains SSL/TLS certificates from the LetsEncrypt Certificate Authority operated by the Electronic Frontier Foundation, runs custom hook script actions on them, and distributes them via SSH/rsync, using the dehydrated ACME client and the ACME DNS-01 challenge.

Concept and Theory of operation:

Originally, I tried to use Certbot as my LetsEncrypt ACME client, but ran into issues with Python dependencies, and then other problems with the ACME HTTP challenge.  This led me to discover dehydrated, an ACME client written as a POSIX shell script, dependent only upon core userland tools, which supports the ACME DNS-01 challenge.  After I began using dehydrated, I found myself having to write a hook to call multiple per-hostname hooks for each certificate, doing a lot of hand-editing of dehydrated command lines, a lot of manual distribution, and a lot of manual restarting of dependent services.  I also wanted to know which certificates had expired.

My solution to this problem is dehydrator, which I refer to as a meta-client for dehydrated.  dehydrator does the following things:

  1. Functions as a wrapper around dehydrated, assembling certificate requests from its own configuration files, making CA requests using dehydrated
  2. Runs as a hook script for all certificate requests made via dehydrated, selecting and running other hook scripts as appropriate
  3. Optionally runs commands for any specific dehydrated hook event
  4. Distributes certificates using ssh/rsync, optionally runs a command on the remote associated with the certificate, and optionally reloads dependent services on the destination system
  5. Enforces security policy on the dehydrator host and optionally on the remote certificates
  6. Gathers and reports errors
  7. Shows status of all configured certificates
  8. Performs a self-check to ensure it has all the information it needs for each certificate
  9. Provides an API where commands, data, and config are passed, and results returned, via YAML
  10. Can operate in "stateless" mode, where all necessary data is passed via YAML at runtime
  11. Can operate in "configless" mode, where all necessary configuration is passed via YAML at runtime
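As an added illustration of items 2 and 3 (example code written for this page, not dehydrator's own), a minimal PHP hook dispatcher: it checks the event name dehydrated passes against dehydrated's known hook events, maps the domain argument to a per-domain hook script, and forwards the remaining arguments. The hook directory /etc/dehydrator/hooks and the one-script-per-domain layout are assumptions.

```php
<?php
// Added example, not dehydrator's own code: a minimal dehydrated hook
// dispatcher. dehydrated calls its hook as
//   hook <event> [<domain> <args>...]
// using the event names below; the hook directory and the
// one-script-per-domain layout are assumptions for this example.

// Hook events dehydrated raises. Anything else is refused, not forwarded.
$dehydratedEvents = array(
    'deploy_challenge', 'clean_challenge', 'deploy_cert', 'unchanged_cert',
    'invalid_challenge', 'request_failure', 'startup_hook', 'exit_hook',
);

// Map a domain argument to its hook script, or null if there is none.
// The domain comes from dehydrated's argv and becomes part of a path, so
// it is checked strictly: a leading "*." (wildcard names) is dropped and
// only a plain DNS name is accepted (no '/', '..', whitespace, etc).
function selectHook($hookDir, $domain)
{
    $name = strtolower(preg_replace('/^\*\./', '', $domain));
    if (!preg_match('/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/', $name)) {
        return null;
    }
    $path = $hookDir . '/' . $name . '.sh';   // assumed layout: <dir>/<domain>.sh
    return (is_file($path) && is_executable($path)) ? $path : null;
}

// Validate the event, pick the per-domain hook, run it with the same
// arguments dehydrated gave us, and return the exit status dehydrated sees.
function dispatch(array $events, $hookDir, array $argv)
{
    $event  = isset($argv[1]) ? $argv[1] : '';
    $domain = isset($argv[2]) ? $argv[2] : '';
    if (!in_array($event, $events, true)) {
        fwrite(STDERR, "refusing unknown hook event: $event\n");
        return 2;
    }
    if ($event === 'startup_hook' || $event === 'exit_hook') {
        return 0;                        // global events: nothing per-domain to do
    }
    $hook = selectHook($hookDir, $domain);
    if ($hook === null) {
        fwrite(STDERR, "no hook script for domain: $domain\n");
        return 3;                        // fail closed rather than silently continue
    }
    // escapeshellarg() on every forwarded argument (domain, token value,
    // certificate paths): none of them may ever reach the shell unquoted.
    $cmd = escapeshellarg($hook) . ' ' . implode(' ', array_map('escapeshellarg', array_slice($argv, 1)));
    passthru($cmd, $status);
    return $status;
}

exit(dispatch($dehydratedEvents, '/etc/dehydrator/hooks', $argv));
```

Point dehydrated's HOOK setting at this script (via a tiny wrapper that runs it with php-cli) and each domain's own hook under the assumed directory receives exactly the events and arguments dehydrated emitted.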

You can ask for help with Dehydrator on the mailing list.

License, Documentation:

Current README and License (GPL)

Requirements, Download(s):

Requires PHP-CLI 5.6 or greater, with PCRE and OpenSSL compiled in or loaded as extensions; virtually all PHP installations meet this requirement.  You also need dehydrated and its dependencies: Bash, awk, sed, grep, mktemp, and cURL.  Virtually all Linux installations meet this requirement, with the possible exception of cURL, which is generally available without pulling your hair out.  Distribution of certificates requires SSH and rsync on both source and destination systems, as well as find on the destination.  Again, virtually all Linux distributions meet this requirement, with the possible exception of rsync, which you may need to install; it will be in your distribution's packages.

To avoid a dependency on the php-yaml extension, dehydrator uses the Spyc YAML processor.  For consistency, Spyc is used even if php-yaml is available.

YAML was chosen as the API for dehydrator instead of messy command-line methods of program-to-program communication.  Using YAML you can add, edit, and remove certificate, host, hook, service, and destination records in dehydrator's configuration files.  You can also use YAML to send a series of commands to dehydrator, which are executed in the order they appear in the YAML data.