Please note that dehydrator is under development and not available for download yet.  It is in production use though, and I will make it available June 2019.

is a multi-function PHP script to obtain, perform custom hook script actions, and distribute via SSH/rsync, SSL/TLS certificates obtained from the LetsEncrypt Certificate Authority operated by the Electronic Frontier Foundation, using the dehydrated ACME client and DNS-01 protocol.

Concept and Theory of operation:

Originally, I tried to use Certbot as my LetsEncrypt ACME client, but ran into issues with Python dependencies, and then other problems with using ACME HTTP protocol.  This led me to discover dehydrated, an ACME client written as a POSIX shell script, dependent only upon core userland tools, and which supports ACME DNS-01 protocol.  After I began using dehydrated, I found myself having to write a hook to call multiple hostname hooks per-certificate, doing a lot of hand-editing of dehydrated command-lines, a lot of manual distribution, and a lot of manual restarting of dependent services. I also wanted to know what certificates had expired.

My solution to this problem is dehydrator. which I refer to as a meta-client for dehydrateddehydrator does the following things:

  1. Functions as a wrapper around dehydrated, assembling certificate requests from its own configuration files, making CA requests using dehydrated
  2. Runs as a hook script for all certificate requests made via dehydrated, selecting and running other hook scripts as appropriate
  3. Optionally runs commands for any specific dehydrated hook event
  4. Distributes certificates using ssh/rsync, optionally runs a command on the remote associated with the certificate, and optionally reloads dependent services on the destination system
  5. Enforces security policy on the dehydrator host and optionally on the remote certificates
  6. Gathers and reports errors
  7. Shows status of all configured certificates
  8. Performs a self-check to ensure it has all the information it needs for each certificate



You can ask for help with Dehydrator on the mailing list.

License, Documentation:

View the current: README  License (GPL)

Version history:

Requirements, Download(s):

Requires PHP-CLI 5.6 or greater.   It needs to have PRCE and OpenSSL compiled in or loaded as an extension.  Virtually all PHP installations meet this requirement.  You also need dehydrated and its dependencies, Bash, awk, sed, grep, mktemp, and cURL.  Virtually all Linux installations meet this requirement with the possible exception of cURL, which is generally available without pulling your hair out.

Mailing List

Mailing list | Archives