(1) Updated the zone files with the TXT record
(2) Remember to increment the record serial number
(3) The output instructions say: Leave TXT record in place to allow easier future refreshes.
THE SUCCESSFUL OUTPUT
[user@computer projects]# ./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb
!#
!! WARNING No main config file found, using default config!
!#
Processing nc.server.com with alternative names: www.nc.server.com
Requesting challenge for www.nc.server.com…
Checking for pre-existing TXT record for the domain: “_acme-challenge.nc.server.com”.
Create TXT record for the domain: “_acme-challenge.nc.server.com”. TXT record:
"poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH"
Press enter when DNS has been updated…
Didn’t find a match for poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH
Waiting to retry…
Found poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH. match.
Responding to challenge for nc.server.com…
Challenge complete. Leave TXT record in place to allow easier future refreshes.
Challenge is valid!
Checking for pre-existing TXT record for the domain: “_acme-challenge.www.nc.server.com”.
Create TXT record for the domain: “_acme-challenge.www.nc.server.com”. TXT record:
"IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui"
Press enter when DNS has been updated…
Didn’t find a match for IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui
Waiting to retry…
Found IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui. match.
Responding to challenge for www.nc.server.com…
Challenge complete. Leave TXT record in place to allow easier future refreshes.
How To Check For A Renewal Of The Dehydrated Certificate
NOTE
The certificates have already been obtained and are working as expected.
After spending time to understand dehydrated renewal, here is what was learned:
(1) The renewal requires the running of the [same | exact] command used to obtain certificates
(2) Documentation and the original output suggest: “Leave TXT record in place to allow easier future refreshes.” The TXT record seems to be used to [obtain|check] renewal.
Therefore, the command to [obtain|check] dehydrated renewal is the same as the command to obtain a dehydrated certificate. Having the control of the server allows the use of the manual method.
If you set up the config files (/etc/dehydrated/config and /etc/dehydrated/domains.txt, IIRC), you can just run the command as “dehydrated -c”, and the remaining values will be read from those files. The recommendation with certbot is to run “certbot renew” daily; I’d expect the same would apply to dehydrated.
If you put config and domains.txt in /etc/dehydrated, there’s no need to specify the path for the config file or for domains.txt. I believe there are a couple of other directories that are checked as well, but /etc/dehydrated is where they are on my system. The dehydrated script is in /usr/local/bin, so it’s in my PATH. After the config and domains.txt files are there, all I do is call “dehydrated -c” from a cron job once a day, and it keeps eight separate certs (for eight different hosts) up to date.
domains.txt is edited and set up in the same location as the dehydrated script.
Is it necessary to move or even use config, because except for -t dns-01, the default settings will be used, as indicated by “!! WARNING No main config file found, using default config!”?
Is manual_hook.rb needed, since the certificate has been granted and the goal is renewal?
Do any of these command scenarios have promise or make sense to use?
Using manual_hook.rb and default config except for -t dns-01
./dehydrated -c -t dns-01 -k ./dehydrated/hooks/manual/manual_hook.rb
Not using manual_hook.rb but using default config except for -t dns-01
./dehydrated -c -t dns-01
I think they make sense, but I haven’t used the DNS challenge with dehydrated, so it’s hard to say for sure. But both of those parameters could be put into the config file if desired.
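Added example (not part of the thread and not dehydrated's own code): a small shell helper that writes the -t dns-01 and -k values from the command above into config, puts the two names on one domains.txt line, and shows which -d flags each domains.txt line stands for. The function names and the scratch directory are assumptions for illustration; note that the manual hook in the output above stops at “Press enter when DNS has been updated…”, so a cron run using it would wait at that prompt.

```shell
#!/bin/sh
# Added example, not from the thread. CHALLENGETYPE and HOOK are dehydrated's
# config-file settings corresponding to the -t and -k flags.

# write_dehydrated_conf DIR HOOK_PATH NAME [ALT_NAME...]
# Writes DIR/config and DIR/domains.txt (one line per certificate).
write_dehydrated_conf() {
    dir=$1; hook=$2; shift 2
    mkdir -p "$dir" || return 1
    {
        printf 'CHALLENGETYPE="dns-01"\n'
        # An absolute hook path is safer under cron, whose working
        # directory is not the directory you ran the command from.
        printf 'HOOK="%s"\n' "$hook"
    } > "$dir/config"
    printf '%s\n' "$*" > "$dir/domains.txt"
}

# domains_to_flags FILE
# Prints, for each certificate line, the equivalent -d flags.
# Runs in a subshell with globbing off so "*.example.org" stays literal.
domains_to_flags() (
    set -f
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        flags=
        for name in $line; do
            # "> alias" sets a certificate alias, it is not a domain
            case $name in '>') break ;; esac
            flags="$flags -d $name"
        done
        printf '%s\n' "${flags# }"
    done < "$1"
)

# Constructed demo in a scratch directory; the reply above uses /etc/dehydrated.
demo=$(mktemp -d)
write_dehydrated_conf "$demo" ./dehydrated/hooks/manual/manual_hook.rb \
    nc.server.com www.nc.server.com
cat "$demo/config" "$demo/domains.txt"
domains_to_flags "$demo/domains.txt"
rm -rf "$demo"
```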