Help with Dehydrated


#1

Hi
Working to LE an internet accessible LAN server. But there were errors. Below is what was done.

1 Download the files for installation

$ git clone https://github.com/lukas2511/dehydrated.git
$ git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git dehydrated/hooks/manual

2 As indicated by instruction, issued the following command

[name@awesome gitprojects]$ ./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

# WARNING !! No main config file found, using default config!

  • Generating account key…
  • Registering account key with ACME server…
    Processing nc.server.com with alternative names: www.nc.server.com
  • Signing domains…
  • Creating new directory /home/name/gitprojects/dehydrated/certs/nc.server.com …
  • Generating private key…
  • Generating signing request…
  • Requesting challenge for nc.server.com
  • Requesting challenge for www.nc.server.com
    /usr/bin/env: ruby: No such file or directory

First error: # !! WARNING !! No main config file found, using default config!
Second error: /usr/bin/env: ruby: No such file or directory

What/where is the main config file, and does ruby need to be installed? [I have installed ruby now]

Is there a trial run option?

Thanks


Centos 7 and DNS Challenge
#2

After installing ruby, dehydrated ran great!

THINGS TO THINK ABOUT

(1) Updated the zone files with the TXT record
(2) Remember to increment the record serial number
(3) The output instructions say: Leave TXT record in place to allow easier future refreshes.

THE SUCCESSFUL OUTPUT

[user@computer projects]# ./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb
!#
!! WARNING No main config file found, using default config!
!#
Processing nc.server.com with alternative names: www.nc.server.com

  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting challenge for nc.server.com
  • Requesting challenge for www.nc.server.com
    Checking for pre-existing TXT record for the domain: “_acme-challenge.nc.server.com”.
    Create TXT record for the domain: “_acme-challenge.nc.server.com”. TXT record:
    "poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH"
    Press enter when DNS has been updated…

Didn’t find a match for poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH
Waiting to retry…
Found poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH. match.

  • Responding to challenge for nc.server.com
    Challenge complete. Leave TXT record in place to allow easier future refreshes.
  • Challenge is valid!
    Checking for pre-existing TXT record for the domain: “_acme-challenge.www.nc.server.com”.
    Create TXT record for the domain: “_acme-challenge.www.nc.server.com”. TXT record:
    "IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui"
    Press enter when DNS has been updated…

Didn’t find a match for IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui
Waiting to retry…
Found IUYYUFJHuoiyrehgvOIUKJIOYfdtfuy6574FJHkljofui. match.

  • Responding to challenge for www.nc.server.com
    Challenge complete. Leave TXT record in place to allow easier future refreshes.
  • Challenge is valid!
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!
    [user@computer projects]#
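The two things to think about above (publish the TXT record, bump the serial) can be checked before answering the hook's "Press enter when DNS has been updated" prompt. This is an added example, not code from the thread or from the dehydrated or manual-hook projects; the zone text is constructed and the token is the one shown in the output above.

```shell
#!/bin/sh
# Pre-flight checks on a BIND-style zone file before pressing enter at the hook prompt.
# Assumes the SOA record carries no numeric TTL on its own line (serial is the first
# all-digit field after "SOA") and that TXT owner names are written as FQDNs.

# Print the SOA serial of zone file $1.
zone_serial() {
  awk '/[[:space:]]SOA[[:space:]]/ { f = 1 }
       f { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# Succeed if zone file $1 publishes TXT "$3" under _acme-challenge.$2
# (owner name accepted with or without the trailing dot).
has_acme_txt() {
  awk -v n="_acme-challenge.$2" -v t="\"$3\"" '
    ($1 == n || $1 == (n ".")) && / TXT / {
      for (i = 1; i <= NF; i++) if ($i == t) found = 1
    }
    END { exit !found }' "$1"
}

# Succeed if new serial $2 is strictly greater than old serial $1.
serial_incremented() { [ "$2" -gt "$1" ]; }

# $1=zone file $2=previous serial $3=fqdn $4=token printed by the hook
preflight() {
  serial_incremented "$2" "$(zone_serial "$1")" || { echo "serial not incremented"; return 1; }
  has_acme_txt "$1" "$3" "$4" || { echo "no TXT for _acme-challenge.$3"; return 1; }
  echo "ok: zone ready for $3"
}

# Constructed sample zone, as it should look after steps (1) and (2).
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 3600
@   IN SOA ns1.server.com. hostmaster.server.com. (
        2017030502 ; serial, incremented from 2017030501
        7200 3600 1209600 3600 )
@   IN NS  ns1.server.com.
nc  IN A   192.0.2.10
_acme-challenge.nc.server.com. IN TXT "poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH"
EOF

preflight "$SAMPLE_ZONE" 2017030501 nc.server.com poeewo0ljfa098ED0-098eoeq09qrojlanHO8Y5VPB3JLH
```

The check reads the zone file you edited; the hook itself still queries DNS, so a stale secondary or cached resolver can still make it print "Didn't find a match" for a while.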

Centos 7 and DNS Challenge
#3

How To Check For A Renewal Of The Dehydrated Certificate

NOTE
The certificates have already been obtained and are working as expected.

After spending time to understand dehydrated renewal here is what was learned:

(1) The renewal requires the running of the [same | exact] command used to obtain certificates

(2) Documentation and the original output suggest: “Leave TXT record in place to allow easier future refreshes”. The TXT record seems to be used to [obtain|check] renewal.

Therefore, the command to [obtain|check] dehydrated renewal is the same as the command to obtain a dehydrated certificate. Having the control of the server allows the use of the manual method.


The command is:

./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

The output shows the certificate is not 30 days old, so the renewal is skipped.

WARNING !! No main config file found, using default config!

Processing nc.server.com with alternative names: www.nc.server.com

  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till Apr 4 01:59:00 2017 GMT (Longer than 30 days). Skipping renew!


#4

If you set up the config files (/etc/dehydrated/config and /etc/dehydrated/domains.txt, IIRC), you can just run the command as “dehydrated -c”, and the remaining values will be read from those files. The recommendation with certbot is to run “certbot renew” daily; I’d expect the same would apply to dehydrated.


#5

Thanks @danb35

I was using this command:

./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

You recommend using:

./dehydrated -c

(1) Are there other switches|parameters|verbs for the location of domain.txt?
(2) What is the exact command? like this?

./dehydrated -c -f /path/to/config containing domain.txt/

Thanks!


#6

If you put config and domains.txt in /etc/dehydrated, there’s no need to specify the path for the config file or for domains.txt. I believe there are a couple of other directories that are checked as well, but /etc/dehydrated is where they are on my system. The dehydrated script is in /usr/local/bin, so it’s in my PATH. After the config and domains.txt files are there, all I do is call “dehydrated -c” from a cron job once a day, and it keeps eight separate certs (for eight different hosts) up to date.


#7

Very nice. I appreciate the clarification. Thanks a lot @danb35 :slight_smile:


#8

@danb35

  1. domains.txt is edited and set up in the same location as the dehydrated script.

  2. Is it necessary to move or even use config because, except for -t dns-01, the default settings will be used, as indicated by “!!WARNING No main config file found, using default config!”?

  3. Is manual_hook.rb needed, since the certificate has been granted and the goal is renewal?

  4. Do any of these command scenarios have promise or make sense to use?

Using manual_hook.rb and default config except for -t dns-01
./dehydrated -c -t dns-01 -k ./dehydrated/hooks/manual/manual_hook.rb

Not using manual_hook.rb but using default config except for -t dns-01
./dehydrated -c -t dns-01

What is your suggestion? Thanks


#9

I think they make sense, but I haven’t used the DNS challenge with dehydrated, so it’s hard to say for sure. But both of those parameters could be put into the config file if desired.
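The two switches moved into the config file, as suggested above. This is an added example, not a file from the thread or from the dehydrated project; the keys are dehydrated's documented config variables, while the file paths and the hook location are assumptions chosen to reproduce the command used in this thread.

```shell
# /etc/dehydrated/config (constructed example; dehydrated sources this file as shell)
CHALLENGETYPE="dns-01"                                          # replaces -t dns-01
HOOK="/usr/local/share/dehydrated/hooks/manual/manual_hook.rb"  # replaces -k ... (assumed path)
DOMAINS_TXT="/etc/dehydrated/domains.txt"                       # replaces the -d arguments
RENEW_DAYS="30"   # the "Longer than 30 days. Skipping renew!" threshold seen in post #3

# /etc/dehydrated/domains.txt holds one line per certificate: the primary name
# followed by its alternative names, matching the -d order used above:
#   nc.server.com www.nc.server.com
#
# With both files in place the daily cron entry from post #6 reduces to
# (time of day is an assumption):
#   0 3 * * * /usr/local/bin/dehydrated -c
```

The manual hook still stops at "Press enter when DNS has been updated", so an unattended cron run only completes once the hook has been replaced by one that updates DNS itself.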


#10

Thanks @danb35

@schoen do you have any thoughts about this?


#11

Sorry to say, I have also not used this setup.

