host.rb is a hook, driven by hook.sh, for Dehydrated to get certificates from Let's Encrypt using the dns-01 challenge-response method, for Dyn Managed DNS.
It uses the official dyn-rb gem to access the Dyn REST API, configured using Dehydrated's config file.
The dns-01 challenge-response is useful because it lets you get all of your certs from one ACME client, to save you littering clients on every host in your infrastructure that needs a cert. That's especially useful for hosts where you can't install and operate a client, like routers, where certificates can still be installed.
It's a much more sensible method than the HTTP challenge-response method for that reason.
- Clone Dehydrated
- Clone this hook
- Configure Dehydrated (
configfile) to tell it where the hook is, provide your Dyn account details, and provide a path tohook.rbforhook.shto call - Setup your
domains.txt - Run Dehydrated and get certificates
Here's an example config for Dehydrated. Set it up to your own liking.
CA="https://acme-staging.api.letsencrypt.org/directory"
HOOK=/path/to/hook.sh
CHALLENGETYPE="dns-01"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
CONTACT_EMAIL="[email protected]"
# config for hook.sh and host.rb
export DYN_ACCOUNTNAME="yourdynaccountname"
export DYN_USERNAME="yourdynapiusername"
export DYN_PASSWORD="yourdynapipassword"
export HOST_RB=/path/to/host.rb
- In the
configabove, I'm using the staging Let's Encrypt directory. Please test against that yourself before making live requests. - It doesn't handle Dehydrated's calls to
unchanged_certordeploy_certinhook.sh. You might want to fill those in to do something useful on your setup, after Dehydrated gets your certs. - If it wasn't obvious,
host.rbis Ruby code, so you'll need a functioning Ruby and thedyn-rbgem for the hook to execute properly. - The 5 second sleeps in
host.rbmight not be necessary, they just helped me debug the order of interaction between Dehydrated and how it calls a configured hook.