Way to accomodate multiple CAs #494

New Issue

Closed

opened 2025-12-29 01:26:11 +01:00 by adam · 5 comments

adam commented 2025-12-29 01:26:11 +01:00

Owner

Copy Link

Originally created by @darix on GitHub (Sep 14, 2020).

I have one machine which uses LE for external certs and step CA for internal certificates.

Having an instantiated service in systemd makes this relatively simple to start dehydrated
with a different config file. But before we implement it I was wondering how we want to go about it

e.g. the unit file has

ExecStartPost=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
ExecStart=/usr/bin/dehydrated --cron

The first part is easy:

ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated/%i.conf

Should the instantiated service then keep using the shared postrun-hooks.d? or something like

ExecStartPost=-/usr/bin/find -L /etc/dehydrated/postrun-hooks-%i.d -maxdepth 1 -executable -type f -exec {} \;

do we want to have completely different config directories and just do:

ExecStartPost=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
ExecStart=/usr/bin/dehydrated --cron --config-dir /etc/dehydrated-%i

This would also avoid potential conflicts when both configs/domain.txt specify the same output filename.

Originally created by @darix on GitHub (Sep 14, 2020). I have one machine which uses LE for external certs and step CA for internal certificates. Having an instantiated service in systemd makes this relatively simple to start dehydrated with a different config file. But before we implement it I was wondering how we want to go about it e.g. the unit file has ``` ExecStartPost=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \; ExecStart=/usr/bin/dehydrated --cron ``` The first part is easy: ``` ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated/%i.conf ``` Should the instantiated service then keep using the shared postrun-hooks.d? or something like ``` ExecStartPost=-/usr/bin/find -L /etc/dehydrated/postrun-hooks-%i.d -maxdepth 1 -executable -type f -exec {} \; ``` do we want to have completely different config directories and just do: ``` ExecStartPost=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \; ExecStart=/usr/bin/dehydrated --cron --config-dir /etc/dehydrated-%i ``` This would also avoid potential conflicts when both configs/domain.txt specify the same output filename.

adam closed this issue 2025-12-29 01:26:11 +01:00

adam commented 2025-12-29 01:26:11 +01:00

Author

Owner

Copy Link

@lukas2511 commented on GitHub (Nov 14, 2020):

Tbh I think this is something you have to decide for yourself. I have no insight in your particular setup and in some cases it might make sense to reuse hooks, in others it might completely differ.

@lukas2511 commented on GitHub (Nov 14, 2020): Tbh I think this is something you have to decide for yourself. I have no insight in your particular setup and in some cases it might make sense to reuse hooks, in others it might completely differ.

adam commented 2025-12-29 01:26:12 +01:00

Author

Owner

Copy Link

@darix commented on GitHub (Nov 14, 2020):

Well some of the problems could be made a lot easier if the code is already written with the multi CA handling in mind. And if this would be an upstream feature then all distros would use the same code for this and not everyone inventing their own.

@darix commented on GitHub (Nov 14, 2020): Well some of the problems could be made a lot easier if the code is already written with the multi CA handling in mind. And if this would be an upstream feature then all distros would use the same code for this and not everyone inventing their own.

adam commented 2025-12-29 01:26:13 +01:00

Author

Owner

Copy Link

@lukas2511 commented on GitHub (Nov 14, 2020):

Well some of the problems could be made a lot easier if the code is already written with the multi CA handling in mind. And if this would be an upstream feature then all distros would use the same code for this and not everyone inventing their own.

That would require really big changes in dehydrated, rewriting a lot of the loop logic.
Since I don't see much use of this feature for most users I think it'd easier if the very few people who need it just use a wrapper like you are seemingly trying to do.

@lukas2511 commented on GitHub (Nov 14, 2020): > Well some of the problems could be made a lot easier if the code is already written with the multi CA handling in mind. And if this would be an upstream feature then all distros would use the same code for this and not everyone inventing their own. That would require really big changes in dehydrated, rewriting a lot of the loop logic. Since I don't see much use of this feature for most users I think it'd easier if the very few people who need it just use a wrapper like you are seemingly trying to do.

adam commented 2025-12-29 01:26:13 +01:00

Author

Owner

Copy Link

@darix commented on GitHub (Nov 14, 2020):

well other option would be to have e.g. --config-dir option ... then we wouldnt need (cmdline) options for each and every file. that would make the whole process a lot easier already. I dont expect the whole multi CA thing implemented within dehydrated. but making the cmdline interface easier to launch it multiple times

@darix commented on GitHub (Nov 14, 2020): well other option would be to have e.g. --config-dir option ... then we wouldnt need (cmdline) options for each and every file. that would make the whole process a lot easier already. I dont expect the whole multi CA thing implemented within dehydrated. but making the cmdline interface easier to launch it multiple times

adam commented 2025-12-29 01:26:14 +01:00

Author

Owner

Copy Link

@jobe1986 commented on GitHub (Nov 14, 2020):

well other option would be to have e.g. --config-dir option ... then we wouldnt need (cmdline) options for each and every file. that would make the whole process a lot easier already. I dont expect the whole multi CA thing implemented within dehydrated. but making the cmdline interface easier to launch it multiple times

There is a "--config" (-f) option for specifying the path to a specific config file, in which you can configure various directories, including BASEDIR which would allow you to achieve the same goal.

Sure it would mean running dehydrated once for each config file, but it would allow you to use multiple CA's and keep their directories seperated.

@jobe1986 commented on GitHub (Nov 14, 2020): > well other option would be to have e.g. --config-dir option ... then we wouldnt need (cmdline) options for each and every file. that would make the whole process a lot easier already. I dont expect the whole multi CA thing implemented within dehydrated. but making the cmdline interface easier to launch it multiple times There is a "--config" (-f) option for specifying the path to a specific config file, in which you can configure various directories, including BASEDIR which would allow you to achieve the same goal. Sure it would mean running dehydrated once for each config file, but it would allow you to use multiple CA's and keep their directories seperated.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

sudo-env

testing

rfc8738

jsonsh

v0.7.2

v0.7.1

v0.7.0

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.1

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels

Complicated

bug

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

suggestions wanted

testing

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/dehydrated#494