Forge Home


Manages Let's encrypt certificates using dehydrated


291 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 7.0.0 (latest)
  • 6.0.0
  • 5.0.0
  • 4.1.1
  • 4.1.0
  • 4.0.0
  • 3.1.0
  • 3.0.0
  • 2.4.1
  • 2.4.0
released Jul 7th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • ,
  • cleanup
  • renew
  • renew

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'opuscodium-dehydrated', '7.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add opuscodium-dehydrated
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install opuscodium-dehydrated --version 7.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



opuscodium/dehydrated — version 7.0.0 Jul 7th 2023


Build Status Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores License

Table of Contents

Module Description

The dehydrated module lets you use Puppet to manage Let's Encrypt certificates creation and renewal using dehydrated.


Beginning with dehydrated

Let's encrypt needs a contact address that must be passed to the dehydrated class:

class { 'dehydrated':
  contact_email => '',

This is enough to get started and creating certificates.


Generate a simple certificate

After including the required dehydrated class, each dehydrated::certificate will produce a single certificate file:

class { 'dehydrated':
  contact_email => '',

dehydrated::certificate { '':

Generate a certificate with SAN

A dehydrated::certificate can use the domains parameter to indicate Subject Alternative Names (SAN).

class { 'dehydrated':
  contact_email => '',

dehydrated::certificate { '':
  domains => [

Use DNS-01 hook

Examples of dns-01

Hook must wait until DNS records are really synced across public DNS servers and only then finish. Otherwise Let's Encrypt won't find the records from their side and dehydrated run will fail.

class { 'dehydrated':
  contact_email => '',
  challengetype => 'dns-01',
  hook          => '/home/dehydrated/',
  timeout       => 600,

dehydrated::certificate { '':

Renewing certificates with cron

The cron_integration parameter of the dehydrated class configures cron to renew certificates before they expire.

class { 'dehydrated':
  contact_email    => '',
  cron_integration => true,

Please note that the web server is not automatically restarted when certificates are renewed.

Serving challenges with Apache

The apache_integration parameter of the dehydrated class configures apache to serve the challenges used for domain validation.

The following example redirect all HTTP requests to HTTPS except those related to letsencrypt's validation:

include ::apache
include ::apache::mod::rewrite

class { 'dehydrated':
  contact_email      => '',
  apache_integration => true,

apache::vhost { 'main':
  port           => 80,
  default_vhost  => true,
  docroot        => '/var/empty',
  manage_docroot => false,
  directories    => [
      path     => '/var/empty',
      rewrites => [
          rewrite_rule => '.* https://%{HTTP_HOST}%{REQUEST_URI} [R=301]',