Automate SSL Renewal for SafeLine WAF with DNS-01 Challenge

Sharon

Tired of manually renewing your SSL certificates every 90 days?

Cloud providers have reduced the validity of their free SSL certs from 1 year to just 3 months. While SafeLine WAF supports Let’s Encrypt out of the box, it lacks automatic renewal. That’s where this automation tool comes in — saving you time and reducing downtime.

🔧 What This Tool Does

This Go-based utility automatically renews your SafeLine SSL certificates using Let’s Encrypt’s DNS-01 challenge. It supports several major DNS providers out of the box:

  • Tencent Cloud
  • Aliyun (Alibaba Cloud)
  • Huawei Cloud
  • West.cn
  • Rainyun

Don’t see your DNS provider? Leave a comment on the GitHub repo — the author is open to adding more.

GitHub: https://github.com/Wink541/SafelineAPI

Mirror (Gitea): https://gitea.doicat.com/duoduo/SafelineAPI

🚀 Getting Started

1. Clone the Repo

git clone https://github.com/Wink541/SafelineAPI
cd SafelineAPI

2. Build the Binary

# Build for the current platform
go build -o safelineApi ./cmd/safelineApi/main.go
# Optional: cross-compile by setting GOOS/GOARCH for this one build
# GOOS options: linux / windows / darwin; GOARCH options: amd64 / arm64
GOOS=linux GOARCH=amd64 go build -o safelineApi ./cmd/safelineApi/main.go

3. Edit Config File

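Create a config.json with the following structure. The file stores the SafeLine API token and your DNS provider credentials in plain text, so keep it readable only by the account that runs the tool: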

{
  "SafeLine": {
    "Host": {
      "HostName": "192.168.1.4",
      "Port": "1443"
    },
    "ApiToken": "your-safeline-token"
  },
  "ApplyCert": {
    "Days": 30,
    "Email": "your@email.com",
    "SavePath": "/tmp/ssl",
    "DNSProviderConfig": {
      "DNSProvider": "TencentCloud",
      "TencentCloud": {
        "SecretId": "your-id",
        "SecretKey": "your-key"
      },
      "AliCloud": {
        "AccessKeyId": "your-id",
        "AccessKeySecret": "your-secret"
      },
      "HuaweiCloud": {
        "AccessKeyId": "your-id",
        "Region": "cn-east-2",
        "SecretAccessKey": "your-key"
      },
      "WestCN": {
        "Username": "your-username",
        "Password": "your-password"
      },
      "RainYun": {
        "ApiKey": "your-api-key"
      }
    }
  }
}

4. Run the Tool

./safelineApi ./config.json

5. (Optional) Add a Cron Job

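To automate renewal every month, add an entry like the one below to /etc/crontab or a file under /etc/cron.d (the user field, root, is only valid there). It runs at midnight on the 1st and 31st, and each run overwrites app.log with the tool's output and errors:

0 0 1,31 * * root /opt/safelineApi/safelineApi /opt/safelineApi/config.json > /opt/safelineApi/app.log 2>&1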
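
A pre-flight check for the config.json from step 3, as an added example that is not part of SafelineAPI: it flags a config file readable by other users, empty or placeholder credentials for the selected DNSProvider, and a SavePath directory open to other users. LintConfig is a hypothetical helper, and the SavePath check assumes issued certificates and keys are written there.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// LintConfig (added helper, not part of SafelineAPI) reports risky config.json settings.
func LintConfig(path string) (out []string, err error) {
	var cfg struct { // only the fields this check reads
		ApplyCert struct {
			SavePath          string
			DNSProviderConfig map[string]json.RawMessage
		}
	}
	raw, err := os.ReadFile(path)
	if err == nil {
		err = json.Unmarshal(raw, &cfg)
	}
	if err != nil {
		return nil, err
	}
	if st, e := os.Stat(path); e == nil && st.Mode().Perm()&0o077 != 0 {
		out = append(out, fmt.Sprintf("%s is mode %04o but holds secrets; chmod 600", path, st.Mode().Perm()))
	}
	dns, name, creds := cfg.ApplyCert.DNSProviderConfig, "", map[string]string{}
	_ = json.Unmarshal(dns["DNSProvider"], &name) // name stays "" if the key is absent
	if block, ok := dns[name]; !ok || name == "DNSProvider" {
		out = append(out, fmt.Sprintf("DNSProvider %q has no credential block", name))
	} else if err = json.Unmarshal(block, &creds); err != nil {
		return nil, err
	}
	for k, v := range creds { // only the selected provider's block is checked
		if v == "" || strings.HasPrefix(v, "your-") {
			out = append(out, fmt.Sprintf("%s.%s is empty or a placeholder", name, k))
		}
	}
	// Assumption: issued certificates and private keys are written under SavePath.
	if d, e := os.Stat(cfg.ApplyCert.SavePath); e == nil && d.Mode().Perm()&0o077 != 0 {
		out = append(out, cfg.ApplyCert.SavePath+" is accessible to other users")
	}
	return out, nil
}

func main() {
	fmt.Println(LintConfig("config.json")) // prints the findings slice, then the error
}
```

Run it from the directory that holds config.json before scheduling the cron job; an empty findings list means none of the three conditions applied.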

🧪 Example Output

Before execution:

Certificates close to expiry (under 90 days)

Log output after running the tool:

[SUCCESS] 2025/04/15 21:36:07 SafeLine config validated!
[INFO]    2025/04/15 21:36:08 Starting certificate renewal...
[INFO]    2025/04/15 21:36:10 Using DNS-01 challenge for domain [www.doicat.com]
[INFO]    2025/04/15 21:36:14 DNS record propagation successful
[SUCCESS] 2025/04/15 21:36:43 Certificate for [www.doicat.com] updated!

After execution:

Certificates renewed successfully ✅

✍️ Final Thoughts

This simple Go tool solves a real-world pain: automating SSL renewals for SafeLine WAF. If you’re tired of getting those “certificate expired” warnings, this tool’s for you.

The project is still evolving — feel free to contribute or suggest improvements on GitHub!
