How to Auto-Update SSL Certificates in SafeLine WAF via File Sync

Tired of manually uploading SSL certificates through the web interface every time they renew? You’re not alone. Many SafeLine WAF users have asked for a more automated way to manage certificate updates — especially those using tools like certbot or acme.sh.
Starting with SafeLine WAF v7.2.0, there’s now a solution: auto-reloading SSL certificates from a predefined directory, without needing to touch the web UI again.
Here’s how it works.
Why This Feature Matters
These were some real community feature requests:
“[Feature] Support loading SSL certs via path”
“[Bug] Certificate expiration not refreshed after manual file update + container restart”
“Suggestion: Integrate certbot/acme.sh for automated SSL deployment”
SafeLine listened — and built it in.
✅ Requirements
SafeLine WAF version 7.2.0 or later
One-time certificate upload via the UI (to register it)
Your certbot/acme.sh process must overwrite the correct file path
📁 One-Time Upload to Register Your Cert
Before using auto-update, you still need to upload the certificate once manually. This lets SafeLine know a cert exists and registers it in the internal config.
🔍 Locate the Certificate Files
SafeLine stores certificates under:
/data/safeline/resources/nginx/certs/
Example:
ls -lh /data/safeline/resources/nginx/certs/
total 8.0K
-rw-r--r-- 1 root root 1.4K Nov 22 18:15 cert_1.crt
-rw-r--r-- 1 root root 1.7K Nov 22 18:15 cert_1.key
These are the .crt and .key files SafeLine uses internally.
🔁 Automate with certbot or acme.sh
Once your certificate is issued or renewed using certbot, simply overwrite the files in the certs directory.
For example, you can use a hook or cron job like this:
cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /data/safeline/resources/nginx/certs/cert_1.crt
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /data/safeline/resources/nginx/certs/cert_1.key
This integrates perfectly with acme.sh as well.
🔄 How SafeLine Detects Changes
No restart needed. SafeLine will automatically reload certificates every hour. If the .crt or .key files have changed, the WAF will apply the updated certificates without downtime.
So once you’ve set it up, future renewals are hands-free.
🧠 Pro Tips
Use a --deploy-hook with certbot or acme.sh to auto-copy updated files
Combine with systemd timers or cron for zero-touch automation
If the expiration date doesn’t update in the UI immediately, just wait for the hourly reload — or restart the container manually if you need it sooner
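The copy step above as a deploy hook that checks the renewed pair before overwriting what the WAF serves (an added example, not SafeLine's or certbot's own code). It assumes the registered certificate is cert_1 as in the listing; the LIVE_DIR, CERT_DIR and CERT_NAME overrides and the --run switch are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: validate a renewed cert/key pair, then overwrite SafeLine's copies.
# RENEWED_LINEAGE is set by certbot when it runs a deploy hook.
# LIVE_DIR, CERT_DIR and CERT_NAME are hypothetical overrides used for testing.

deploy_safeline_cert() {
    live_dir="${LIVE_DIR:-${RENEWED_LINEAGE:-/etc/letsencrypt/live/yourdomain.com}}"
    cert_dir="${CERT_DIR:-/data/safeline/resources/nginx/certs}"
    name="${CERT_NAME:-cert_1}"
    src_crt="$live_dir/fullchain.pem"; src_key="$live_dir/privkey.pem"
    dst_crt="$cert_dir/$name.crt";     dst_key="$cert_dir/$name.key"

    # Fail closed: without openssl the pair cannot be validated.
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }

    # Only overwrite files that the one-time UI upload already created.
    if [ ! -f "$dst_crt" ] || [ ! -f "$dst_key" ]; then
        echo "$name is not registered in $cert_dir" >&2; return 3
    fi

    # The leaf certificate's public key must match the private key.
    crt_pub=$(openssl x509 -in "$src_crt" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$src_key" -pubout 2>/dev/null) || return 4
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match, nothing copied" >&2; return 4
    fi

    # Refuse to deploy a certificate that has already expired.
    openssl x509 -in "$src_crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate is expired, nothing copied" >&2; return 5; }

    # Nothing to do when both files are already current (cron-driven runs).
    if cmp -s "$src_crt" "$dst_crt" && cmp -s "$src_key" "$dst_key"; then
        return 0
    fi

    # cp into the existing files keeps their owner and mode.
    cp "$src_crt" "$dst_crt" && cp "$src_key" "$dst_key"
}

# Runs only when invoked with --run, e.g. from a certbot --deploy-hook.
if [ "${1:-}" = "--run" ]; then
    deploy_safeline_cert
fi
```

A non-zero exit leaves the existing cert_1 files untouched, so a bad renewal does not reach the hourly reload.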
Final Thoughts
This small but powerful feature helps bridge the gap between manual certificate management and fully automated DevOps pipelines.
With SafeLine WAF’s file-based SSL reload, managing HTTPS for your web apps becomes a seamless part of your CI/CD workflow.
No UI clicks. No downtime. Just automation that works.
📣 Join the Community
Interested in WAFs and open-source security tools? Click below to join the SafeLine Community Group and geek out with us!