How to Auto-Update SSL Certificates in SafeLine WAF via File Sync

Sharon

Tired of manually uploading SSL certificates through the web interface every time they renew? You’re not alone. Many SafeLine WAF users have asked for a more automated way to manage certificate updates — especially those using tools like certbot or acme.sh.

Starting with SafeLine WAF v7.2.0, there’s now a solution: auto-reloading SSL certificates from a predefined directory, without needing to touch the web UI again.

Here’s how it works.

Why This Feature Matters

These were some real community feature requests:

  • “[Feature] Support loading SSL certs via path”

  • “[Bug] Certificate expiration not refreshed after manual file update + container restart”

  • “Suggestion: Integrate certbot/acme.sh for automated SSL deployment”

SafeLine listened — and built it in.

✅ Requirements

  • SafeLine WAF version 7.2.0 or later

  • One-time certificate upload via the UI (to register it)

  • Your certbot/acme.sh process must overwrite the correct file path

📁 One-Time Upload to Register Your Cert

Before using auto-update, you still need to upload the certificate once manually. This lets SafeLine know a cert exists and registers it in the internal config.

🔍 Locate the Certificate Files

SafeLine stores certificates under:

/data/safeline/resources/nginx/certs/

Example:

ls -lh /data/safeline/resources/nginx/certs/
total 8.0K
-rw-r--r-- 1 root root 1.4K Nov 22 18:15 cert_1.crt
-rw-r--r-- 1 root root 1.7K Nov 22 18:15 cert_1.key

These are the .crt and .key files SafeLine uses internally.

🔁 Automate with certbot or acme.sh

Once your certificate is issued or renewed using certbot, simply overwrite the files in the certs directory.

For example, you can use a hook or cron job like this:

cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /data/safeline/resources/nginx/certs/cert_1.crt
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /data/safeline/resources/nginx/certs/cert_1.key

The same approach works with acme.sh: have it overwrite the same two files after each renewal.
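The copy step above, written as a certbot deploy hook that checks the renewed pair before it overwrites the registered files, so a mismatched key or an expired certificate is never picked up by the next reload. This is an added example, not code from the article or the SafeLine project: the function names and the CERT_DIR / CERT_NAME overrides are illustrative, and it assumes openssl is installed and that certbot sets RENEWED_LINEAGE for the hook.

```shell
#!/bin/sh
# Added example (not from the article or the SafeLine project).
# The certs directory and the cert_1 name are the article's; the function
# names and the CERT_DIR / CERT_NAME overrides are illustrative.
CERT_DIR="${CERT_DIR:-/data/safeline/resources/nginx/certs}"
CERT_NAME="${CERT_NAME:-cert_1}"

# True only if the private key belongs to the first (leaf) cert in the file.
pair_matches() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# install_pair SRC_CERT SRC_KEY DEST_DIR NAME
install_pair() (
    crt="$3/$4.crt"; key="$3/$4.key"
    # The article requires a one-time UI upload, so both targets must exist.
    [ -f "$crt" ] && [ -f "$key" ] || { echo "$4 not registered in $3" >&2; exit 2; }
    pair_matches "$1" "$2" || { echo "key does not match certificate" >&2; exit 3; }
    # Refuse a certificate that is already expired or expires within a day.
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "certificate expired or about to expire" >&2; exit 4; }
    # Nothing to do if both files are already current.
    if cmp -s "$1" "$crt" && cmp -s "$2" "$key"; then exit 0; fi
    # Overwrite in place, as in the article; cp keeps the targets' mode and owner.
    cp "$1" "$crt" && cp "$2" "$key" || exit 5
    pair_matches "$crt" "$key" || { echo "installed pair is inconsistent" >&2; exit 6; }
)

# certbot sets RENEWED_LINEAGE to the live/<domain> directory for deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_pair "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        "$CERT_DIR" "$CERT_NAME"
fi
```

Saved as an executable file, the script can be passed to certbot's --deploy-hook; a non-zero exit code leaves the previously installed pair untouched.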

🔄 How SafeLine Detects Changes

No restart needed. SafeLine will automatically reload certificates every hour. If the .crt or .key files have changed, the WAF will apply the updated certificates without downtime.

So once you’ve set it up, future renewals are hands-free.

🧠 Pro Tips

  • Use a --deploy-hook with certbot or acme.sh to auto-copy updated files

  • Combine with systemd timers or cron for zero-touch automation

  • If the expiration date doesn’t update in the UI immediately, just wait for the hourly reload — or restart the container manually if you need it sooner

Final Thoughts

This small but powerful feature helps bridge the gap between manual certificate management and fully automated DevOps pipelines.

With SafeLine WAF’s file-based SSL reload, managing HTTPS for your web apps becomes a seamless part of your CI/CD workflow.

No UI clicks. No downtime. Just automation that works.
