Skip to content

Back to blog

Automating Renewals with --auto-renew and `sslmate download`

Historically, buying and renewing SSL certificates has been burdensome. You'd have to generate a private key and a CSR by hand using long openssl commands that ask irrelevant questions. Then you'd have to copy and paste the CSR into a multi-step online form, wait for your certificate to be emailed to you, and then copy it to your server. Multiply this by many different domains and servers, and soon you're spending way too much time managing SSL certificates.

This hassle has had a number of undesirable consequences. First, HTTPS usage is lower than it should be. Second, web site operators buy certificates for terms as long as five years, which is bad because such long-term certificates don't get refreshed with the latest cryptographic best practices, a problem we are currently facing with the transition away from SHA-1 certificates. And finally, the manual nature of renewals means that even popular and otherwise well-run websites sometimes forget to renew, leaving their visitors unable to connect.

SSLMate already makes purchasing a certificate simple: just run sslmate buy from the command line, and the key and CSR are automatically generated, and once approved, the certificate is downloaded straight to the server where you ran sslmate. Today SSLMate is pleased to announce the next step in the evolution of certificate management: automated renewals.

The first half of automated renewals is accomplished with the --auto-renew option to the sslmate buy command. If you include this option when buying a certificate, SSLMate will automatically renew your certificate when it is about to expire, charging your credit card on file. You can toggle the auto-renew setting for already-purchased certificates by visiting your certificate dashboard, and can make --auto-renew the default for new certificates by changing a setting on your account page.

Once a certificate is renewed, you have to install the new certificate on your server. There are two ways you can do this. The manual way is to wait for SSLMate to email the new certificate to you. The email will contain a download link which you can download straight to your server with wget or curl — no need to open an attachment, extract a Zip file, scp files around, or do any other inconvenient nonsense. Or, you can choose the automated way with the sslmate download command.

sslmate download downloads the latest version of a certificate from your SSLMate account to your server. By default, it places certificates in /etc/sslmate. You can configure your web server to load its certificate from /etc/sslmate and put sslmate download in a cron job that runs daily. Thus, within a day of a certificate being renewed, the renewed certificate will be automatically downloaded to your server. sslmate download uses its exit status to indicate if a new certificate was downloaded or not, and you can use this to decide whether to restart your web server. For example:

#!/bin/sh if sslmate download > /dev/null then service apache2 restart > /dev/null fi

To learn more, consult our documentation on renewals and downloads.