Automating Renewals with --auto-renew and `sslmate download`
Historically, buying and renewing SSL certificates has been burdensome. You'd have to generate a private key and a CSR by hand using long openssl commands that ask irrelevant questions. Then you'd have to copy and paste the CSR into a multi-step online form, wait for your certificate to be emailed to you, and then copy it to your server. Multiply this by many different domains and servers, and soon you're spending way too much time managing SSL certificates.
This hassle has had a number of undesirable consequences. First, HTTPS usage is lower than it should be. Second, website operators buy certificates for terms as long as five years, which is bad because such long-lived certificates don't get refreshed with the latest cryptographic best practices, a problem we are currently facing with the transition away from SHA-1 certificates. And finally, the manual nature of renewals means that even popular and otherwise well-run websites sometimes forget to renew, leaving their visitors unable to connect.
SSLMate already makes purchasing a certificate simple: just run sslmate buy www.example.com from the command line, and the key and CSR are generated automatically; once the certificate is approved, it is downloaded straight to the server where you ran sslmate. Today SSLMate is pleased to announce the next step in the evolution of certificate management: automated renewals.
The first half of automated renewals is accomplished with the --auto-renew option to the sslmate buy command. If you include this option when buying a certificate, SSLMate will automatically renew the certificate when it is about to expire, charging the credit card on file. You can toggle the auto-renew setting for already-purchased certificates from your certificate dashboard, and you can make --auto-renew the default for new certificates by changing a setting on your account page.
Once a certificate is renewed, the new certificate still has to be installed on your server. There are two ways to do this. The manual way is to wait for SSLMate to email the new certificate to you. The email contains a download link that you can fetch straight to your server with wget or curl, with no need to open an attachment, extract a Zip file, scp files around, or do any other inconvenient nonsense. The automated way is the sslmate download command.
sslmate download fetches the latest version of a certificate from your SSLMate account to your server. By default, it places certificates in /etc/sslmate.
You can configure your web server to load its certificate from /etc/sslmate and put sslmate download in a cron job that runs daily. Within a day of a certificate being renewed, the renewed certificate is then downloaded to your server automatically. Note that a web server reads its certificate files only at startup or reload, so a new file on disk does not take effect until the server is restarted or reloaded; until then, the old certificate is still served. sslmate download uses its exit status to indicate whether a new certificate was downloaded, and you can use this to decide whether to restart your web server. For example:
#!/bin/sh
# sslmate download exits 0 when it fetched a new certificate, so the
# restart runs only on the day a renewal actually lands on this server.
if sslmate download www.example.com > /dev/null
then
    service apache2 restart > /dev/null
fi
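A fuller version of that cron script, added here as an example and not taken from SSLMate's documentation: it refreshes several certificates in one run, reloads Apache at most once, and only does so after the configuration passes a syntax check, so a bad certificate file cannot take the running server down. The DOWNLOAD_CMD, CONFIGTEST_CMD and RELOAD_CMD variables are this example's own convention (they let the script be exercised without a live SSLMate account); their defaults are the commands the post describes, plus apachectl configtest. Like the post's own script, it treats any non-zero exit from sslmate download as "nothing new"; consult the download documentation if you need to tell an error apart from an already up-to-date certificate.

```shell
#!/bin/sh
# Cron-driven certificate refresh (added example, not SSLMate's own script).
# Usage: refresh-certs www.example.com mail.example.com   (hypothetical name)
#
# The three *_CMD variables are this example's own convention and can be
# overridden from the environment; the defaults are the commands the post describes.
# They are deliberately left unquoted when invoked so "sslmate download" splits
# into the command and its subcommand.
DOWNLOAD_CMD="${DOWNLOAD_CMD:-sslmate download}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"

# refresh_certs DOMAIN...
# Downloads each certificate and reloads the web server once if any of them changed.
# Exit status: 0 = new certificate(s) installed and server reloaded,
#              1 = nothing new, server left alone,
#              2 = new certificate(s) on disk but configtest failed, so no reload.
refresh_certs() {
    changed=0
    for domain in "$@"; do
        # sslmate download exits 0 when it fetched a new certificate. As in the
        # post's own script, any other exit status is treated as "nothing new";
        # stderr is not redirected, so cron still mails a real error.
        if $DOWNLOAD_CMD "$domain" >/dev/null; then
            changed=1
            echo "refresh_certs: new certificate downloaded for $domain"
        fi
    done
    [ "$changed" -eq 1 ] || return 1

    # Reloading into a broken configuration (for example a malformed or
    # truncated certificate file) would take the site down. Check first and
    # leave the running server, which is still serving a valid certificate,
    # untouched on failure.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        echo "refresh_certs: web server configtest failed, not reloading" >&2
        return 2
    fi
    # A graceful reload re-reads the certificate files without dropping
    # in-flight connections, unlike a full restart.
    $RELOAD_CMD >/dev/null
}

# Only act when invoked with domain names (e.g. from cron).
if [ "$#" -gt 0 ]; then
    refresh_certs "$@"
fi
```

Run it from a daily cron entry with the list of certificates this host serves; the exit status 2 path is the one worth alerting on, since it means a renewed certificate is sitting on disk but not yet in use.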
To learn more, consult our documentation on renewals and downloads.