CodeNewbie Community 🌱

Sharon428931

Auto-Renew SSL for SafeLine WAF Using DNS Challenge

Tired of manually renewing your SSL certificates every 90 days?

Cloud providers have reduced the validity of their free SSL certs from 1 year to just 3 months. While SafeLine WAF supports Let's Encrypt out of the box, it lacks automatic renewal. That’s where this automation tool comes in—saving you time and reducing downtime.

🔧 What This Tool Does

This Go-based utility automatically renews your SafeLine SSL certificates using Let's Encrypt’s DNS-01 challenge. It supports several major DNS providers out of the box:

  • Tencent Cloud
  • Aliyun (Alibaba Cloud)
  • Huawei Cloud
  • West.cn
  • Rainyun

Don’t see your DNS provider? Leave a comment on the GitHub repo—the author is open to adding more.

GitHub: https://github.com/Wink541/SafelineAPI

Mirror (Gitea): https://gitea.doicat.com/duoduo/SafelineAPI


🚀 Getting Started

1. Clone the Repo

git clone https://github.com/Wink541/SafelineAPI
cd SafelineAPI

2. Build the Binary

# Optional: cross-compile for another platform. Set these before building;
# go env -w persists the values for later builds.
go env -w GOOS=linux    # Options: linux / windows / darwin
go env -w GOARCH=amd64  # Options: amd64 / arm64

go build -o safelineApi ./cmd/safelineApi/main.go

3. Edit Config File

Create a config.json with the following structure:

{
  "SafeLine": {
    "Host": {
      "HostName": "192.168.1.4",
      "Port": "1443"
    },
    "ApiToken": "your-safeline-token"
  },
  "ApplyCert": {
    "Days": 30,
    "Email": "your@email.com",
    "SavePath": "/tmp/ssl",
    "DNSProviderConfig": {
      "DNSProvider": "TencentCloud",
      "TencentCloud": {
        "SecretId": "your-id",
        "SecretKey": "your-key"
      },
      "AliCloud": {
        "AccessKeyId": "your-id",
        "AccessKeySecret": "your-secret"
      },
      "HuaweiCloud": {
        "AccessKeyId": "your-id",
        "Region": "cn-east-2",
        "SecretAccessKey": "your-key"
      },
      "WestCN": {
        "Username": "your-username",
        "Password": "your-password"
      },
      "RainYun": {
        "ApiKey": "your-api-key"
      }
    }
  }
}

4. Run the Tool

./safelineApi ./config.json

5. (Optional) Add a Cron Job

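To automate renewal every month, add the entry below to /etc/crontab or a file under /etc/cron.d (the line includes a user field). It runs at midnight on the 1st and 31st and appends both stdout and stderr to app.log, so failed renewals leave a trace:

0 0 1,31 * * root /opt/safelineApi/safelineApi /opt/safelineApi/config.json >> /opt/safelineApi/app.log 2>&1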
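Because the config.json from step 3 holds the SafeLine API token and the DNS provider credentials, and the cron job runs the tool as root, a pre-flight audit of that file is worth running before scheduling it. The Go program below is an added example, not part of the SafelineAPI project: `auditConfig` and its findings are hypothetical, and it assumes the tool writes issued certificate material under `SavePath`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
)

// config mirrors only the config.json fields this audit reads.
type config struct {
	SafeLine  struct{ ApiToken string }
	ApplyCert struct {
		SavePath          string
		DNSProviderConfig map[string]json.RawMessage
	}
}

// auditConfig returns findings for a config.json body and that file's mode.
func auditConfig(raw []byte, mode fs.FileMode) ([]string, error) {
	var c config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var out []string
	if mode.Perm()&0o077 != 0 { // any group/other permission bit set
		out = append(out, fmt.Sprintf("mode %04o exposes secrets; use 0600", uint32(mode.Perm())))
	}
	if p := c.ApplyCert.SavePath; p == "/tmp" || strings.HasPrefix(p, "/tmp/") { // assumed cert output dir
		out = append(out, "SavePath "+p+" is under world-writable /tmp")
	}
	dns, provider := c.ApplyCert.DNSProviderConfig, ""
	json.Unmarshal(dns["DNSProvider"], &provider) // stays "" if the key is absent
	var section map[string]string
	if json.Unmarshal(dns[provider], &section) != nil || section == nil {
		out = append(out, "no usable credential section for DNSProvider "+provider)
		section = map[string]string{}
	}
	section["SafeLine.ApiToken"] = c.SafeLine.ApiToken // audited with the provider fields
	for k, v := range section {
		if v == "" || strings.HasPrefix(v, "your-") {
			out = append(out, k+" is empty or still a template placeholder")
		}
	}
	return out, nil
}

func main() { // constructed sample: trimmed template from step 3, checked as mode 0644
	fmt.Println(auditConfig([]byte(`{"ApplyCert":{"SavePath":"/tmp/ssl","DNSProviderConfig":{"DNSProvider":"RainYun","RainYun":{"ApiKey":"your-api-key"}}}}`), 0o644))
}
```

In real use, pass the bytes from `os.ReadFile` and the mode from `os.Stat(path).Mode()` for the config path given to the cron job.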

🧪 Example Output

Before execution:

Certificates close to expiry (under 90 days)

Log output after running the tool:

[SUCCESS] 2025/04/15 21:36:07 SafeLine config validated!
[INFO]    2025/04/15 21:36:08 Starting certificate renewal...
[INFO]    2025/04/15 21:36:10 Using DNS-01 challenge for domain [www.doicat.com]
[INFO]    2025/04/15 21:36:14 DNS record propagation successful
[SUCCESS] 2025/04/15 21:36:43 Certificate for [www.doicat.com] updated!

After execution:

Certificates renewed successfully ✅


✍️ Final Thoughts

This simple Go tool solves a real-world pain: automating SSL renewals for SafeLine WAF. If you’re tired of getting those “certificate expired” warnings, this tool’s for you.

The project is still evolving—feel free to contribute or suggest improvements on GitHub!

Top comments (1)

Furqan Hamid • Edited

I’ve been struggling with manually renewing SSL certificates every few months on SafeLine WAF. While it supports Let’s Encrypt, the lack of auto-renewal has caused unnecessary downtime. This Go-based tool using DNS-01 challenge truly helped me to simplify and automate the process for this loungewear-based website. Thanks for this valuable work.