Download a Certificate
sslmate download HOSTNAME
The following files will be downloaded to the configured certificate directory, overwriting existing files with the same names:
example.com.crt- the certificate
example.com.chain.crt- the certificate chain (aka intermediate cert)
example.com.chained.crt- a concatenation of the certificate and the chain, for convenience
To download more than one certificate at once, specify multiple names on the command line to
sslmate download. Pass the
--all option in lieu of hostnames to download the certificate for every key in your key directory.
Normally, you do not need to run
sslmate download because
sslmate buy downloads these files automatically. Instead,
sslmate download is intended to be placed in a cron job or a configuration management script to ensure that your servers always have the most up-to-date copy of your certificates. Thus, your can set your certificates to automatically renew and the renewed certificates will automatically propagate to your servers.
sslmate download exits with one of the following status codes:
- 0 - new certificate files were downloaded
- 10 - the current certificate files are up-to-date
- other - an error occurred
You can use this exit status in your script to determine whether to restart services that use the certificate.
Example Cron Job
The following script could be placed in a file in
/etc/cron.daily (make sure the script is executable):
if sslmate download --all > /dev/null
service apache2 restart > /dev/null
Every day, this script will attempt to download new certificates for every key in your key directory. If new certificates are downloaded, Apache will be restarted. For this to work, Apache must refer to the certificate files with their standard names in the SSLMate certificate directory (
/etc/sslmate by default).
sslmate download from a cron job, you must have a
/etc/sslmate.conf configuration file containing your SSLMate API credentials. Note that
sslmate might not read your
/root/.sslmate file when run from cron, although you can force it to do so by adding
export SSLMATE_CONFIG=/root/.sslmate to the beginning of your script.