OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: greY on January 09, 2026, 02:15:38 PM

Title: os-acme-client 4.11 on Business Edition
Post by: greY on January 09, 2026, 02:15:38 PM
Hi,
I'm running OPNsense Business Edition 25.10.1_2 and noticed that the Community Edition already ships os-acme-client 4.11, which includes additional DNS providers (Hetzner Cloud).

On Business, the plugin is still on an older version and the provider is therefore not available.

My question:
Is there any supported way to pull os-acme-client 4.11 into the current Business release (25.10.1_2), or is this strictly tied to the Business plugin freeze and only possible with a future Business update?
Title: Re: os-acme-client 4.11 on Business Edition
Post by: franco on January 09, 2026, 03:56:21 PM
You can always install the community one:

# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/MINT/25.7.10/latest/All/acme.sh-3.1.2.pkg
# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/MINT/25.7.10/latest/All/os-acme-client-4.11.pkg


Cheers,
Franco
Title: Re: os-acme-client 4.11 on Business Edition
Post by: greY on January 09, 2026, 11:35:59 PM
Thanks Franco!

I followed your suggestion and the upgrade itself worked fine (installed the CE packages via pkg add -f and the ACME client is now on the newer version).

However, the DNS-01 flow still fails and the logs show that acme.sh is still using the old Hetzner DNS API endpoint:

it calls https://dns.hetzner.com/api/v1/zones?...

resulting in Error adding TXT record ... Invalid domain

From what I can see, the upstream acme.sh implementation for Hetzner Cloud DNS uses the new Cloud API (https://api.hetzner.cloud/v1/...) in dns_hetznercloud.sh, e.g.: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_hetznercloud.sh

So it looks like the plugin update did not bring in the expected dns_hetznercloud behavior (or the OPNsense-packaged acme.sh dnsapi scripts differ from upstream / are not updated accordingly).
Title: Re: os-acme-client 4.11 on Business Edition
Post by: franco on January 10, 2026, 09:33:59 AM
I can offer you the latest code we shipped. If that's not what you want from upstream acme.sh you need to patch the file manually because it looks like they did not release it yet?

In general it helps to get the data straight before experimenting if the change one wants is actually there.


Cheers,
Franco
Title: Re: os-acme-client 4.11 on Business Edition
Post by: greY on January 10, 2026, 10:41:29 PM
Meanwhile, I checked the files and the version seems to be the new one (the one I deployed, mentioned in my last post).

It looks more like strange behaviour in the GUI / Configuration.


In the OPNsense ACME GUI, the DNS provider hetznercloud is explicitly selected. Despite that, ACME behaves like the legacy hetzner provider.

This is clearly visible in the acme.sh logs, which show usage of the legacy DNS API endpoint:

2026-01-10T22:20:58 acme.sh[Sat Jan 10 22:20:58 CET 2026]
url='https://dns.hetzner.com/api/v1/zones?name=org'


The same behavior occurs in both Business and Community editions of OPNsense.

I compared the file dns_hetznercloud.sh against the upstream version from the acme.sh GitHub repository, and it looks correct and up to date.


When hetznercloud is selected in the GUI, acme.sh should use the Hetzner Cloud DNS API via: https://api.hetzner.cloud/v1 as documented in the current Hetzner Cloud DNS API reference.

Is it possible that there is an issue in the OPNsense ACME GUI mapping, where selecting hetznercloud still triggers the legacy hetzner provider internally (or passes the wrong parameters to acme.sh)?