Messages - fraenki

#1
If you want to dive even deeper: try to query the TrueNAS API endpoint "system.ready" using `curl` and your API key. The API documentation is available here:
https://www.truenas.com/docs/api/scale_websocket_api.html
It should make the root cause more obvious, but crafting the `curl` command might be a challenge.
#2
Quote:
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Verify API key.
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.

If you're seeing this message, it means that os-acme-client is working perfectly fine.

This error message is raised by acme.sh when a communication error with your TrueNAS occurred:
https://github.com/acmesh-official/acme.sh/blob/7735cdf3abe84bce8c1e37e7fa46c71e38606262/deploy/truenas_ws.sh#L219
This code checks the "system.ready" TrueNAS API endpoint and seems to receive an error or invalid result.

I can't give you any advice for setting up TrueNAS. Maybe you need to configure something to make the TrueNAS websocket API work.
#3
Quote: although I'm not sure that's the problem here

This issue is unrelated to the rename hiccup. 😊

Quote:
> [Mon May 4 18:02:46 CEST 2026] TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable.

I have tested this and was unable to reproduce this issue.
Please try again and provide the full ACME Log and all "AcmeClient" entries from the System Log.
#5
The script received an update with many bug fixes and improvements.
#6
Hi,

I've started working on an unofficial script to convert legacy IPsec configurations to new IPsec Connections:
https://github.com/fraenki/opnsense-ipsec-converter

It will probably not work on complex configurations, but it may be a good starting point for some.
I can't spend much time on improving it, but I'll gladly review any PR. :)

Please don't ask the OPNsense developers for support when using this script. Thanks!


Ciao
- Frank
#7
It looks like you're using an HTTP-01 challenge type in ACME. I recommend using DNS-01; it is much more reliable.
#8
Quote from: blacksteel1288 on February 04, 2024, 05:41:33 PM
I'm now seeing a duplicate certificate for one domain in the HAProxy Public Service Certificates, even though there is only 1 certificate for that domain in the ACME plugin list. 

os-haproxy displays all certificates from System->Trust->Certificates. You need to check this page to get more details about the duplicate certificate.

Besides that, os-acme-client will also log a message if a certificate is imported into System->Trust->Certificates, so you should be able to trace this.
#10
Plugin maintainer here. I don't plan another overhaul of the HAProxy plugin GUI. ;D So if anyone wants to start building documentation, yes, please go ahead. Or if you think that some information could be added to one of the "introduction" pages, please submit your suggestion on GitHub...

I may review documentation (GitHub pull requests), but I can't put any effort into writing documentation in the foreseeable future. That being said, there's some good documentation out there...

Ciao
- Frank
#11
Quote from: blacksteel1288 on November 07, 2022, 02:26:03 PM
@fraenki, my router is headless.  Is there any other way of finding the failed on startup message logs?

AFAICT, no. If you have a serial console, you would still be able to see all boot messages...
#12
Quote from: blacksteel1288 on November 06, 2022, 03:12:06 PM
Is there another logfile from the startup process?

AFAIK, the console messages from the "service" command are not recorded anywhere.

You may have to watch the console during the boot process. Maybe make a video in order to not miss the HAProxy error message.


Ciao
- Frank
#13
Quote from: blacksteel1288 on November 03, 2022, 07:58:22 PM
A related message in the log looks like this:


[1ff53fdb-8812-4a5b-bd04-04cddac2fa89] Script action failed with Command
  'configctl template reload OPNsense/HAProxy 2 > /dev/null;
  /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json '
returned non-zero exit status 1.


This message is unrelated to HAProxy startup problems. It is the "cert_sync_bulk" action, which is either triggered by a cron job or the related GUI button.

That said, we need to get more information to find out why HAProxy is not starting. I'd suggest running the following command on the OPNsense shell as user root:


service haproxy start


The output should contain hints about the startup issue.


Ciao
- Frank
#14
os-haproxy version 3.12 will include GUI options to enable the Prometheus exporter:
https://github.com/opnsense/plugins/issues/2764#issuecomment-1287528782
#15
Thanks for providing a test build!

Unfortunately I will not be able to test it in the upcoming weeks. Maybe someone else could test it?
Be sure to change the tunable net.inet.tcp.sack.enable back to "1" in order to see if the new build solves this issue.