Messages - eric01

#1
Yes, it is possible, but it requires a little work. Once the certificate is in TrueNAS etc/certificates, using the TrueNAS CLI is the easiest way to replace it.

Summary

  • Generate a TrueNAS API key/SSH keypair
  • Configure an ACME Automation
  • Configure a cron job/script on TrueNAS to change the certificate (and restart web)

Expanded
1. Follow the documentation to generate a TrueNAS API key and generate an SSH keypair.

2. Within the ACME plugin on OPNsense, setup an Automation to run "Upload certificate to TrueNAS Core Server". This works the same for Scale.

3. Cron/script whatever you like. My one is as follows:
Daily cron
/bin/cli -c "system general update ui_certificate=$(find /etc/certificates/*.key | wc -l)" && /bin/cli -c "system general ui_restart"

Run the TrueNAS CLI to update the certificate ID to the same number of files found with search context '/etc/certificates/*.key', which in my case will always be the same as intended (e.g. imported certificate 2 will also be ID 2, imported certificate 3 will be ID 3, and so on), and if that command doesn't error, then restart the web UI.

Some drawbacks on this method:

  • If TrueNAS is down when the Automation runs, you need to manually push again (via the Automation run).
  • Web UI is restarted every day
  • This cron job won't work if TrueNAS maintains other/many certificates
  • This cron job doesn't clean up expired certs (yet)

Note regarding multiple requests for the same certificate:
A couple of services independently requesting the same certificate won't hit rate limits, but if you start climbing to 5+ you might start hitting the 5 duplicate certificates/week limit. Still easily resolved for a few more services by staggering the request day.


edit:
Might not have had the Automation option when the OP raised this. https://github.com/opnsense/plugins/issues/3421
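The post above picks the UI certificate ID by counting key files, which the author notes breaks once TrueNAS holds other certificates and restarts the web UI every day. The script below is an added example, not the poster's cron job or anything shipped by TrueNAS or OPNsense: it asks the middleware for the certificate list, selects the newest unexpired certificate by name, and only updates and restarts the UI when the selection actually changed. Assumptions, labelled in the code: `midclt call <method> [json-args]` is available on the TrueNAS host and prints JSON; `certificate.query` returns objects with at least `id`, `name`, `expired` and `certificate`; `system.general.config` reports the current `ui_certificate`; and the ACME upload names its certificates with a prefix (the `NAME_PREFIX` value is a placeholder you must set to whatever your Automation uses). The sample certificate list is constructed for demonstration.

```python
"""Select the TrueNAS web UI certificate by name instead of by counting key files.

Added example (not the forum poster's script). Assumptions:
- `midclt call <method> [json-args]` exists on the TrueNAS host and prints JSON.
- certificate.query returns dicts with "id", "name", "expired" and "certificate".
- system.general.config returns "ui_certificate" (dict with "id", or a bare id).
- Certificates imported by the OPNsense ACME Automation share a name prefix.
"""
import json
import subprocess
import sys

NAME_PREFIX = "acme"  # ASSUMPTION: set to the prefix your ACME upload actually uses


def pick_certificate_id(certs, name_prefix=NAME_PREFIX):
    """Return the id of the highest-numbered (most recently imported) certificate
    whose name starts with name_prefix, is not expired and is a real certificate
    (not a CSR-only entry). None if nothing matches."""
    candidates = [
        c for c in certs
        if str(c.get("name", "")).startswith(name_prefix)
        and not c.get("expired", False)
        and c.get("certificate")
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c["id"])["id"]


def expired_certificate_ids(certs, keep_id):
    """Ids of expired certificates that are candidates for cleanup; never the
    certificate currently selected for the UI."""
    return sorted(c["id"] for c in certs if c.get("expired") and c["id"] != keep_id)


def current_ui_certificate_id(general_config):
    """system.general.config may return ui_certificate as an object or a bare id."""
    cur = general_config.get("ui_certificate")
    return cur.get("id") if isinstance(cur, dict) else cur


def midclt(method, *args):
    """Run a middleware call via midclt; each argument is passed as JSON."""
    cmd = ["midclt", "call", method] + [json.dumps(a) for a in args]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


# Constructed sample of what certificate.query might return, for offline reading.
SAMPLE_CERTS = [
    {"id": 1, "name": "truenas_default", "expired": False, "certificate": "-----BEGIN..."},
    {"id": 2, "name": "acme_nas_2023", "expired": True, "certificate": "-----BEGIN..."},
    {"id": 3, "name": "acme_nas_2024", "expired": False, "certificate": "-----BEGIN..."},
    {"id": 4, "name": "acme_pending", "expired": False, "certificate": None, "CSR": "..."},
]


def main():
    certs = midclt("certificate.query")
    new_id = pick_certificate_id(certs)
    if new_id is None:
        sys.exit(f"no unexpired certificate named {NAME_PREFIX}* found; nothing changed")
    old_id = current_ui_certificate_id(midclt("system.general.config") or {})
    if old_id == new_id:
        print(f"ui_certificate already {new_id}; skipping restart")
    else:
        midclt("system.general.update", {"ui_certificate": new_id})
        midclt("system.general.ui_restart")
        print(f"ui_certificate {old_id} -> {new_id}; web UI restarted")
    stale = expired_certificate_ids(certs, new_id)
    if stale:
        # Listed only; delete by hand after checking nothing else references them.
        print("expired certificates that could be removed:", stale)


if __name__ == "__main__":
    main()
```

Run it from the same daily cron in place of the one-liner. Because the restart happens only when the selected ID differs from the one already configured, the daily restart drawback disappears, and selecting by name rather than by file count keeps working when TrueNAS holds certificates for other services. Expired certificates are printed rather than deleted so the script cannot remove something another service still uses.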
#2
General Discussion / Re: Config third DNS in DHCP
March 02, 2023, 10:03:43 AM
I had trouble understanding the instructions but now that I have it working, I wanted to help elucidate.

RFC 2132 3.8 says use option "6", minimum length is 4 octets, and length must always be a multiple of 4 [octets]. Servers should be listed in order of preference.

Convert the individual IP addresses you want with a Hex to IP converter

  • e.g:
    192.168.0.1 = c0:a8:00:01
    192.168.0.2 = c0:a8:00:02
    192.168.0.3 = c0:a8:00:03
    Some tools use periods[.] instead of colons[:]. Ensure you replace any symbol with colon[:]
  • In the order of server preference, concatenate the hex values together using colon[:] as the separator, e.g.
    192.168.0.1 + 192.168.0.2 + 192.168.0.3 =
    c0:a8:00:01:c0:a8:00:02:c0:a8:00:03

In the OPNsense GUI, under DHCPv4 configuration:

  • Leave the GUI option for DNS Servers blank
  • Expand Additional Options
  • Input 6 into the Number field
  • Change Type to string
  • Enter the concatenated string into value, e.g. c0:a8:00:01:c0:a8:00:02:c0:a8:00:03
  • Save, renew IP, check. In Windows, that would be ipconfig /renew; ipconfig /all

Troubleshooting

  • In Windows, ipconfig /renew will return: "An error occurred while renewing interface <your interface> : The data is invalid." if your configuration is incorrect, e.g. using multiple line entries will override with the last entry instead of giving you multiple servers.
  • If you only see one address, you probably didn't clear the GUI fields, or you only entered one set of octets.
  • If you want to verify the hex values we've used, split the string back into 4 octets or you'll get a 0.0.0.xx when converting the concatenated string to IP

Thanks for the assistance @xbb et al. :)
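The conversion described in the post above, as an added example that is not part of the original post or of OPNsense: it encodes any list of IPv4 addresses, in preference order, into the colon-separated hex string the Additional Options field expects, and decodes such a string back to addresses so you can verify what you typed. The decoder enforces the RFC 2132 option 6 length rule (at least 4 octets, a multiple of 4), which is the case the "The data is invalid" renewal error points at, and accepts period-separated hex as well. The sample addresses are the ones used in the post.

```python
"""Encode/decode DHCP option 6 (Domain Name Server) values for the OPNsense
Additional Options field. Added example, not OPNsense code."""
import ipaddress


def encode_dns_servers(servers):
    """Return the colon-separated hex string for the given IPv4 addresses,
    preserving order (RFC 2132 3.8: servers listed in order of preference)."""
    if not servers:
        raise ValueError("option 6 needs at least one server (minimum length 4 octets)")
    octets = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return ":".join(f"{b:02x}" for b in octets)


def decode_dns_servers(value):
    """Split an option 6 hex string (colon or period separated) back into
    dotted-quad addresses. Raises ValueError if the length is not a
    non-zero multiple of 4 octets, which a client would reject as invalid."""
    parts = value.strip().replace(".", ":").split(":")
    if len(parts) % 4 != 0 or not parts[0]:
        raise ValueError(f"{len(parts)} octets is not a non-zero multiple of 4")
    octets = bytes(int(p, 16) for p in parts)
    return [str(ipaddress.IPv4Address(octets[i:i + 4])) for i in range(0, len(octets), 4)]


def is_valid_option6(value):
    """True if the string would be accepted as a well-formed option 6 value."""
    try:
        decode_dns_servers(value)
        return True
    except ValueError:
        return False


# Sample input from the post; constructed for demonstration.
SAMPLE_SERVERS = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]

if __name__ == "__main__":
    value = encode_dns_servers(SAMPLE_SERVERS)
    print("Enter into Additional Options, number 6, type string:", value)
    print("Decodes back to:", decode_dns_servers(value))
    # A string truncated to 7 octets is what produces the Windows renewal error.
    print("7-octet string valid?", is_valid_option6("c0:a8:00:01:c0:a8:00"))
```

If you already have a string in the GUI, feed it to `decode_dns_servers` before saving: a result that is not the server list you intended, or a length error, is the mistake the troubleshooting section describes.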