Messages - Matthew_Kent

#1
Hi,

I have the ACME client installed, using a locally hosted CA (smallstep). The cert is renewed successfully if I manually refresh, but it never triggers to automatically renew. The logs read that renewal is not required, although there is less than 1 day remaining on my cert.

Any help / pointers greatly appreciated.

Cert Expiry:
Validity
Not Before: Fri, 20 Mar 2026 09:53:13 GMT
Not After: Fri, 24 Apr 2026 09:54:13 GMT

Manual refresh - OK:
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Installing full chain to: /var/etc/acme-client/certs/691b0b09b8ce58.18644849/fullchain.pem
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Installing key to: /var/etc/acme-client/keys/691b0b09b8ce58.18644849/private.key
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Installing CA to: /var/etc/acme-client/certs/691b0b09b8ce58.18644849/chain.pem
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Installing cert to: /var/etc/acme-client/certs/691b0b09b8ce58.18644849/cert.pem
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] And the full-chain cert is in: /var/etc/acme-client/cert-home/691b0b09b8ce58.18644849/opnsense.mpkc.local/fullchain.cer
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] The intermediate CA cert is in: /var/etc/acme-client/cert-home/691b0b09b8ce58.18644849/opnsense.mpkc.local/ca.cer
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Your cert key is in: /var/etc/acme-client/cert-home/691b0b09b8ce58.18644849/opnsense.mpkc.local/opnsense.mpkc.local.key
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Your cert is in: /var/etc/acme-client/cert-home/691b0b09b8ce58.18644849/opnsense.mpkc.local/opnsense.mpkc.local.cer
2026-03-20T09:54:14 acme.sh [Fri Mar 20 09:54:14 GMT 2026] Cert success.
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Le_LinkCert='https://ca.mpkc.local/acme/acme/certificate/88gNu3LXl0Rw34e3zQ8TEssh92BMXQzP'
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Downloading cert.
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Le_OrderFinalize='https://ca.mpkc.local/acme/acme/order/pO5gl8eJAgmjIz3t1GebzGEKEpAiI3ii/finalize'
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Let's finalize the order.
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Verification finished, beginning signing.
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Success
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Verifying: opnsense.mpkc.local
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Getting webroot for domain='opnsense.mpkc.local'
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Single domain='opnsense.mpkc.local'
2026-03-20T09:54:13 acme.sh [Fri Mar 20 09:54:13 GMT 2026] Using CA: https://ca.mpkc.local/acme/acme/directory

ACMEClient says "Not Required":
2026-04-23T04:12:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.mpkc.local
2026-04-22T04:12:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.mpkc.local
2026-04-21T04:12:00
#2
25.7, 25.10 Legacy Series / Re: Continual issues updating
February 05, 2026, 10:53:29 AM
Apologies for reviving a slightly older thread, but I have just updated (to 26.1.1) using the 'curl' method without issue, after failed attempts through the GUI, and using 'fetch'.

Many thanks for your help franco, and I hope this helps others in the future.

Matt
#3
That's great, of course just after I posted, the update worked through the GUI.  But next time I will try manually to test.

Many thanks.
#4
Quote from: franco on December 04, 2025, 03:23:02 PM
For some reason (lib)fetch has issues with LTE connections. The package manager itself switched to libcurl. I assume your packages updated fine and you're left struggling with how to update the base/kernel? If so I can show you the manual commands to update (and downloading the sets with curl).


Cheers,
Franco

I'm back again as 25.7.11 has been released and I'm again failing to update over LTE.  Is there a way of downloading the binaries manually?
#5
25.7, 25.10 Legacy Series / Re: Continual issues updating
December 04, 2025, 06:24:33 PM
I do quite often have issues with the packages too (but seemingly only the larger ones {mainly Crowdsec}).  Knowing the manual command would be useful if you'd care to share.  May be of help to others on LTE connections in the future too.

Thanks,
Matt
#6
25.7, 25.10 Legacy Series / Re: Continual issues updating
December 04, 2025, 02:25:37 PM
Yes.  The only connection I can get here is via a 5G connection.  I can manually download the files fine from the distribution sites, so was wondering if I just download them and then SCP them to the correct location it will save the firewall from having to do the download.
#7
Hi all,

I've been having repeated errors with the update process, both with packages and with the base update.  Usually after several attempts, and multiple swapping of mirrors, it finally succeeds.  Is it possible for me to manually copy the update files and signatures to the firewall?

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.8 (amd64) at Thu Dec  4 08:30:26 GMT 2025
<snip>
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Fetching base-25.7.8-amd64.txz: ............ failed, signature invalid
***DONE***