26.1.7_2: issue with ACME client automation upload to TrueNAS websocket API

Started by Rene78, May 04, 2026, 07:31:11 PM

Hi,

I have a working ACME client setup with a wildcard Let's Encrypt certificate for my domain. Also have a working nginx based reverse proxy to three services. Those services are running on a TrueNAS SCALE 25.10.3 (latest patch) system.

While all HTTPS access to the services is working fine through nginx with A+ trusted HTTPS (reverse proxy handles upstream stuff on the LAN to TrueNAS), the services on the TrueNAS system still use self-signed certs from the TrueNAS box.

Now, while not essential (I trust my home LAN ;-)) I am trying to get the whole certificate chain proper. Just a hobby thing.

Therefore I made an API key (root) on my TrueNAS and created the automation in the ACME client. Used the websocket (not deprecated one). Filled in all the fields, which are self-explanatory. Reran the automations from the commands in OPNsense but the upload errors out.

[Mon May 4 18:02:46 CEST 2026] TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable.

I tried all automation modes (none, ws and wss) but error remains. The API key is really in the appropriate field. The plugin however does not seem to set the value from the field in the environment variable.

I am a little at hand (no ssh) from my phone currently so no CLI attempt possible.

Anybody recognize this? Seems a bug...



It will be fixed in the next version. You can use the deprecated one until then. TrueNAS 26+ deprecates it.

There was an unintended issue with our merge tooling (on a case insensitive file system) that ended up in the file not being renamed correctly although I'm not sure that's the problem here:

https://github.com/opnsense/plugins/commit/251c7a5e93

It was since hotfixed but perhaps it needs a reinstall if you caught the other version:

# opnsense-revert os-acme-client

Could be unrelated, though.


Cheers,
Franco

Quote: although I'm not sure that's the problem here

This issue is unrelated to the rename hiccup. 😊

Quote: [Mon May 4 18:02:46 CEST 2026] TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable.

I have tested this and was unable to reproduce this issue.
Please try again and provide the full ACME Log and all "AcmeClient" entries from the System Log.


Quote: I have tested this and was unable to reproduce this issue. Please try again and provide the full ACME Log and all "AcmeClient" entries from the System Log.

I can do this when I have computer access again in a few days.

However, sopex mentions it will be fixed in the next version.... This indicates a bug...

Maybe the setenv variable had been set in your case earlier and therefore it works? Is that possible?

Regardless, I'll dig into it in a few days' time and help out isolating any issue. Thanks



Quote from: Rene78 on May 05, 2026, 07:16:09 PM: However, sopex mentions it will be fixed in the next version.... This indicates bug...


I made the TrueNAS websocket addition and it was working, but then there were some complications with the naming conventions that fraenki fixed.

So I jumped the gun, and thought something broke there.

But if Frankie says it's not that, he is correct.

Quote: But if Frankie says it's not that, he is correct.

Copy all. I'll try and get all the logs on the forum asap.

OK... So, I flicked open my iPad and tried again, as suggested.

Firstly I tested the deprecated API system. That worked as expected when filling in the values and with a new API-key. Used the HTTPS scheme and it exported the certificate as it should. No errors. Ohh, and leaving out the "X-" integer index does break the API and generated an API key error. Tested both, so answered my own question.

ACME log working:
2026-05-05T20:59:25 acme.sh [Tue May 5 20:59:25 CEST 2026] Success
2026-05-05T20:59:25 acme.sh [Tue May 5 20:59:25 CEST 2026] Reloading TrueNAS web UI
2026-05-05T20:59:25 acme.sh [Tue May 5 20:59:25 CEST 2026] Deleting old certificate
2026-05-05T20:59:25 acme.sh [Tue May 5 20:59:25 CEST 2026] FTP certificate is not configured or is not the same as TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] Checking if FTP certificate is the same as the TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] S3 certificate is not configured or is not the same as TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] Checking if S3 certificate is the same as the TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] WebDAV certificate is not configured or is not the same as TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] Checking if WebDAV certificate is the same as the TrueNAS web UI
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] Current activate certificate ID: 5
2026-05-05T20:59:24 acme.sh [Tue May 5 20:59:24 CEST 2026] Fetching list of installed certificates
2026-05-05T20:59:21 acme.sh [Tue May 5 20:59:21 CEST 2026] Uploading new certificate to TrueNAS
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] Getting current active certificate from TrueNAS
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] Detected TrueNAS system version: unknown
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] Detected TrueNAS system os: unknown
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] Getting TrueNAS version
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] TrueNAS system state: "READY".
2026-05-05T20:59:20 acme.sh [Tue May 5 20:59:20 CEST 2026] Testing Connection TrueNAS

Knowing that the deprecated API HTTPS scheme works gives confidence in the input fields. Using the same API key, but now with the websocket (ws, wss, none) results in a different error now. The environment variables seem OK, but it is 100% the same API key that works in HTTPS scheme. I cloned the working HTTPS one. And double checked.

The ACME log:
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Error encountered while deploying.
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Error deploying for domain: *.<REDACTED>.nl
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Verify API key.
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] TrueNAS is not ready.
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Checking TrueNAS health...
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Environment variables: OK
2026-05-05T21:12:22 acme.sh [Tue May 5 21:12:22 CEST 2026] Checking environment variables...

System log in ACME client:
2026-05-05T21:12:22 opnsense AcmeClient: running acme.sh deploy hook failed (acme_truenas_ws)
2026-05-05T21:12:22 opnsense AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/67e6acd371dce3.58753914' --certpath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/cert.pem' --keypath '/var/etc/acme-client/keys/67e6acd371dce3.58753914/private.key' --capath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/chain.pem' --fullchainpath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/fullchain.pem' --domain '*.<REDACTED>.nl' --ecc --deploy-hook truenas_ws --insecure'
2026-05-05T21:12:22 opnsense AcmeClient: running automation (acme.sh): TrueNAS-export
2026-05-05T21:12:22 opnsense AcmeClient: running automations for certificate: *.<REDACTED>.nl

Yesterday the ACME logs were different doing the same. Does this have something to do with setenv being done once (at the HTTPS scheme that worked) and that the system now has an API key but with older value..? I tested the old scheme first today to check my understanding before retrying the Websocket with new key. So, initialization thing?

ACME logs yesterday:
2026-05-04T20:48:12 acme.sh [Mon May 4 20:48:12 CEST 2026] Error encountered while deploying.
2026-05-04T20:48:12 acme.sh [Mon May 4 20:48:12 CEST 2026] Error deploying for domain: *.<REDACTED>.nl
2026-05-04T20:48:12 acme.sh [Mon May 4 20:48:12 CEST 2026] TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable.
2026-05-04T20:48:12 acme.sh [Mon May 4 20:48:12 CEST 2026] Checking environment variables...

System logs yesterday:
2026-05-04T20:48:12 opnsense AcmeClient: running acme.sh deploy hook failed (acme_truenas_ws)
2026-05-04T20:48:12 opnsense AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/67e6acd371dce3.58753914' --certpath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/cert.pem' --keypath '/var/etc/acme-client/keys/67e6acd371dce3.58753914/private.key' --capath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/chain.pem' --fullchainpath '/var/etc/acme-client/certs/67e6acd371dce3.58753914/fullchain.pem' --domain '*.<REDACTED>.nl' --ecc --deploy-hook truenas_ws --insecure'
2026-05-04T20:48:12 opnsense AcmeClient: running automation (acme.sh): TrueNAS_cert
2026-05-04T20:48:12 opnsense AcmeClient: running automations for certificate: *.<REDACTED>.nl
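
Added example, not part of any post in this thread and not OPNsense or acme.sh code: a small triage helper that reads the two failing truenas_ws ACME logs quoted above (newest line first) and reports which stage the deploy hook reached before it failed. The function name `triage`, the stage labels and the embedded sample strings are assumptions made for this illustration; the matched messages are the ones visible in the logs.

```python
import re

# Constructed sample input: the two failing truenas_ws runs quoted in the thread,
# newest line first, as the OPNsense log view lists them.
RUN_MAY_4 = """\
2026-05-04T20:48:12acme.sh [Mon May 4 20:48:12 CEST 2026] Error encountered while deploying.
2026-05-04T20:48:12acme.sh [Mon May 4 20:48:12 CEST 2026] Error deploying for domain: *.<REDACTED>.nl
2026-05-04T20:48:12acme.sh [Mon May 4 20:48:12 CEST 2026] TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable.
2026-05-04T20:48:12acme.sh [Mon May 4 20:48:12 CEST 2026] Checking environment variables...
"""
RUN_MAY_5 = """\
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Error encountered while deploying.
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Error deploying for domain: *.<REDACTED>.nl
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Verify API key.
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] TrueNAS is not ready.
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Checking TrueNAS health...
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Environment variables: OK
2026-05-05T21:12:22acme.sh [Tue May 5 21:12:22 CEST 2026] Checking environment variables...
"""

# Timestamp, optional space, process name, bracketed date, then the message.
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\s*acme\.sh \[[^\]]*\] (.*)$")
# Progress and failure messages as they appear in the thread's logs (labels are hypothetical).
STAGES = {
    "Checking environment variables...": "env_check",
    "Environment variables: OK": "env_ok",
    "Checking TrueNAS health...": "health_check",
}
FAILURES = {
    "TrueNAS API key not found": "api_key_not_passed_to_hook",
    "TrueNAS is not ready.": "health_check_failed",
}

def triage(log_text, newest_first=True):
    """Return the last stage the deploy hook reached and the first failure it logged."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    msgs = [m.group(1) for m in matches if m]
    if newest_first:
        msgs.reverse()  # the log view is reverse-chronological
    last_stage = failure = None
    for msg in msgs:
        for marker, name in STAGES.items():
            if msg.startswith(marker):
                last_stage = name
        for marker, name in FAILURES.items():
            if failure is None and msg.startswith(marker):
                failure = name
    return {"last_stage": last_stage, "failure": failure}
```

On the two samples, the May 4 run stops at the variable check with the API key missing, while the May 5 run passes that check and fails at the TrueNAS health check, which is where the log asks to check DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.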