OPNCentral: Automatic Certificate Push for WebUI not working

Started by ig-it1342, June 19, 2026, 09:45:51 PM

Hi everyone,

Recently, the update mechanism for pushing SSL certificates to OPNCentral-managed hosts from the main host seems to have stopped working.

Unfortunately, I don't precisely know which versions broke the functionality; however, it is not working at least on the latest 26.4.1 patch.

The host is configured as follows:

This is the certificate configured on the provisioning:

The provisioning for Web GUI is apparently complete (no new data):

However, the certificate is not set in the Web GUI config of the Host, and is nowhere to be found in the Certificate store:



Both firewalls were restarted and updated, and I manually tried to start the provisioning, but nothing happens.

No related log lines / errors are present in the system log of either firewall.

Has anyone experienced the same issue recently?

---

Versions: Both firewalls are running


OPNsense 26.4.1-amd64
FreeBSD 14.3-RELEASE-p15
OpenSSL 3.0.21


with plugin versions

os-OPNBEcore    1.8_2
os-OPNcentral    1.12_2

Hello,

I am not sure if this is related, since the ACME client (issuing/renewing) and the OPNCentral cert push (distribution) are really separate paths – but in case it helps: after the last two updates I had ACME client trouble too (different DNS provider), which I could clear with a "Reset ACME Client" + "Renew Certificate". Probably not related to the push mechanism you're describing, though.

Cheers,
Marco
--
DEC 740 / Business Edition

We checked the feature internally and it worked fine (minus the ACME-client based cert use). Not sure what's going on. The other end indicates the config is the same... perhaps the wrong node pointed to?


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Hello,

Okay, that is indeed strange. We double-checked all the values again, and everything seems correct; however, it simply does not want to push.

This is the case for all of our 8 firewalls, so the other sites also do not receive a valid certificate.

Is there maybe an internal log / view of the sync process, such that we could debug the issue further?

Thanks in advance

Can you try creating a self-signed certificate and push that to one of the affected OPNsense firewalls? That could rule out that it's a generic problem or related directly to the ACME client.
Hardware:
DEC740