Acme.sh and deploying a certificate

Hallo,

I installed acme.sh on my TrueNAS system, and somehow I got a certificate.

This was on a version before 25.10.01

Now I am on TrueNAS 25.10.0.1 and acme.sh 3.1.3.

But now I must renew my certificate, and this does not work.

--renew-all works fine, but now I have to import the certificate.

truenas_admin@truenas22[/mnt/Tank/Tool/script/deploy-truenas]$ acme.sh --renew-all                                                                                        
[Thu Dec 11 20:49:40 CET 2025] Renewing: '*.lang-w.de'
[Thu Dec 11 20:49:40 CET 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Dec 11 20:49:40 CET 2025] Skipping. Next renewal time is: 2026-02-07T19:43:58Z
[Thu Dec 11 20:49:40 CET 2025] Add '--force' to force renewal.
[Thu Dec 11 20:49:40 CET 2025] Skipped *.lang-w.de
[Thu Dec 11 20:49:40 CET 2025] Renewing: '*.lang-w.de'
[Thu Dec 11 20:49:40 CET 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Dec 11 20:49:40 CET 2025] Skipping. Next renewal time is: 2026-02-08T18:08:17Z
[Thu Dec 11 20:49:40 CET 2025] Add '--force' to force renewal.
[Thu Dec 11 20:49:40 CET 2025] Skipped *.lang-w.de_ecc

I run /mnt/Tank/Tool/script/.acme.sh/acme.sh --cron weekly, but this also does not deploy the certificate.

Now I read something about acme.sh --deploy-hook truenas_ws

But how to use it?

truenas_admin@truenas22[/mnt/Tank/Tool/script/deploy-truenas]$ acme.sh --insecure --deploy -d '*.lang-w.de' --deploy-hook truenas_ws                              
[Thu Dec 11 20:55:48 CET 2025] Checking environment variables...
[Thu Dec 11 20:55:48 CET 2025] TrueNAS protocol not set. Using 'ws'.
[Thu Dec 11 20:55:48 CET 2025] Environment variables: OK
[Thu Dec 11 20:55:48 CET 2025] Checking TrueNAS health...
Websocket client error: ValueError('scheme https is invalid')
Traceback (most recent call last):
  File "/usr/bin/midclt", line 33, in <module>
    sys.exit(load_entry_point('truenas-api-client==0.0.0', 'console_scripts', 'midclt')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 1026, in main
    with Client(uri=args.uri) as c:
         ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 101, in __init__
    self.__client = client_class(uri, reserved_ports, private_methods, py_exceptions, log_py_exceptions,
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/legacy.py", line 216, in __init__
    raise ClientException(self._connection_error)
truenas_api_client.exc.ClientException: WebSocket connection closed with code=None, reason=None
[Thu Dec 11 20:55:48 CET 2025] TrueNAS is not ready.
[Thu Dec 11 20:55:48 CET 2025] Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.
[Thu Dec 11 20:55:48 CET 2025] Verify API key.
[Thu Dec 11 20:55:48 CET 2025] Error deploying for domain: *.lang-w.de
[Thu Dec 11 20:55:48 CET 2025] Error encountered while deploying.
truenas_admin@truenas22[/mnt/Tank/Tool/script/deploy-truenas]$ 

Can anyone help?


Short answer: check the acme.sh docs. But it’d be something like acme.sh --install-cert -d '*.lang-w.de' --deploy-hook truenas_ws.

Or you can use my script:

Or tnascert-deploy:

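The deploy step the question and the short answer above describe, as an added example that is not from the thread, from acme.sh or from the truenas_ws hook: a wrapper that reads the API key from a restricted file, checks the three variables the hook reports checking, and runs the deploy with the hook named in the thread. ACME_SH, KEYFILE, the key-file location and the wss value are assumptions; the hook's only protocol value shown on this page is ws.

```shell
#!/bin/sh
# Constructed deploy wrapper; not part of acme.sh or its truenas_ws hook.
# Assumptions: ACME_SH points at an installed acme.sh, the API key lives in a
# mode-0600 file, and DEPLOY_TRUENAS_PROTOCOL accepts ws (shown in the log
# above) or wss (assumed). Meant to run from cron after acme.sh --cron.

ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"
DOMAIN="${DOMAIN:-*.lang-w.de}"
KEYFILE="${KEYFILE:-$HOME/.config/truenas-deploy/apikey}"

# Read the API key from a file instead of putting it on the command line or
# in the crontab, and refuse a file that group or others can read.
load_api_key() {
  [ -f "$KEYFILE" ] || { echo "key file $KEYFILE missing" >&2; return 1; }
  if [ -n "$(find "$KEYFILE" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
    echo "refusing $KEYFILE: readable by group/others, chmod 600 it" >&2
    return 1
  fi
  DEPLOY_TRUENAS_APIKEY=$(cat "$KEYFILE")
  export DEPLOY_TRUENAS_APIKEY
}

# Check the three variables the hook itself reports checking. A protocol of
# https is rejected up front: the hook speaks websocket, and the failed run
# above shows midclt refusing "scheme https".
check_deploy_env() {
  [ -n "$DEPLOY_TRUENAS_APIKEY" ] || { echo "DEPLOY_TRUENAS_APIKEY empty" >&2; return 1; }
  [ -n "$DEPLOY_TRUENAS_HOSTNAME" ] || { echo "DEPLOY_TRUENAS_HOSTNAME empty" >&2; return 1; }
  case "${DEPLOY_TRUENAS_PROTOCOL:-ws}" in
    ws|wss) return 0 ;;
    *) echo "DEPLOY_TRUENAS_PROTOCOL must be ws or wss, not '$DEPLOY_TRUENAS_PROTOCOL'" >&2; return 1 ;;
  esac
}

# Run the deploy step. acme.sh records a successful deploy hook in the
# domain's conf and re-runs it on later renewals, so this only needs to
# succeed once by hand; the weekly --cron run then keeps TrueNAS current.
deploy_cert() {
  load_api_key || return 1
  check_deploy_env || return 1
  "$ACME_SH" --deploy -d "$DOMAIN" --deploy-hook truenas_ws
}

if [ "${1:-}" = "run" ]; then
  deploy_cert
fi
```

Because acme.sh persists the deploy settings (API key included) in the domain's .conf so renewals can redeploy, the .acme.sh directory needs the same restricted permissions as the key file. The wrapper also leaves out --insecure, which turns off certificate verification on acme.sh's own HTTPS requests.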

Peter, see my sample-scripts directory at tnascert-deploy. It may be helpful to you in using either tool, @dan's deploy-freenas or tnascert-deploy.

Hi Peter
I am having the same problem.
I don’t really understand why the TrueNAS ACME implementation is so needlessly complicated. Maybe they just assume that everyone uses Cloudflare?

As a comparison, here is how it is implemented in Proxmox.

That is it. So simple.

Proxmox also offers way more providers, from 1984hosting to zonomi. My guess is that it is just every provider implemented in ACME.

I really don’t understand why the TrueNAS implementation is so complicated and at the same time so limited.

To drive people to TrueNAS Connect, apparently. Proxmox isn’t exactly a shining beacon of sanity in this regard, but it’s worlds better than TrueNAS has ever been. I’ve never seen an ACME client implementation anywhere near as user-hostile as that in TrueNAS.


I agree, OPNsense is doing it even simpler than Proxmox:

The current TrueNAS implementation feels insane compared to that.
Sorry @Peter for hijacking your thread to rant. The frustrating part IMHO is that nobody seems to care, which makes me feel like I am the only one and I am the one going insane.

Thank you for bringing it up!

This is pretty much why I run my ACME client on my FreeBSD web server VM. I then deploy my wildcard cert from there to various other web apps that I use including TrueNAS with the deployment hook.

One small success:

I disabled http → https redirection and then it worked a little bit:

truenas_admin@truenas22[~]$ acme.sh --insecure --deploy -d '*.lang-w.de' --deploy-hook truenas_ws                          
[Fri Dec 12 20:55:35 CET 2025] Checking environment variables...
[Fri Dec 12 20:55:35 CET 2025] TrueNAS protocol not set. Using 'ws'.
[Fri Dec 12 20:55:35 CET 2025] Environment variables: OK
[Fri Dec 12 20:55:35 CET 2025] Checking TrueNAS health...
[Fri Dec 12 20:55:43 CET 2025] TrueNAS health: OK
[Fri Dec 12 20:55:43 CET 2025] Gather system info...
[Fri Dec 12 20:55:43 CET 2025] TrueNAS version: 25.10.0.1
[Fri Dec 12 20:55:43 CET 2025] Gather current WebUI certificate...
[Fri Dec 12 20:55:44 CET 2025] Current WebUI certificate ID: 4
[Fri Dec 12 20:55:44 CET 2025] Current WebUI certificate name: Letsencrypt_2025-09-14_072039
[Fri Dec 12 20:55:44 CET 2025] Upload new certificate...
[Fri Dec 12 20:55:44 CET 2025] New WebUI certificate name: acme_20251212_195544
[Fri Dec 12 20:55:45 CET 2025] Trying to upload new certificate...
[Fri Dec 12 20:55:45 CET 2025] New certificate ID: 5
[Fri Dec 12 20:55:45 CET 2025] Replace FTP certificate...
[Fri Dec 12 20:55:46 CET 2025] Replace app certificates...
[Fri Dec 12 20:55:47 CET 2025] Checking app portainer...
[Fri Dec 12 20:55:48 CET 2025] App has certificate option, setup new certificate...
[Fri Dec 12 20:55:48 CET 2025] App will be redeployed after updating the certificate.
[Fri Dec 12 20:55:56 CET 2025] App certificate replaced.
[Fri Dec 12 20:55:56 CET 2025] Checking app paperless-ngx...
[Fri Dec 12 20:55:56 CET 2025] App has no certificate option, skipping...
[Fri Dec 12 20:55:56 CET 2025] Checking app next...
[Fri Dec 12 20:55:57 CET 2025] App has certificate option, setup new certificate...
[Fri Dec 12 20:55:57 CET 2025] App will be redeployed after updating the certificate.
parse error: Invalid numeric literal at line 1, column 7
parse error: Invalid numeric literal at line 1, column 7
parse error: Invalid numeric literal at line 1, column 7
[Fri Dec 12 20:56:36 CET 2025] Job 29613 failed:
[Fri Dec 12 20:56:36 CET 2025] 
[Fri Dec 12 20:56:36 CET 2025] Error deploying for domain: *.lang-w.de
[Fri Dec 12 20:56:36 CET 2025] Error encountered while deploying.
truenas_admin@truenas22[~]$ 

Now I see the old and a new certificate in the WebUI.

But I have to select the new certificate; this is not done automatically.

In my App Nextcloud the certificate changed automatically.

But I don’t want to do this procedure every few months by hand. It should work automatically. And I enabled the http→https redirect again.

I also tried the deploy script from dan (yesterday), but that also results in an error. Now my system is working again, and I don’t want to make additional experiments.
Perhaps I should work with Proxmox, because Nextcloud is also not working with all features. For months I have been trying to get calendar and address book synchronisation working with my Mac and iOS devices. Here I have problems with redirects. It is too advanced for me; I like to test and check some things, but I can’t find a solution.

The setup of acme.sh to get a certificate was relatively easy, but the steps after that are too advanced for me.
