Certificates: Cannot retrieve response

After upgrading from TrueNAS 25.04.2.6 to 25.10.1, the Certificates section malfunctions.

In 25.04.2.6:

In 25.10.1:

Importing a certificate using the Web UI works, but older certificates cannot be deleted.

Updating with deploy_truenas.py from danb35/deploy-freenas on GitHub (a Python script to automate deploying TLS certificates to TrueNAS servers) resulted in the following error:

python /mnt/tank/tls/deploy-freenas/deploy_truenas.py
2025-12-21 02:04:48,581 - root - INFO - ✅ Certificate and private key match.
2025-12-21 02:04:48,593 - websocket - INFO - Websocket connected
2025-12-21 02:05:03,225 - root - INFO - Certificate ng_home-2025-12-21-020448 imported.
2025-12-21 02:05:40,853 - root - INFO - UI certificate updated to ng_home-2025-12-21-020448
2025-12-21 02:05:40,853 - root - INFO - Not setting FTP cert because ftp_enabled is false.
2025-12-21 02:05:40,854 - root - INFO - Not setting app certificates because apps_enabled is false.
Traceback (most recent call last):
  File "/mnt/tank/tls/deploy-freenas/deploy_truenas.py", line 268, in <module>
    certs = c.call("certificate.query")
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 810, in call
    return self.wait(c, callback=callback, job=job, timeout=timeout,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 857, in wait
    raise c.error
truenas_api_client.exc.ClientException: 7 validation errors for CertificateQueryResult
result.list[CertificateQueryResultItem].0.DN
  String should have at most 1024 characters [type=string_too_long, input_value="/C=GB/ST=Greater London/... IP Address:10.27.0.254", input_type=str]
    For further information visit https://errors.pydantic.dev/2.9/v/string_too_long
result.list[CertificateQueryResultItem].1.DN
  String should have at most 1024 characters [type=string_too_long, input_value="/C=GB/ST=Greater London/... IP Address:10.27.0.254", input_type=str]
    For further information visit https://errors.pydantic.dev/2.9/v/string_too_long
result.list[CertificateQueryResultItem].2.DN
  String should have at most 1024 characters [type=string_too_long, input_value="/C=GB/ST=Greater London/... IP Address:10.27.0.254", input_type=str]
    For further information visit https://errors.pydantic.dev/2.9/v/string_too_long
result.list[CertificateQueryResultItem].3.DN
  String should have at most 1024 characters [type=string_too_long, input_value="/C=GB/ST=Greater London/... IP Address:10.27.0.254", input_type=str]
    For further information visit https://errors.pydantic.dev/2.9/v/string_too_long
result.list[CertificateQueryResultItem].4.DN
  String should have at most 1024 characters [type=string_too_long, input_value="/C=GB/ST=Greater London/... IP Address:10.27.0.254", input_type=str]
    For further information visit https://errors.pydantic.dev/2.9/v/string_too_long
result.CertificateQueryResultItem
  Input should be a valid dictionary or instance of CertificateQueryResultItem [type=model_type, input_value=[{'id': 32, 'type': 8, 'n... False, 'parsed': True}], input_type=list]
    For further information visit https://errors.pydantic.dev/2.9/v/model_type
result.int
  Input should be a valid integer [type=int_type, input_value=[{'id': 32, 'type': 8, 'n... False, 'parsed': True}], input_type=list]
    For further information visit https://errors.pydantic.dev/2.9/v/int_type

*** Yes, I know. I have put all the IPs of the subnet ‘10.27.0.0/24’ into the subjectAltName of the cert. I guess that is the reason it fails.

FWIW, I use split-horizon DNS for my homelab. Cloudflare resolves the names for my domain when I’m on the public internet, but on my private subnet I run an Unbound DNS server on my OPNsense router that resolves names for my domain on my LAN. I then use a wildcard cert from Let’s Encrypt which I install in all my private services. It seems like a lot of work to put all those IPs in the SAN field of your cert, and it causes problems with so many, as you’ve found out. This is just an issue with the Python scripts, as there is no max length limitation for the SAN field in an X.509 certificate.


I understand. It’s a pity.

The worst part is, there is no way to remove the problematic certificates unless I revert to an older version of the boot partitions. Even worse, there was an instance where I switched from jailmaker to Docker when I upgraded from 24.10 to 25.10, and I have deleted the jail partitions as everything seemed to be working fine for months. I am not sure whether the older partitions are bootable.

I hope this bug will be fixed soon.

You’ve tried deleting the old certs using the web ui? I guess you probably see the same error?

I’d like to delete the old certs from the UI or otherwise. As you can see, the module cannot even show me anything, so deleting from the UI is impossible. Nor did the deploy_truenas script succeed.

Did you report it?
If you didn’t, the chances of them doing anything about it are slim at best. Even then I have my doubts, due to the nature of this issue.

Perhaps you can find a way to handle this using the CLI or API.

The validation error is from Pydantic saying the string should have at most 1024 characters, so it’s probably the base model config enforcing a character limit of 1024 on the cert DN. I doubt the CLI/API will work well. I haven’t been following too closely recently, but at a quick look it looks like this was only added as of 25.10 (941b6d97de NAS-134942 / 25.10 / Move crypto plugin API definition to pydantic (#16080)).

I haven’t had a look yet, but there is probably something in place for the public/private keys to allow them to be longer. It probably just also needs to be used for the DN. I’ll have a poke, as these sorts of certs are technically valid so should work.


Yup, it was as I thought.
certificate, privatekey, CSR and chain_list are all of type LongString, but DN is just str.

Which picks up from the BaseModel:

class BaseModel(PydanticBaseModel, metaclass=_BaseModelMetaclass):
    model_config = ConfigDict(
        extra="forbid",
        strict=True,
        str_max_length=1024,     # <------------- applies to every plain str field, DN included
        use_attribute_docstrings=True,
        arbitrary_types_allowed=True,
    )

I will raise a ticket for this. It’s a bit of an odd edge case but there’s not really any reason for it not to be supported.

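To make the mechanism above concrete, here is an added example that is neither TrueNAS middleware code nor anything posted in this thread. It mimics the behaviour described in plain Python without Pydantic: a model-wide cap of 1024 characters on every str field, a LongString marker that exempts a field from the cap, and a DN string built from the traceback's subject plus a SAN list for a whole /24, beside the reduced SAN quoted later in the thread. The DN/SAN string format, the `certificate` and `DN` field pairing, and the `Long` marker are assumptions made for the illustration.

```python
"""Added example: reproduce the 'String should have at most 1024 characters'
failure without Pydantic.  A model-wide string cap applies to every str
field unless the field is typed LongString (a constructed stand-in for the
middleware's LongString; this is not TrueNAS code)."""
import ipaddress
from dataclasses import dataclass, fields
from typing import Annotated, get_args, get_origin, get_type_hints

STR_MAX_LENGTH = 1024  # mirrors str_max_length=1024 from the thread's BaseModel


class Long:
    """Marker: Annotated[str, Long] is exempt from the length cap."""


LongString = Annotated[str, Long]


class ValidationError(ValueError):
    pass


def validate(obj):
    """Apply the cap to every plain-str field; LongString fields are exempt.
    All offending fields are collected first, like Pydantic's aggregated report."""
    hints = get_type_hints(type(obj), include_extras=True)
    errors = []
    for f in fields(obj):
        value = getattr(obj, f.name)
        if not isinstance(value, str):
            continue
        hint = hints[f.name]
        exempt = get_origin(hint) is Annotated and Long in get_args(hint)[1:]
        if not exempt and len(value) > STR_MAX_LENGTH:
            errors.append(
                f"{f.name}: String should have at most {STR_MAX_LENGTH} "
                f"characters [type=string_too_long, length={len(value)}]"
            )
    if errors:
        raise ValidationError("\n".join(errors))
    return obj


@dataclass
class CertBefore:
    """Shape described for 25.10.1: DN is a plain str and gets capped."""
    certificate: LongString
    DN: str


@dataclass
class CertAfter:
    """Shape after the fix: DN is LongString as well."""
    certificate: LongString
    DN: LongString


def san_for_subnet(cidr):
    """One SAN entry per host address in a subnet (the approach in the thread)."""
    return [f"IP Address:{ip}" for ip in ipaddress.ip_network(cidr).hosts()]


def build_dn(subject, san_entries):
    """Constructed approximation of the DN string seen in the traceback:
    subject RDNs followed by the SAN list.  The exact middleware format is assumed."""
    return f"{subject}/subjectAltName={', '.join(san_entries)}"


def check(model, dn):
    """Return None if the model accepts the DN, otherwise the error text."""
    try:
        validate(model(certificate="-----BEGIN CERTIFICATE-----\n...", DN=dn))
    except ValidationError as exc:
        return str(exc)
    return None


SUBJECT = "/C=GB/ST=Greater London"       # from the traceback's input_value
FULL_SAN = san_for_subnet("10.27.0.0/24")  # 254 entries, the problematic cert
SHORT_SAN = [                              # the reduced SAN quoted later in the thread
    "DNS:ng.home", "DNS:*.ng.home", "IP Address:10.27.0.40",
    "IP Address:10.27.0.50", "IP Address:10.27.0.61",
    "IP Address:10.27.0.194", "IP Address:10.27.0.202",
]

if __name__ == "__main__":
    for name, san in (("full /24", FULL_SAN), ("reduced", SHORT_SAN)):
        dn = build_dn(SUBJECT, san)
        print(f"{name}: DN length {len(dn)}")
        print("  before fix:", check(CertBefore, dn) or "accepted")
        print("  after fix: ", check(CertAfter, dn) or "accepted")
```

Under this approximation the full /24 DN runs to several thousand characters and is rejected only by the `CertBefore` shape, while the reduced SAN stays well under the cap and passes both. Note that `certificate.query` validates every stored certificate, so as long as the original long-SAN certificates remain in the store and cannot be deleted, importing a new certificate with a short SAN does not make the query succeed, which is consistent with the later report in the thread.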

Yeah, you are right. I have forgotten that.

I have tried to reduce the SAN to just the following and yet the TrueNAS 25.10.1 still fails to process the cert for showing in the WebUI.

DNS:ng.home,DNS:*.ng.home,IP Address:10.27.0.40,IP Address:10.27.0.50,IP Address:10.27.0.61,IP Address:10.27.0.194,IP Address:10.27.0.202

Thank you, pal. You are brilliant!

My PR to fix this has been merged. Should be fixed in 25.10.2 once available.


@essinghigh

You are a life saver!