Can you share your script? I am also with EasyDNS and am struggling with this.
Here are my internal docs, suitably redacted. Some steps are not strictly necessary, just part of our general policy/preferences.
Certificates
Create ZFS dataset
Create a ZFS DataSet named acme to host the installation of acme.sh and our custom script.
In DataSets, click “Add DataSet”, populate with:
- Parent Path: MyPool
- Name: acme
- Dataset Preset: generic
Under ‘advanced options’, change ‘Compression Level’ to ‘ZSTD-3’.
After creation, back in DataSets, select the acme dataset then click “Edit” in the ‘Permissions’ section. Change the owner and group from root to admin and enable the two ‘apply’ checkboxes. No need for recursive since the dataset is empty.
Create custom ACME DNS-authenticator shell script
Download latest acme.sh release from https://github.com/acmesh-official/acme.sh/releases
cd /mnt/MyPool/acme
curl -L -O https://github.com/acmesh-official/acme.sh/archive/refs/tags/3.1.3.tar.gz
tar -xvzf 3.1.3.tar.gz
mv acme.sh-3.1.3/ acme.sh
We don’t want to invoke acme.sh --install as we ordinarily would, because we won’t be invoking acme.sh directly, nor using its cron jobs. Our custom script will instead source it and use some of its functions.
Next create our own script:
touch /mnt/MyPool/acme/acme-shell-auth.sh
chmod 700 /mnt/MyPool/acme/acme-shell-auth.sh
with contents (except add real EASYDNS_Key value!):
#!/bin/bash
### VARIABLES
# Logfile lives next to the script
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
LOGFILE="${SCRIPT_DIR}/acme-shell-auth.log"
# Location of acme.sh and the provider's dnsapi script (we only use their functions, not acme.sh's CLI or cron)
export USER_AGENT='acme.sh-truenas'
export ACME_FOLDER="${SCRIPT_DIR}/acme.sh" # Change this path to reflect your environment
export ACME_DNSAPI="${ACME_FOLDER}/dnsapi"
export PROVIDER="dns_easydns" # Find provider script in 'dnsapi' folder (without .sh extension)
# DNS API authentication. See details for your provider https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export EASYDNS_Key="apiXXXXXXXXXXXXXXXXX"
export EASYDNS_Token="token-my-domain"
### FUNCTIONS
_log_output() {
    echo "$(date "+[%a %b %d %H:%M:%S %Z %Y]") $1" >> "${LOGFILE}"
}
### MAIN
# Create the logfile before the first write; 600 so the owner can append and nobody else can read it
if [ ! -f "${LOGFILE}" ]; then
    touch "${LOGFILE}"
    chmod 600 "${LOGFILE}"
fi
# TrueNAS runs this script as: <script> set|unset <domain> <validation_name> <validation_content>
_log_output "INFO Script started with params: $1 $2 $3 $4"
# File/folder validation (exit, not return: this script is executed by TrueNAS, not sourced)
if [ ! -d "${ACME_FOLDER}" ]; then
    _log_output "ERROR Invalid acme folder: ${ACME_FOLDER}"
    exit 1
fi
# Source acme.sh (for its helper functions) and the provider script (for dns_easydns_add/dns_easydns_rm)
source "${ACME_FOLDER}/acme.sh" > /dev/null 2>&1
source "${ACME_DNSAPI}/${PROVIDER}.sh" > /dev/null 2>&1
# Main: add or remove the TXT record. stderr goes to the log as well so provider errors are not lost.
if [ "${1}" == "set" ]; then
    "${PROVIDER}_add" "${3}" "${4}" >> "${LOGFILE}" 2>&1
elif [ "${1}" == "unset" ]; then
    "${PROVIDER}_rm" "${3}" "${4}" >> "${LOGFILE}" 2>&1
fi
_log_output "INFO Script finished."
Note that the above script sources acme.sh and acme.sh/dnsapi/dns_easydns.sh, then directly invokes functions (dns_easydns_add and dns_easydns_rm) from the latter. This is because all TrueNAS needs from our script is to add (then remove) TXT records in public DNS; it does the rest.
Add custom ACME DNS-authenticator
In Credentials > Certificates > ACME DNS-Authenticators, click “Add”.
Populate with:
- Name: acme-easydns
- Authenticator: shell
- Script: /mnt/MyPool/acme/acme-shell-auth.sh
- User: truenas_admin
- Timeout: empty (will default to 60)
- Delay: empty (will default to 60)
Create certificate signing request (CSR)
General instructions: https://www.truenas.com/docs/scale/scaletutorials/credentials/certificates/addcsrsscale/
In Credentials > Certificates > Certificate Signing Requests, click “Add”.
Populate with:
- Name: acme-easydns-csr
- Type: Certificate Signing Request
- Profile: HTTPS ECC Certificate
- Country: Canada
- State: Quebec
- Locality: Montreal
- Organization: MyDomain Inc.
- Email: email@my-domain.com
- Common name: my-host.my-domain.com
- Subject Alternative Name: my-host.my-domain.com
Create actual certificate
In Credentials > Certificates > Certificate Signing Requests, click the wrench icon.
Populate with:
- Identifier: MyDomain-Cert
- Terms of service: checked
- ACME Server Directory URI: Let’s Encrypt Production
- Domains: click popups and choose acme-easydns
Make sure the firewall allows outgoing connections to EasyDNS and Let’s Encrypt.
Apply certificate
In System > General Settings > GUI, edit the settings and change GUI SSL Certificate to MyDomain-Cert.
References
This was figured out mostly from:
https://forums.truenas.com/t/issues-setting-up-acme-sh/47869/5
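As an added example (not part of the post above, and not code from acme.sh or TrueNAS), here is a stricter version of the set/unset dispatch in acme-shell-auth.sh that can be exercised offline. It validates the four arguments TrueNAS passes, checks that the provider functions are actually defined before calling them, and optionally loads the EasyDNS credentials from a separate file after confirming that file is not group/world readable, instead of embedding the key in the script. The `dns_fake_add`/`dns_fake_rm` functions are a constructed stand-in for acme.sh's `dns_easydns_add`/`dns_easydns_rm`; the calling convention (`set|unset <domain> <validation_name> <validation_content>`), the `_acme-challenge.<domain>` record name and the `ACME_CREDS_FILE` variable are assumptions inferred from the script above, not documented TrueNAS interfaces.

```bash
#!/bin/bash
# Added example, not the poster's script and not acme.sh/TrueNAS code.
# Assumed calling convention (inferred from acme-shell-auth.sh above):
#   <script> set|unset <domain> <validation_name> <validation_content>
# Assumed provider interface (acme.sh dnsapi style): <PROVIDER>_add / <PROVIDER>_rm <fqdn> <txtvalue>

PROVIDER="${PROVIDER:-dns_fake}"       # real deployment: dns_easydns, after sourcing acme.sh and dnsapi/dns_easydns.sh
ACME_CREDS_FILE="${ACME_CREDS_FILE:-}" # optional (assumed name): file exporting EASYDNS_Key / EASYDNS_Token, mode 600

# Constructed stand-in provider: records calls in a variable instead of talking to an API.
FAKE_DNS_LOG=""
dns_fake_add() { FAKE_DNS_LOG="${FAKE_DNS_LOG}add $1 $2;"; }
dns_fake_rm()  { FAKE_DNS_LOG="${FAKE_DNS_LOG}rm $1 $2;"; }

# True only if the file exists and has no group/other permission bits.
# Reads ls columns 5-10 (group+other rwx) so it behaves the same on GNU and BSD userlands.
creds_file_is_private() {
    local f="$1" bits
    [ -f "$f" ] || return 1
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Validate one TrueNAS call and hand it to the provider. Returns 0 on success, 1 on any rejection.
acme_auth_dispatch() {
    local action="$1" domain="$2" name="$3" content="$4" base fn
    if [ "$#" -ne 4 ]; then
        echo "ERROR expected 4 arguments, got $#" >&2; return 1
    fi
    case "$action" in
        set|unset) ;;
        *) echo "ERROR unknown action '$action'" >&2; return 1 ;;
    esac
    # The record must be the ACME challenge label of the requested domain (a wildcard drops its
    # leading "*."); anything else would let a malformed call write TXT records elsewhere in the zone.
    base="${domain#\*.}"
    case "$name" in
        "_acme-challenge.${base}"|"_acme-challenge.${base}.") ;;
        *) echo "ERROR '$name' is not the challenge record for '$domain'" >&2; return 1 ;;
    esac
    # dns-01 values are base64url; reject anything carrying whitespace, quotes or shell metacharacters.
    case "$content" in
        ""|*[!A-Za-z0-9_-]*) echo "ERROR validation content is empty or malformed" >&2; return 1 ;;
    esac
    if [ "$action" = "set" ]; then fn="${PROVIDER}_add"; else fn="${PROVIDER}_rm"; fi
    if ! command -v "$fn" >/dev/null 2>&1; then
        echo "ERROR provider function '$fn' is not defined (was dnsapi/${PROVIDER}.sh sourced?)" >&2; return 1
    fi
    "$fn" "$name" "$content"
}

# Entry point when TrueNAS executes the script with arguments; exit (not return) with the result.
if [ "$#" -gt 0 ]; then
    if [ -n "$ACME_CREDS_FILE" ]; then
        creds_file_is_private "$ACME_CREDS_FILE" || { echo "ERROR $ACME_CREDS_FILE must be mode 600" >&2; exit 1; }
        . "$ACME_CREDS_FILE"
    fi
    acme_auth_dispatch "$@"
    exit $?
fi
```

To use it with the real provider, source acme.sh and dnsapi/dns_easydns.sh before the dispatch and set PROVIDER=dns_easydns; the rejection paths above are what you would see in the TrueNAS job log if the middleware ever handed the script something other than the challenge record for the requested domain.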