Confirmed, that is what I see.
FWIW, the server running the script is a Debian VM hosted on the TrueNAS itself. Not sure if that will complicate anything, especially since the REST API works without issue.
It shouldnāt. At this point I donāt know why itās failing to connect using the websocket API. I upgraded my NAS to goldeneye and Iām not having any issues with using the websocket API. You could try from another machine ie, your laptop with the appropriate client to see if that works. There are binary downloads for macOS and windows 11 if you want to try that as Iāve not tested running from a VM hosted by the NAS itself. Youāll have to put the key and cert on your laptop BTW.
when you get a chance, what happens if you use curl on your Debian VM:
root@virtualmin:~# curl -kv https://truenas.aiskon.net/api/current
* Host truenas.aiskon.net:443 was resolved.
* IPv6: (none)
* IPv4: 10.0.0.253
* Trying 10.0.0.253:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=aiskon.net
* start date: Nov 9 19:17:28 2025 GMT
* expire date: Feb 7 19:17:27 2026 GMT
* issuer: C=US; O=Let's Encrypt; CN=R13
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to truenas.aiskon.net (10.0.0.253) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://truenas.aiskon.net/api/current
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: truenas.aiskon.net]
* [HTTP/2] [1] [:path: /api/current]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET /api/current HTTP/2
> Host: truenas.aiskon.net
> User-Agent: curl/8.14.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 400
< server: nginx
< date: Sat, 06 Dec 2025 15:03:16 GMT
< content-type: text/plain; charset=utf-8
< content-length: 66
< strict-transport-security: max-age=0; includeSubDomains; preload
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< permissions-policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
< referrer-policy: strict-origin
< x-frame-options: SAMEORIGIN
<
No WebSocket UPGRADE hdr: None
* Connection #0 to host truenas.aiskon.net left intact
Can "Upgrade" only to "WebSocket".
root@virtualmin:~#
Iām at a loss. Iām running the exact same version of tnascert-deploy, revision bea9388ca730c3320aafb3f9a9cdeeccae94020c, on a Debian 12 bookworm VM using your config file with changes to hostname and certificate file names to a TrueNAS goldeneye. Mine works just fine using the websocket API. I donāt know why youāre having trouble.
This is fixed in 2.1: