TrueNAS Scale 25.10 SSL webserver certificate

Hi,

I run privately 3x TrueNAS NAS and just installed 25.10 to one of them and wanted to c+p my default config to it. I had to find out (in comparison to 25.04), that SMART check and local CA were removed :scream: .

Since the default certificate lasts 1 year, in the past I always created a local ca and created new certificates that last 5 years. Now I can not do this anymore. I checked the wiki and found this:

Documentation Hub/TrueNAS 26.04 (Early)/TrueNAS Tutorials/Credentials/Certificates/Creating ACME Certificates

An error occurred: Sorry, you can’t include links in your posts.

I do not use Cloudflare, DigitalOcean, Amazon Route 53, or OVHcloud and all NAS are local only (no internet access, no public IP).

How do I get new certificates to these installations?

Thanks in advance

Michael

I’m sure the official answer is, “pay for a TrueNAS Connect subscription,” which (among other things) will get you a certificate for something like 192-168-1-176.cr49fa5fij885c9jhncnkquoin20d23t52an3ug.l226e8evc5ldjcspgcppqt378sj9n4btef62ojo.truenas.direct and keep it up-to-date.

If you do own a domain, move its DNS to Cloudflare for free, and use that to get trusted certs that renew automatically.

Otherwise, you don’t care about certificate errors in your browser anyway, so just continue to use the default cert after it expires.

Is this also working with not having a public IP?

Yes. The built-in ACME cert generation in TrueNAS uses DNS validation (which is why the DNS host matters), and therefore doesn’t depend on having a public IP address or public access to your TrueNAS server (which you should never have).

Ok thanks. I own a domain (via Strato) and maybe I can transfer the DNS control to cloudflare.

Another possibility is to use a different ACME client (like, e.g., acme.sh or lego) to get your cert using DNS validation with your current DNS host, and then use an automated tool to deploy it to your NAS when it renews. See:


If you move your domain DNS to Cloudflare, you can just follow the TrueNAS documentation to generate and automatically renew Let’s Encrypt certs:

I have a tool that you can use to import a certificate to your TrueNAS 25.10 server. See, tnas-certdeploy. It’s written in Go but I have made available pre-compiled binaries in the latest release, tnas-certdeploy 1.3.

I use the tool to import my wildcard Let’s Encrypt certificate to my two TrueNAS-SCALE instances. I have a VM that runs the acme scripts to keep my certs updated and I use this tool, tnas-certdeploy, in an acme post install script to update my NAS machines. My domain is registered with Cloudflare and I use a split horizon DNS. My public A records are with Cloudflare and my private A records are under control of the unbound DNS server on my OPNsense router.

Yep, that’s what I did because for some reason Strato still has no DNS API that would allow you to auto request Let’s Encrypt wildcard certificates. Now my pfSense can use acme to update the wildcard if needed and provide it to the reverse proxy. Works like a charm without any manual intervention :slight_smile: