I privately run 3x TrueNAS NAS and just installed 25.10 on one of them and wanted to c+p my default config to it. I had to find out (in comparison to 25.04) that SMART check and local CA were removed.
Since the default certificate lasts 1 year, in the past I always created a local CA and created new certificates that last 5 years. Now I cannot do this anymore. I checked the wiki and found this:
I'm sure the official answer is, "pay for a TrueNAS Connect subscription," which (among other things) will get you a certificate for something like 192-168-1-176.cr49fa5fij885c9jhncnkquoin20d23t52an3ug.l226e8evc5ldjcspgcppqt378sj9n4btef62ojo.truenas.direct and keep it up-to-date.
If you do own a domain, move its DNS to Cloudflare for free, and use that to get trusted certs that renew automatically.
Otherwise, you don't care about certificate errors in your browser anyway, so just continue to use the default cert after it expires.
Yes. The built-in ACME cert generation in TrueNAS uses DNS validation (which is why the DNS host matters), and therefore doesn't depend on having a public IP address or public access to your TrueNAS server (which you should never have).
Another possibility is to use a different ACME client (like, e.g., acme.sh or lego) to get your cert using DNS validation with your current DNS host, and then use an automated tool to deploy it to your NAS when it renews. See:
I have a tool that you can use to import a certificate to your TrueNAS 25.10 server. See, tnas-certdeploy. It's written in Go but I have made available pre-compiled binaries in the latest release, tnas-certdeploy 1.3.
I use the tool to import my wildcard Let's Encrypt certificate to my two TrueNAS-SCALE instances. I have a VM that runs the acme scripts to keep my certs updated and I use this tool, tnas-certdeploy, in an acme post-install script to update my NAS machines. My domain is registered with Cloudflare and I use a split-horizon DNS. My public A records are with Cloudflare and my private A records are under control of the Unbound DNS server on my OPNsense router.
Yep, that's what I did, because for some reason Strato still has no DNS API that would allow you to auto-request Let's Encrypt wildcard certificates. Now my pfSense can use ACME to update the wildcard if needed and provide it to the reverse proxy. Works like a charm without any manual intervention.
I don't know what you mean by "fantasy" here, but you'd create local DNS records pointing to your NAS. So if you own example.com, you'd go to whatever device is providing DNS for your LAN (your router, a Pi-Hole/AdGuard Home installation, your own instance of BIND, whatever) and create a DNS record for truenas.lan.example.com pointing to your NAS.
You'd then create a cert for truenas.lan.example.com, or maybe *.lan.example.com if you're planning on using that cert for other apps as well.
Indeed they do; you can't get a public cert for private identifiers.
You don't; you access it via FQDN. Because yes, accessing via the IP will give you cert errors.