This information was spread out on several forum posts, blogs, wikis... etc. This gist is intended to collect all that information in one place so I don't have to dig it all up again. If you find it useful please leave a comment.
- You need to have a working install of TrueNAS Core or SCALE. (I prefer SCALE... it is just better)
- All of the following commands are performed in the shell on the NAS. (zsh is my preferred shell, these will work in bash)
- You need an API key from your DNS provider (my example is Digital Ocean) and an API key for your NAS. See official documentation for instructions on generating. (not in the scope of this gist)
- Your own domain
acme.sh on Github Wiki Install instructions
Using curl: curl https://get.acme.sh | sh -s email=my@example.com
Using wget: wget -O - https://get.acme.sh | sh -s email=my@example.com
In this step you will generate a cert for your server. Stick to Let's Encrypt. ACME.sh defaults to ZeroSSL but the certs it creates did not work for me.
Create an environment variable for your DNS provider API key (example is Digital Ocean)
export DO_API_KEY=yourDO-API-KEYhere
Make Let's Encrypt your default CA
acme.sh --set-default-ca --server letsencrypt
Issue the certificate
acme.sh --issue -d your.domain.here --dns dns_dgon
When I did this on the Core server there were additional steps to select the certificate for use in the gui. SCALE just did it and it worked right away. SCALE for the win!
Create some env variables
export DEPLOY_TRUENAS_APIKEY=theAPI_KEYyouGENERATED_IN_THE_WEB_UI
The following two variables are optional and will default to the example values if you don't create them. (I always create them anyway. I have trust issues)
export DEPLOY_TRUENAS_HOSTNAME=localhost  # Optional, defaults to localhost
export DEPLOY_TRUENAS_SCHEME=http  # Optional, defaults to http; set to https as an alternative
acme.sh --insecure --deploy -d your.domain.here --deploy-hook truenas
(I think if you change the SCHEME variable to https you can leave off the --insecure flag. But I am not 100% on that and I did not test it)
If you did this on TrueNAS SCALE... you can now type in your fqdn (assuming you have taken steps for it to resolve correctly) and shit just works. I do not remember where the settings were in Core to get the Let's Encrypt cert installed as the GUI cert. I think it was in somewhere... maybe.
Enjoy life! You now have https goodness!
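To confirm the deploy step actually put the new certificate in front of the web UI, the following check can be run afterwards. It is an added example, not part of the original gist or of acme.sh; `served_cert` and `check_cert` are hypothetical helper names, and port 443 is an assumption.

```shell
#!/bin/sh
# Added example: post-deploy certificate check (helper names are hypothetical).

# Print the leaf certificate a host presents, as PEM. Needs network access.
# Assumption: the TrueNAS web UI listens on 443 unless a port is given.
served_cert() {  # usage: served_cert <fqdn> [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Inspect a PEM file. Return codes: 0 ok, 1 wrong host, 2 wrong issuer, 3 expiring.
# This reads certificate fields only; it does not validate the chain.
check_cert() {  # usage: check_cert <pem-file> <fqdn> <issuer-substring> <min-days>
    pem=$1 fqdn=$2 issuer=$3 min_days=$4

    # -checkhost understands wildcard names such as *.example.com
    openssl x509 -in "$pem" -noout -checkhost "$fqdn" | grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $fqdn"; return 1; }

    # Catches the case where the UI still serves its old self-signed certificate
    openssl x509 -in "$pem" -noout -issuer | grep -qF "$issuer" ||
        { echo "FAIL: issuer does not contain '$issuer'"; return 2; }

    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; return 3; }

    echo "OK: $fqdn matches, issuer matches, valid for more than $min_days days"
}

# Typical use on the NAS after the deploy step:
#   served_cert your.domain.here > /tmp/nas.pem
#   check_cert /tmp/nas.pem your.domain.here "Let's Encrypt" 14
#   curl -sSI https://your.domain.here/ >/dev/null  # no -k: fails on an untrusted chain
```

Running the same check from cron after each renewal shows when a renewed certificate was issued but never reached the web UI.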
Hello, I need some help. When I try to do the renew I get this error:
truenas_admin@truenas22[/mnt/Tank/Tool]$ acme.sh --insecure --deploy -d '*.mydomain.de' --deploy-hook truenas_ws
[Thu Dec 11 20:10:14 CET 2025] Checking environment variables...
[Thu Dec 11 20:10:14 CET 2025] Environment variables: OK
[Thu Dec 11 20:10:14 CET 2025] Checking TrueNAS health...
Traceback (most recent call last):
  File "/usr/bin/midclt", line 33, in <module>
    sys.exit(load_entry_point('truenas-api-client==0.0.0', 'console_scripts', 'midclt')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 1026, in main
    with Client(uri=args.uri) as c:
         ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/__init__.py", line 101, in __init__
    self.__client = client_class(uri, reserved_ports, private_methods, py_exceptions, log_py_exceptions,
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/truenas_api_client/legacy.py", line 211, in __init__
    self._ws.connect()
  File "/usr/lib/python3/dist-packages/truenas_api_client/legacy.py", line 60, in connect
    self.socket = connect(self.url, sockopt, proxy_info(), None)[0]
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/websocket/_http.py", line 132, in connect
    hostname, port_from_url, resource, is_secure = parse_url(url)
                                                   ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/websocket/_url.py", line 63, in parse_url
    raise ValueError("scheme %s is invalid" % scheme)
ValueError: scheme http is invalid
[Thu Dec 11 20:10:14 CET 2025] TrueNAS is not ready.
[Thu Dec 11 20:10:14 CET 2025] Please check environment variables DEPLOY_TRUENAS_APIKEY, DEPLOY_TRUENAS_HOSTNAME and DEPLOY_TRUENAS_PROTOCOL.
[Thu Dec 11 20:10:14 CET 2025] Verify API key.
[Thu Dec 11 20:10:14 CET 2025] Error deploying for domain: *.mydomain.de
[Thu Dec 11 20:10:14 CET 2025] Error encountered while deploying.
Can anyone help?
I find only examples with Cloudflare, but I don't want to use it.