bg-tutorials

How to Install an ACME SSL Certificate on TrueNAS

This guide shows how to install an ACME SSL Certificate on TrueNAS using an external host and EAB (External Account Binding). It’s compatible with both TrueNAS CORE and TrueNAS SCALE.

TrueNAS ACME SSL

TrueNAS has native ACME support, but only for Let’s Encrypt through its built-in DNS-01 integration. If you want to use a commercial ACME provider (Sectigo, DigiCert, etc) with ACME + EAB, you must generate and renew your certificate externally using an ACME client such as acme.sh, then deploy it into TrueNAS.


Before You Start

Here’s what you’ll need:

  • A domain name pointing to your TrueNAS public IP (e.g., nas.example.com)
  • TrueNAS CORE 13.x or TrueNAS SCALE 23.x+
  • An external Linux/BSD machine, VPS, or home server (for running acme.sh)
  • ACME Directory URL, EAB Key ID, and EAB HMAC from your commercial CA
  • SSH access to TrueNAS if you plan to automate syncing

Note: TrueNAS does NOT support arbitrary ACME providers in its UI. All commercial ACME automation must happen outside TrueNAS.


Step 1: Install acme.sh on Your External Host

This machine will handle ACME account registration, issuance, and renewals.

Run:

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version

If the version prints correctly, you’re good.


Step 2: Register Your ACME Account with Your Commercial CA (ACME + EAB)

Your CA dashboard will provide:

  • EAB Key ID
  • EAB HMAC Key
  • ACME Directory URL

Register your ACME account:

acme.sh --register-account \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid YOUR_EAB_KID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  --accountemail [email protected]

Replace values with your own. You only run this once.


Step 3: Issue the Certificate (DNS-01 Validation Required)

TrueNAS is almost always behind NAT, so DNS validation is the safest.

Here’s a manaul DNS example:

acme.sh --issue \
  -d nas.example.com \
  --dns dns_manual \
  --server https://acme.yourca.com/v2/acme

acme.sh will tell you to create a TXT record:

_acme-challenge.nas.example.com   TXT   <token>

Create the TXT record in your DNS manager and wait for propagation.

Check propagation:

dig TXT _acme-challenge.nas.example.com +short

Once the token appears, re-run the same command and acme.sh will finish issuing the certificate. Your files will be saved at ~/.acme.sh/nas.example.com/.

Inside you’ll find:

  • fullchain.cer: server cert + intermediate
  • nas.example.com.key: private key
  • ca.cer: CA chain (if provided separately)

Step 4: Import the Certificate into TrueNAS

  1. Go to: TrueNAS UI > System > Certificates
  2. Click Add and select Import Certificate
  3. Upload your certificate files and click Save

Assign the certificate to your services:

  • Web UI
  • SMB / NFS services (if applicable)
  • Middleware APIs
  • Reverse proxies or apps using HTTPS (TrueNAS SCALE)

Step 5: Automate Renewal and Deployment

TrueNAS does not auto-pull certificates. You must push renewed certificates into TrueNAS.

1. Create a deploy script

On your external ACME host, create /usr/local/bin/truenas-deploy.sh:

Note: This script works only if TrueNAS allows SSH access with a user permitted to run midclt. It uploads the new key + cert to /tmp/ and replaces the active certificate through the TrueNAS API. Make sure your paths and domain match your acme.sh setup.

#!/bin/bash

DOMAIN="nas.example.com"
NAS_USER="root"
NAS_HOST="truenas.local"

CERT_PATH="$HOME/.acme.sh/$DOMAIN"
KEY="$CERT_PATH/$DOMAIN.key"
CERT="$CERT_PATH/fullchain.cer"

scp "$KEY" "$NAS_USER@$NAS_HOST:/tmp/key.key"
scp "$CERT" "$NAS_USER@$NAS_HOST:/tmp/cert.cer"

ssh "$NAS_USER@$NAS_HOST" <<EOF
midclt call certificate.update '{"certificate": "custom", "csr": null, "privatekey": "$(cat /tmp/key.key)", "certificate": "$(cat /tmp/cert.cer)"}'
EOF

Make it executable:

chmod +x /usr/local/bin/truenas-deploy.sh

2. Add a renewal hook

Add a deploy hook in acme.sh:

acme.sh --deploy-hook truenas-deploy \
  -d nas.example.com

Or add this inside ~/.acme.sh/deploy/truenas-deploy.sh.

3. Let acme.sh handle everything

Here’s what acme.sh does automatically:

  • Checks for renewals daily
  • Renews the certificate
  • Triggers your deploy script
  • Pushes updated certs into TrueNAS
  • Applies changes silently

Once configured, you don’t have to touch TrueNAS again for cert renewals.


Common Questions

If you’re setting up ACME automation on TrueNAS for the first time, these quick answers cover the issues users run into most often.

Can I use one certificate for both the TrueNAS GUI and other services (SMB, NFS, iSCSI portals)?

Yes. Once you import the certificate in System > Certificates, you can select the same cert for the web UI and for any service that exposes HTTPS (Web UI, API, maybe reverse proxy/HAProxy if you use it). You don’t need separate certificates per service unless you want different hostnames.

My NAS is behind CGNAT or double NAT. Can I still use ACME?

Yes, but you must use DNS-01 validation. HTTP-01 won’t work because the ACME server can’t reach your NAS over port 80. With DNS-01, the CA only checks your TXT record at _acme-challenge.yourdomain.com, so it doesn’t care where the NAS actually sits.

What happens if acme.sh renews the certificate but I forget to re-import it into TrueNAS?

TrueNAS will just keep using the old certificate you imported last time. The renewed files sit on your external host until you upload them again (or your script/API handles it).

Your site will still work, but eventually browsers will start warning about an expired cert. That’s why it’s worth either scripting the re-import or putting a reminder in place close to the expiry date.

Can I use a wildcard certificate (like *.example.com) with TrueNAS

Yes. As long as the private key and certificate match, TrueNAS doesn’t care if it’s a wildcard or single-host cert. You still have to issue the wildcard via DNS-01 in acme.sh, then import fullchain.cer + *.example.com.key into TrueNAS. Just be careful where you reuse that key. A wildcard cert gives full control over all subdomains it covers.


Final Words

This workflow gives you a stable, reliable way to install an ACME certificate on TrueNAS without fighting the system. Your external host handles issuing, renewing, and managing the certificate, while TrueNAS simply receives clean imports whenever the files are updated.

Once the process is in place, everything runs quietly in the background, and you only step in if you want to adjust scripts or rotate credentials.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.