
security/acme-client: automation for uploading to TrueNAS server fails to locate certificate #4568

Open
tmacphail opened this issue Mar 3, 2025 · 1 comment

tmacphail commented Mar 3, 2025

Describe the bug

After successfully renewing a cert, the automation to deploy to truenas fails with this error:

[Fri Feb 21 00:01:15 PST 2025] Cannot find path: '/var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy/domain'
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] The domain 'domain' is not a cert name. You must use the cert name to specify the cert to install.

To Reproduce
Steps to reproduce the behavior:

  1. Set up an automation to deploy to truenas (valid credentials may not be required, as I believe the error occurs before communication with truenas)
  2. Associate the automation with a certificate
  3. Run automations or renew certificate causing automations to run
  4. See error

Expected behavior
Certificate should be deployed

Screenshots
None

Relevant log files
ACME Client: Log Files: System Log:

AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy' --certpath '/var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/cert.pem' --keypath '/var/etc/acme-client/keys/xxxxxxxxxxxxxx.yyyyyyyy/private.key' --capath '/var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/chain.pem' --fullchainpath '/var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/fullchain.pem' --domain 'domain' --deploy-hook truenas --insecure'

ACME Log:

2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Cert success.
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Your cert is in: /var/etc/acme-client/home/domain/domain.cer
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Your cert key is in: /var/etc/acme-client/home/domain/domain.key
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] The intermediate CA cert is in: /var/etc/acme-client/home/domain/ca.cer
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] And the full-chain cert is in: /var/etc/acme-client/home/domain/fullchain.cer
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Installing cert to: /var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/cert.pem
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Installing CA to: /var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/chain.pem
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Installing key to: /var/etc/acme-client/keys/xxxxxxxxxxxxxx.yyyyyyyy/private.key
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] Installing full chain to: /var/etc/acme-client/certs/xxxxxxxxxxxxxx.yyyyyyyy/fullchain.pem
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] _on_issue_success
2025-02-21T00:01:13-08:00 acme.sh [Fri Feb 21 00:01:13 PST 2025] The NOTIFY_HOOK is empty, will just return.
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] Using server: https://acme-v02.api.letsencrypt.org/directory
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] Running cmd: deploy
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] Using config home: /var/etc/acme-client/home
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] DOMAIN_PATH='/var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy/domain'
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] The domain 'domain' is not a cert name. You must use the cert name to specify the cert to install.
2025-02-21T00:01:15-08:00 acme.sh [Fri Feb 21 00:01:15 PST 2025] Cannot find path: '/var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy/domain'

Additional context
xxxxxxxxxxxxxx.yyyyyyyy: censored value, in case it was private or just a temp value (it was a bunch of letters and numbers).

I believe the issue relates to the --cert-home argument being passed to acme.sh combined with --domain. It appears to be looking for a domain subdirectory underneath the cert-home. But logs show the certificate was installed to that xxxxxxxxxxxxxx.yyyyyyyy directory directly during the renew process and no subdirectory was created. Though that directory seems temporary as it isn't present anymore when I look after the failure.
One possible solution may be to have --cert-home set one directory higher and --domain be xxxxxxxxxxxxxx.yyyyyyyy

Alternatively, aside from the 'installed' certs shown in the log, it also says the cert is in /var/etc/acme-client/home/domain.
In which case, this command would also work to install the cert:

/usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/home/' --certpath '/var/etc/acme-client/home/domain/domain.cer' --keypath '/var/etc/acme-client/home/domain/domain.key' --capath '/var/etc/acme-client/home/domain/ca.cer' --fullchainpath '/var/etc/acme-client/home/domain/fullchain.cer' --domain 'domain' --deploy-hook truenas --insecure

Environment
ACME Client plugin version: 4.7
opnsense: 24.7.12_4
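The path mismatch described in the report can be reproduced without a firewall or a TrueNAS box. The script below is an added example, not code from acme.sh or the OPNsense acme-client plugin. It assumes the lookup rule acme.sh applies in its _initpath() function (cert directory = --cert-home joined with --domain, with "_ecc" appended for ECC certificates) and the existence check that --deploy performs on that directory; it builds a constructed scratch copy of the directory layout quoted in the ACME log, keeping xxxxxxxxxxxxxx.yyyyyyyy as a placeholder, and runs the plugin's actual invocation beside the two rewritten invocations proposed above.

```shell
#!/bin/sh
# Added example (not acme.sh or plugin code): model the directory lookup that
# acme.sh --deploy performs, against a scratch copy of the layout in the issue.
# Assumed rule, taken from acme.sh _initpath(): DOMAIN_PATH="$CERT_HOME/$domain"
# ("_ecc" appended for ECC certs); deploy refuses to continue if that directory
# does not exist.

CENSORED="xxxxxxxxxxxxxx.yyyyyyyy"   # placeholder for the censored directory name

# Constructed fixture mirroring the paths in the ACME log; the files are empty
# stand-ins, no real certificate or key material is involved.
ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
ACME="$ROOT/var/etc/acme-client"
mkdir -p "$ACME/cert-home/$CENSORED" "$ACME/home/domain" \
         "$ACME/certs/$CENSORED" "$ACME/keys/$CENSORED"
for f in domain.cer domain.key ca.cer fullchain.cer; do : > "$ACME/home/domain/$f"; done
for f in cert.pem chain.pem fullchain.pem; do : > "$ACME/certs/$CENSORED/$f"; done
: > "$ACME/keys/$CENSORED/private.key"

# How acme.sh joins --cert-home and --domain into the directory it will read.
acme_domain_path() {
    cert_home="$1"; domain="$2"; ecc="${3:-}"
    if [ -n "$ecc" ]; then
        printf '%s/%s_ecc\n' "$cert_home" "$domain"
    else
        printf '%s/%s\n' "$cert_home" "$domain"
    fi
}

# The check deploy performs before running any hook: succeed only if the joined
# path is a directory, otherwise emit the two error lines seen in the log and fail.
acme_deploy_lookup() {
    p="$(acme_domain_path "$1" "$2" "${3:-}")"
    if [ -d "$p" ]; then
        printf 'found: %s\n' "$p"
        return 0
    fi
    printf "The domain '%s' is not a cert name. You must use the cert name to specify the cert to install.\n" "$2" >&2
    printf "Cannot find path: '%s'\n" "$p" >&2
    return 1
}

# 1. The plugin's actual invocation: --cert-home already names the per-cert
#    directory, so appending 'domain' yields a path that was never created.
acme_deploy_lookup "$ACME/cert-home/$CENSORED" domain || echo "(deploy aborts here)"

# 2. First proposed fix: --cert-home one level up, --domain = the per-cert directory name.
acme_deploy_lookup "$ACME/cert-home" "$CENSORED"

# 3. Second proposed fix: point at the acme.sh home, where the log says the cert lives.
acme_deploy_lookup "$ACME/home" domain
```

The script models only the directory check that fails in the log. Whether either rewritten command then deploys successfully depends on the domain.conf and certificate files acme.sh expects inside that directory, which the posted log does not show.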

@fraenki fraenki changed the title ACME Client automation for uploading to TrueNAS server fails to locate certificate security/acme-client: automation for uploading to TrueNAS server fails to locate certificate Mar 6, 2025

fraenki commented Mar 6, 2025

I cannot reproduce this (on OPNsense 25.1). Please re-run just the automation and provide the full ACME Log for this run.

Furthermore, please provide the output of the following commands:

grep 'AcmeClient version' /conf/config.xml

ls -l /var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy

ls -l /var/etc/acme-client/cert-home/xxxxxxxxxxxxxx.yyyyyyyy/domain

@fraenki fraenki added the support Community support label Mar 6, 2025