Netgate Discussion Forum

    Acme Certs are Not Renewing

    Plus 25.11 Snapshots
    • cwagz

      I am running:
      25.11-BETA (amd64)
      built on Tue Oct 28 11:38:00 PDT 2025
      FreeBSD 16.0-CURRENT

      I started receiving errors each night that my Acme certs are failing to renew. I have had this setup for several years without issue. I tried doing a manual renew and a cert is generated, but there appears to be an error at the end related to reloadcmd.sh.

      [Sun Nov 9 11:15:36 PST 2025] Your cert is in: /.acme.sh/xxxx.com/xxxx.com.cer
      [Sun Nov 9 11:15:36 PST 2025] Your cert key is in: /.acme.sh/xxxx.com/xxxx.com.key
      [Sun Nov 9 11:15:36 PST 2025] The intermediate CA cert is in: /.acme.sh/xxxx.com/ca.cer
      [Sun Nov 9 11:15:36 PST 2025] And the full-chain cert is in: /.acme.sh/xxxx.com/fullchain.cer
      [Sun Nov 9 11:15:36 PST 2025] Your pre-generated key for future cert key changes is in: /.acme.sh/xxxxx.com/xxxx.com.key.next
      [Sun Nov 9 11:15:37 PST 2025] Running reload cmd: reloadcmd.sh
      eval: reloadcmd.sh: not found
      [Sun Nov 9 11:15:37 PST 2025] Reload error for: xxxx.com

      Is anyone else experiencing anything like this with the beta?

      Netgate 6100 MAX

      • Gertjan @cwagz

        @cwagz

        The problem is hiding in plain sight :

        @cwagz said in Acme Certs are Not Renewing:

        eval: reloadcmd.sh: not found

        This file is created just before "acme.sh" is executed, and you can find it here :
        /tmp/acme/[YOUR_CERT_NAME]/

        In that same folder you'll also find the "acme_issuecert.log" file with far more details.

        If, for some reason, /tmp/acme/[YOUR_CERT_NAME]/ doesn't exist, then you've found your problem.
        It should exist, as the cert renewal worked fine ....
        Strange it could create that one single "reloadcmd.sh" file.
        This file is the one that gets all the cert details and integrates them into the pfSense System > Certificates > Certificates store.

        The /tmp/ is always emptied during a system 'pfSense' (re)boot, but the acme.sh package will repopulate it with all the needed files before it executes acme.sh.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • marcosm Netgate

          This will be fixed in the next public build, thanks!

          • PatRyan @cwagz

            @cwagz I am seeing the same thing. The renewal processes up to the reloadcmd.sh.

            • PatRyan @marcosm

              @marcosm Thanks for the update. Here is hoping the next build comes out before my certs expire in less than 20 days. 😰

              Worst case scenario, I'll revert to 25.07.01 and see if I can renew.

              • Gertjan @PatRyan

                @PatRyan

                Try this :
                The missing file, /tmp/acme/Your-Domaine-name/reload.sh :

                /usr/local/pkg/acme/acme_command.sh importcert "Your-Domaine-name" "domaine.name" "/tmp/acme/Your-Domaine-name/domaine.name/domaine.name.key" "/tmp/acme/Your-Domaine-name/domaine.name/domaine.name.cer" "/tmp/acme/Your-Domaine-name/domaine.name/ca.cer" "/tmp/acme/Your-Domaine-name/domaine.name/fullchain.cer"

                Where :


                This command imports the obtained files (certificates) into the pfSense GUI cert store.

                This file isn't part of the package, it's auto generated with the GUI settings.

                Suggestion :
                Create this file in the root folder.
                Use the Services: Shellcmd Settings command (install the Shellcmd pfSense package), select Shell command or early shell command and copy the file from root to /tmp/acme/Your-Domaine-name/reload.sh

                cp /root/reload.sh /tmp/acme/Your-Domaine-name/reload.sh


                Be careful : during boot, /tmp/ is probably empty.
                So you have to create /acme/ folder first, and then the /Your-Domaine-name/ folder before the actual copy command. I leave it up to you to create a nice one liner ^^

                Normally, when the acme.sh package gets updated, and restored to normal, the file you copied during boot will just be created / overwritten with the correct info.
                Just keep in mind that you probably can / have to remove this temporary shell command in the future.
                A post-it ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
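
The boot-time copy described in the post above, written out as an added example; it is not part of the original post and not Netgate's code. The function name stage_reload and its three parameters are assumptions, and the file name is a parameter because the thread uses both reloadcmd.sh (in the log) and reload.sh (in this post). It adds checks that matter because the script is staged under /tmp and later executed during renewal.

```shell
#!/bin/sh
# Added example: restage a reload script kept outside /tmp into the acme
# working directory after boot. Nothing here is generated by the acme package.

# stage_reload SRC DEST_DIR FILE_NAME
# Returns 0 on success; 1-5 identify the failed check (message on stderr).
stage_reload() {
    src=$1 dest_dir=$2 name=$3
    dest="$dest_dir/$name"

    # The source must be a regular file, not a symlink.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "stage_reload: $src is not a regular file" >&2; return 1
    fi
    # A script that will be executed must not be group- or world-writable.
    if [ -n "$(find "$src" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "stage_reload: $src is group/world writable" >&2; return 2
    fi
    # /tmp is shared: never write through a symlink left in the target path.
    if [ -L "$(dirname "$dest_dir")" ] || [ -L "$dest_dir" ] || [ -L "$dest" ]; then
        echo "stage_reload: symlink in destination path" >&2; return 3
    fi
    # Create the acme folder and the per-certificate folder in one step,
    # with owner-only permissions on anything newly created.
    ( umask 077; mkdir -p "$dest_dir" ) || return 4
    # Design choice: if a file is already there (for example regenerated by
    # a fixed package), leave it untouched.
    if [ -e "$dest" ]; then
        return 0
    fi
    cp "$src" "$dest" && chmod 700 "$dest" || return 5
}

# When run as a script with three arguments, e.g. from a Shellcmd entry:
#   sh stage_reload.sh /root/reload.sh /tmp/acme/Your-Domaine-name reload.sh
if [ "$#" -eq 3 ]; then
    stage_reload "$@"
fi
```
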

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.