u/LovitzG

Expired Certificate cannot be deleted?

I had certificates expiring because I accidentally misconfigured Caddy. I had unexpired certificates that Caddy was not using. I properly configured Caddy to NOT get certificates, turned off the service, manually deleted the certs out of the Caddy store, restarted Caddy, and Caddy imported the correct/valid certs from my local store. I don't know if this will again be an issue if those certs expire or why if Caddy is not configured to get it's own certificates it does not default to just using the certs in the local store.

Checking my certificates I found I have an expired R12 (ACME Client) certificate for a DDNS service that I cannot delete (it has been replaced). When I try, I get the message:
Item in use by

general - {OPNsense.postfix.general}

The actual certificate is not on the system anywhere. Both certs have the same certificate and private key info. The expired cert is using CN=R12 while the new cert shows CN=YR1. Only the new cert is shown in my Services: ACME Client: Certificates while both are shown in but it is in my System: Trust: Certificates. I have a feeling the delete fails because it can't find what it supposed to delete.

The only entry I can find is that corresponds to the expired cert is in my /conf/config.xml file where all my certs are in the order displayed. in the trust listing. To clean this up do I just need to download my config file, edit out the bad cert, and re-upload it?

Related question is that under System: Trust: Authorities I show R10, R11, and R12 (ACME Client) from Let's Encrypt all with 0 usage. Can I simply delete these older unused trust authorities once I clean up my zombie cert issued under R12?

reddit.com
u/LovitzG — 1 day ago

Certificate Authority after Upgrade to 25.10.4 - Goldeye

I had a previous question about expired default certificate. I originally installed my own CA and Let's Encrypt Certificate generated in OPNSense via ACME and both were imported. Upon upgrade to 25.10.4 my CA shows up under certificates as "MIGRATED_CA..."

If I need to add another generated certificate from OPNSense, how does that work now? Importing a new certificate simply asks for a Name, Certificate, and Private Key. If generated in OPNSense using my internal CA that is now shown as MIGRATED_CA will that still work?

reddit.com
u/LovitzG — 1 day ago

Certificate 'truenas_default' is expiring within 1 days

I get the follwing warning in my TrueNAS Alerts:

Warning

Certificate 'truenas_default' is expiring within 1 days.

2026-07-03 12:00:10 AM (America/Chicago)

The above cert is the IXI provided cert from installation. I run OPNSense and generated a Let's Encrypt local lan certificate using acme, create the CA in TrueNAS, and imported the certificate. My is selected from the https configuration pull-down and works fine and will not expire until: 2045-07-11

Is there a way to update or renew the default certificate to prevent constant warning messages? Can I rename the expiring cert, create a new one, and delete the original? Is it safe to just delete the IXI provided truenas_default certificate?

Are there any CLI command to perform accomplish this with openssl?

reddit.com
u/LovitzG — 1 day ago