Hi
I'm trying to set up OPNsense to request and manage renewals of SSL certs. The server should work together with a separate HAProxy server, which should handle the receipt of cert uploads for client machines.
My problem is I can't seem to get certificate (.PEM) files to upload successfully from OPNsense using remote SFTP/SSH.
Using a small script:
mkdir -p /root/testcert
cd /root/testcert
# Self-signed test cert (doesn't matter what it is)
openssl req -x509 -nodes -newkey rsa:2048 \
    -keyout test.key \
    -out test.crt \
    -subj "/CN=mydomain.com" \
    -days 1
cat test.crt test.key > test.pem
Now push it to HAProxy:
cat /root/testcert/test.pem | \
    ssh -i /var/etc/acme-client/sftp-config/id.ed25519 \
        -p 22 \
        acme-certpusher@192.168.99.252 \
        "mydomain.com"
The 2 errors I keep getting are:
1. bash: line 1: mydomain.com: command not found
2. It seems OPNsense ACME automation (type "SSH remote command") does not pipe any certificate data so I end up with:
Nov 21 12:54:36 mydomain acme-certpush[142212]: Fri Nov 21 12:54:36 GMT 2025 Starting certpush for domain/command: mydomain.com
Nov 21 12:54:36 mydomain acme-certpush[142220]: PEM missing certificate block
The indication is that I'm not getting the fullchain.pem, which is supposed to end up in /etc/haproxy/certs/domainx/.
On checking OPNsense, I can see the fullchain.cer and the mydomain.com .cer, .csr & .key sitting in /var/etc/acme-client/cert-home/12345678901112.84768251/mydomain.com
Can anyone tell me if this plan, of running separate HAProxy instead of HAProxy running on OPNsense, will work?
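A receiver-side script of the kind the push above expects, added here as an example and not the poster's acme-certpush script or anything shipped with OPNsense or HAProxy. It assumes the HAProxy host runs it as `certpush <domain>` (or through an SSH forced command, in which case OpenSSH exposes the client's requested command in SSH_ORIGINAL_COMMAND) with the PEM on stdin. Before anything is written under /etc/haproxy/certs/<domain>/ it checks that the PEM really carries a certificate block and exactly one private key block, rejects domain arguments that could escape the certificate root, and then installs fullchain.pem atomically with owner-only permissions. The SAMPLE_CERT and SAMPLE_KEY strings are constructed placeholders, not real key material.

```python
"""certpush receiver (added example): validate a pushed PEM and install it for HAProxy."""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

CERT_ROOT = Path("/etc/haproxy/certs")  # target directory named in the post

# One PEM block; the backreference forces BEGIN and END labels to agree.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Hostname labels only: no "/", "..", spaces or empty labels can get through.
DOMAIN_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+"
)

# Constructed placeholders with fake bodies; structurally PEM, not usable keys.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfakefakefakefake\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEfakefakefakefake\n-----END PRIVATE KEY-----\n"


def pem_blocks(text: str) -> List[str]:
    """Return the labels of the PEM blocks found in text, in order."""
    return BLOCK_RE.findall(text)


def check_pem(text: str) -> Optional[str]:
    """Return an error message if the PEM is not a cert+key bundle, else None.

    Empty input yields the same message the poster saw in the HAProxy log.
    """
    labels = pem_blocks(text)
    if "CERTIFICATE" not in labels:
        return "PEM missing certificate block"
    keys = [label for label in labels if label in KEY_LABELS]
    if not keys:
        return "PEM missing private key block"
    if len(keys) > 1:
        return "PEM contains more than one private key block"
    return None


def validate_domain(domain: str) -> bool:
    """True only for a plain hostname that is safe to use as a directory name."""
    return len(domain) <= 253 and DOMAIN_RE.fullmatch(domain) is not None


def install_pem(domain: str, text: str, root: Path = CERT_ROOT) -> Path:
    """Write the validated PEM to root/<domain>/fullchain.pem with mode 0600."""
    if not validate_domain(domain):
        raise ValueError(f"refusing unsafe domain argument: {domain!r}")
    err = check_pem(text)
    if err:
        raise ValueError(err)
    target_dir = root / domain
    target_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    target = target_dir / "fullchain.pem"
    # Write to a temp file in the same directory, then rename, so HAProxy
    # never reloads a half-written bundle. mkstemp already creates it 0600.
    fd, tmp = tempfile.mkstemp(dir=target_dir, prefix=".fullchain.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, target)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def main() -> int:
    # Assumption: a forced command in authorized_keys puts the pushed command
    # line (here just the domain) into SSH_ORIGINAL_COMMAND.
    arg = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SSH_ORIGINAL_COMMAND", "")
    domain = arg.strip().split()[-1] if arg.strip() else ""
    pem = sys.stdin.read()
    try:
        path = install_pem(domain, pem)
    except ValueError as exc:
        print(f"certpush: {exc}", file=sys.stderr)
        return 1
    print(f"certpush: installed {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With an empty stdin, which is what the log lines above suggest the OPNsense automation is sending, check_pem fails with "PEM missing certificate block" before any file is created, so the receiver never leaves an empty fullchain.pem behind for HAProxy to pick up. The domain check matters because that argument arrives straight from the SSH command line and is joined onto the certificate root; restricting the pushing key to this script with a forced command in authorized_keys (an assumption about the deployment, not something the post describes) also removes the "command not found" behaviour, since the domain is then read from SSH_ORIGINAL_COMMAND instead of being executed as a shell command.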