A couple of things come to mind.
First, the SSH authentication is happening from OPNsense to the HAProxy VM, so the user and authorized key need to exist on the HAProxy side. The error:

    Permission denied (publickey)

usually means one of the following:

- the public key isn't in the correct user's ~/.ssh/authorized_keys
- wrong username is being used in the automation action
- incorrect permissions on .ssh or authorized_keys
- the private key configured in OPNsense doesn't match the public key on HAProxy
- SSH is refusing the login because of the user's shell or account configuration

I'd start by testing manually from the OPNsense shell:

    ssh cert-bringer@10.10.20.20

using the same key that the ACME automation is configured to use. If that doesn't work manually, ACME won't work either.

As for the OPNsense side: you generally do not need a local OPNsense user named cert-bringer just to push certificates. The ACME plugin runs locally on OPNsense and can use a configured SSH key to authenticate to a remote system.

On the HAProxy VM, a setup like this is common:

    useradd -m cert-bringer
    mkdir /home/cert-bringer/.ssh
    chmod 700 /home/cert-bringer/.ssh

Then place the public key in:

    /home/cert-bringer/.ssh/authorized_keys

and set:

    chmod 600 authorized_keys
    chown -R cert-bringer:cert-bringer /home/cert-bringer/.ssh

One other thing to check: if you've given the account a shell like /usr/sbin/nologin, OpenSSH may reject the session depending on how the automation executes commands. For troubleshooting, temporarily give it a normal shell (e.g. /bin/bash), verify key authentication works, then tighten things down afterward.

Could you post the exact ACME automation method you're using (Secure Copy, SSH command, HAProxy deploy script, etc.) and the full SSH error from the ACME log? That would make it much easier to pinpoint where the failure is occurring.
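Added example, not part of the post above: a small POSIX sh audit script that checks the HAProxy-side account for the causes the reply lists (ownership and write permissions on the home directory, ~/.ssh and authorized_keys as sshd's default StrictModes requires them, a usable public key line, a non-login shell, and whether the OPNsense private key actually matches what is installed). The function names are my own, and the home path and user name are passed in as arguments rather than assumed; the cert-bringer paths in the usage comment are the ones from the reply.

```shell
#!/bin/sh
# Added example, not from the original post: audit the HAProxy-side account
# for the authorized_keys problems listed above. Function names are mine;
# the user and home directory are arguments, not assumptions.

# perm_ok PATH: 0 when PATH is neither group- nor world-writable, which is
# what sshd's default StrictModes requires for ~, ~/.ssh and authorized_keys.
perm_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwx------
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group write (col 6) or other write (col 9)
    esac
    return 0
}

# owner_of PATH: print the owning user name.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# login_shell_ok SHELL: 0 unless SHELL is a non-login shell such as
# /usr/sbin/nologin or /bin/false, which can make sshd refuse the session.
login_shell_ok() {
    case "$(basename "$1")" in
        nologin|false) return 1 ;;
    esac
    return 0
}

# key_matches PRIVKEY AUTHKEYS: 0 when the public half of PRIVKEY (as printed
# by ssh-keygen -y) appears in AUTHKEYS, i.e. the key configured on OPNsense
# is the one installed on the HAProxy side; 2 if the private key is unreadable.
key_matches() {
    pub=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1" "$2}')
    [ -n "$pub" ] || return 2
    grep -qF -- "$pub" "$2"
}

# check_key_setup HOME USER: print one line per finding; the exit status is
# the number of problems found (0 means the layout looks right).
check_key_setup() {
    home="$1"; user="$2"; problems=0
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    if [ ! -d "$sshdir" ]; then echo "MISSING: $sshdir"; return 1; fi
    if [ ! -f "$ak" ]; then echo "MISSING: $ak"; return 1; fi
    for p in "$home" "$sshdir" "$ak"; do
        if ! perm_ok "$p"; then
            echo "PERM: $p is group- or world-writable"; problems=$((problems + 1))
        fi
        o=$(owner_of "$p")
        if [ "$o" != "$user" ] && [ "$o" != root ]; then
            echo "OWNER: $p is owned by $o, expected $user"; problems=$((problems + 1))
        fi
    done
    # at least one recognisable public key line (an options prefix is allowed)
    if ! grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+@openssh\.com) [A-Za-z0-9+/]+=*' "$ak"; then
        echo "EMPTY: $ak contains no public key line"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage on the HAProxy VM, with the account from the reply above:
#   check_key_setup /home/cert-bringer cert-bringer
#   login_shell_ok "$(getent passwd cert-bringer | cut -d: -f7)" || echo "non-login shell"
#   key_matches /path/to/opnsense_private_key /home/cert-bringer/.ssh/authorized_keys
```

Run it on the HAProxy VM as root (or as the account itself); a non-zero exit status with the printed findings maps directly onto the bullet list in the reply, and `key_matches` needs a copy of the OPNsense private key readable on the machine where you run it, so it is usually run from the OPNsense shell against a copied authorized_keys file instead.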