Messages - Sistally

#1
A couple of things come to mind.

First, the SSH authentication is happening from OPNsense to the HAProxy VM, so the user and authorized key need to exist on the HAProxy side. The error:

Permission denied (publickey)

usually means one of the following:

the public key isn't in the correct user's ~/.ssh/authorized_keys
wrong username is being used in the automation action
incorrect permissions on .ssh or authorized_keys
the private key configured in OPNsense doesn't match the public key on HAProxy
SSH is refusing the login because of the user's shell or account configuration

I'd start by testing manually from the OPNsense shell:

ssh cert-bringer@10.10.20.20

using the same key that the ACME automation is configured to use. If that doesn't work manually, ACME won't work either.

As for the OPNsense side: you generally do not need a local OPNsense user named cert-bringer just to push certificates. The ACME plugin runs locally on OPNsense and can use a configured SSH key to authenticate to a remote system.

On the HAProxy VM, a setup like this is common:

useradd -m cert-bringer
mkdir /home/cert-bringer/.ssh
chmod 700 /home/cert-bringer/.ssh

Then place the public key in:

/home/cert-bringer/.ssh/authorized_keys

and set:

chmod 600 authorized_keys
chown -R cert-bringer:cert-bringer /home/cert-bringer/.ssh

One other thing to check: if you've given the account a shell like /usr/sbin/nologin, OpenSSH may reject the session depending on how the automation executes commands. For troubleshooting, temporarily give it a normal shell (e.g. /bin/bash), verify key authentication works, then tighten things down afterward.

Could you post the exact ACME automation method you're using (Secure Copy, SSH command, HAProxy deploy script, etc.) and the full SSH error from the ACME log? That would make it much easier to pinpoint where the failure is occurring.
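A preflight script that walks through the HAProxy-side causes listed in the post above (missing or wrongly owned .ssh and authorized_keys, group/world-writable paths that sshd's StrictModes rejects, an empty key file, a nologin shell, and a private key that does not match any authorized entry). This is an added example, not code from the original post; it assumes a Linux host with GNU coreutils stat and, for the optional key-match step, OpenSSH's ssh-keygen, and the user/home/key arguments are placeholders.

```shell
#!/bin/sh
# Preflight check for key-based SSH login, run on the *accepting* host (the HAProxy VM).
# Added illustration, not from the original post. Assumes Linux with GNU coreutils
# `stat` and, for the optional key-match check, OpenSSH's ssh-keygen.
#
# Usage: check_ssh_target USER HOME [PRIVATE_KEY_COPY]
# Prints one finding per line and returns 1 if any finding was made, 0 otherwise.

# True when the last two octal mode digits (group, other) carry a write bit.
group_or_other_writable() {
    m=$(stat -c '%a' "$1"); m=${m#"${m%??}"}
    case "$m" in *[2367]*) return 0 ;; *) return 1 ;; esac
}

check_ssh_target() {
    user=$1 home=$2 privkey=${3:-} rc=0
    sshdir="$home/.ssh" ak="$home/.ssh/authorized_keys"

    for p in "$home" "$sshdir" "$ak"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        # sshd StrictModes refuses keys reachable through group/world-writable paths
        if group_or_other_writable "$p"; then echo "group/other writable: $p"; rc=1; fi
        if [ "$(stat -c '%U' "$p")" != "$user" ]; then echo "not owned by $user: $p"; rc=1; fi
    done

    # an authorized_keys file with no key lines is the same as no file at all
    if [ -f "$ak" ] && ! grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2|sk-)' "$ak"; then
        echo "no key entries in $ak"; rc=1
    fi

    # a login shell such as nologin/false lets sshd authenticate but not run commands
    shell=$(getent passwd "$user" 2>/dev/null | cut -d: -f7)
    case "$shell" in *nologin|*false) echo "login shell is $shell"; rc=1 ;; esac

    # optional: does the private key OPNsense uses match any line in authorized_keys?
    if [ -n "$privkey" ] && command -v ssh-keygen >/dev/null 2>&1; then
        blob=$(ssh-keygen -y -f "$privkey" | cut -d' ' -f2)
        grep -qF "$blob" "$ak" 2>/dev/null || { echo "private key does not match $ak"; rc=1; }
    fi
    return $rc
}
```

Run it as root on the HAProxy VM, e.g. `check_ssh_target cert-bringer /home/cert-bringer`, before retrying the ACME action; each finding maps to one of the causes above.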
#2
Hey Rockyuk,

Yeah, I've seen a few people mention similar issues after the update. It seems like something in the new version may have affected how the video streams are handled over certain network configurations, especially with mesh setups.

You could try a couple of things:

Clear your browser or app cache if you're viewing through a web interface or mobile app.

Check if the mesh system has any recent firmware updates — sometimes compatibility issues arise after system updates.

If possible, test direct connection (bypassing the mesh) to confirm whether it's definitely related to the network layer.

If none of that helps, it might be worth rolling back temporarily or reporting the bug on the project's issue tracker so the devs can address it in the next patch.
#3
Quote from: Baender on August 01, 2024, 08:22:29 AM

Personally, I like the ability to get in touch with others on a topic and get help quickly. As a Discord user, however, this relates more to the areas of operating systems, gaming and AI. When it comes to network technology or IT security topics, I see it differently. Discord has a fast pace that is due to the generations that follow me. Everything always has to happen quickly. Reading half a DIN A4 page is already too long for them. In some cases, because their concentration is already diminished. It should be clear that OPNsense and other topics are not easy, even if you can find a lot of help on the Internet. It's not something that can be dealt with quickly via a yes/no chat.

I would therefore be particularly interested to know why there needs to be a Discord. In your experience, what are the questions that are increasingly asked there? Which can apparently be answered there in chat? I would like to include them here in the forum. In case it turns out that they are recurring questions and are not yet dealt with here. In this respect, you could take up the need from there here. I don't want to go into threads in Discord, because we already have the forum character here. So it shouldn't be too difficult for someone from Discord who opens a thread there to open one here.
You raise some valid points, especially regarding the depth and complexity of topics like OPNsense, networking, and IT security. These areas often require structured, detailed discussion — something that forums like this are much better suited for than fast-paced chat environments.

That said, I think Discord serves a different, more immediate purpose. From my experience, the types of questions asked there tend to fall into a few categories:

Quick clarifications (e.g., "Where's the option to enable XYZ in the GUI?")

Troubleshooting real-time issues ("Why isn't my firewall rule taking effect?")

Basic getting-started help for new users who might be intimidated by the documentation

Sharing updates or community tools/plugins that don't yet warrant a full forum post

While Discord isn't ideal for long-term knowledge retention, it does offer a low-friction way for newcomers to engage — and sometimes that quick answer in real time can make a big difference in whether someone sticks with a project or gives up.

I fully agree that if there are recurring questions or knowledge gaps showing up in Discord, they should absolutely be reflected here in the forum too. Maybe even a dedicated thread that regularly summarizes "frequently asked in Discord" topics could bridge that gap and help strengthen both communities.

Thanks for opening this discussion — I think both spaces have their place, but with a bit of coordination, they can complement each other much better.