OPNsense VM to manage ACME/LE/ZeroSSL certs with a separate HAProxy VM

Started by bernieo, November 22, 2025, 02:21:21 AM

Hi
I'm trying to set up OPNsense to request and manage renewals of SSL certs. The server should work together with a separate HAProxy server, which should handle the receipt of cert uploads for client machines.
My problem is I can't seem to get certificate (.PEM) files to upload successfully from OPNsense using remote SFTP/SSH.

Using a small script:

mkdir -p /root/testcert
cd /root/testcert

# Self-signed test cert (doesn't matter what it is)
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout test.key \
  -out test.crt \
  -subj "/CN=mydomain.com" \
  -days 1

cat test.crt test.key > test.pem

Now push it to HAProxy:

# The quoted string at the end is what ssh runs on the remote side as the command
cat /root/testcert/test.pem | \
  ssh -i /var/etc/acme-client/sftp-config/id.ed25519 \
      -p 22 \
      acme-certpusher@192.168.99.252 \
      "mydomain.com"

The 2 errors I keep getting are:

1. bash: line 1: mydomain.com: command not found

2. It seems OPNsense ACME automation (type "SSH remote command") does not pipe any certificate data so I end up with:

Nov 21 12:54:36 mydomain acme-certpush[142212]: Fri Nov 21 12:54:36 GMT 2025 Starting certpush for domain/command: mydomain.com
Nov 21 12:54:36 mydomain acme-certpush[142220]: PEM missing certificate block

The indication is that I'm not getting the fullchain.pem, which is supposed to end up in /etc/haproxy/certs/domainx/.
On checking OPNsense, I can see the fullchain.cer, the mydomain.com.cer, .csr & .key, sitting in /var/etc/acme-client/cert-home/12345678901112.84768251/mydomain.com

Can anyone tell me if this plan, of running separate HAProxy instead of HAProxy running on OPNsense, will work?
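An added example, not the poster's certpush script and not part of OPNsense or HAProxy: a receiver for the HAProxy host that takes the domain as an argument and reads the PEM bundle from stdin, so `cat fullchain.pem | ssh ... acme-certpusher@haproxy certpush mydomain.com` installs it, and that can also be pinned as a forced `command=` in authorized_keys, in which case the domain arrives in `SSH_ORIGINAL_COMMAND` instead of being executed as the remote command (which is what produces the "mydomain.com: command not found" above). It assumes the `/etc/haproxy/certs/<domain>/fullchain.pem` layout from the post and the script path `/usr/local/bin/certpush`; when nothing is piped in (the second error above), it refuses the empty bundle instead of overwriting the live certificate.

```shell
#!/bin/sh
# certpush: receive a PEM bundle on stdin and install it for one domain (added example).
# Invoke as:  cat fullchain.pem | ssh -i id.ed25519 acme-certpusher@haproxy certpush mydomain.com
# or pin it in ~acme-certpusher/.ssh/authorized_keys so this key can do nothing else:
#   command="/usr/local/bin/certpush",restrict ssh-ed25519 AAAA... acme@opnsense
set -eu

CERT_ROOT="${CERT_ROOT:-/etc/haproxy/certs}"   # layout from the post: <root>/<domain>/fullchain.pem

# Accept only a plain hostname: no path separators, no leading dot, no "..".
valid_domain() {
    case "$1" in
        ''|*/*|.*|*..*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# A usable HAProxy bundle carries at least one certificate and one private key block.
pem_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Install the PEM in $2 for domain $1; refuse bad input without touching the live file.
install_pem() {
    domain="$1"; src="$2"
    valid_domain "$domain" || { echo "certpush: bad domain '$domain'" >&2; return 2; }
    pem_complete "$src" || { echo "certpush: PEM missing certificate or key block" >&2; return 3; }
    dest="$CERT_ROOT/$domain"
    mkdir -p "$dest"
    umask 077                                   # the bundle holds the private key
    cp "$src" "$dest/fullchain.pem.new"
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"   # atomic swap on the same filesystem
}

main() {
    domain="${SSH_ORIGINAL_COMMAND:-${1:-}}"
    domain="${domain##* }"                      # last word: "certpush mydomain.com" -> mydomain.com
    tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"                                # the PEM must come in on stdin
    install_pem "$domain" "$tmp"
    echo "certpush: installed $CERT_ROOT/$domain/fullchain.pem"
}

# Only act when a domain was supplied; sourcing the file just defines the functions.
if [ $# -gt 0 ] || [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main "$@"
fi
```

HAProxy still has to be reloaded after the swap (for example from the same script, once the file is in place) before it serves the new certificate.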