ACME-Automation Copy Certificate to Host via SFTP - Howto?

Started by PotatoCarl, October 14, 2021, 08:47:19 AM

Hi
I could get the acme plugin up and running (this is BTW exactly what I was trying to accomplish for some time, but misunderstood the intention of the plugin...). HOWEVER, I try to automatize sending the certificate via SFTP to the host.

There is no password or key to be entered in the automation fields, only a user name. When I try it, I get "host does not allow access with this user name" (well, it needs a certificate or a password, DUH!).
Am I misunderstanding how that works? How can I get the certificate transferred automatically? Do I have to set up the host in a special way?
Thanks.

The ACME plugin sftp automation only permits certificate-based login, not password-based. So you need to set up an ssh certificate login at your target box (guides are available via google).

Attention: The ssh certificate/key you need is not the general OPNsense ssh one, but the specific one for the ACME plugin, found at /var/etc/acme-client/sftp-config/id.rsa.pub (thanks to https://forum.opnsense.org/index.php?topic=20437.0!).
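The answer above says to set up key-based login on the target box with the plugin's own public key, but not what that looks like on the receiving side. The following is an added example, not code from the thread or from the OPNsense/ACME plugin itself: it installs a public key line into a user's authorized_keys idempotently and with the modes OpenSSH requires (sshd silently rejects keys in a world-readable file or directory, which shows up as exactly the "does not allow access" style failure). It assumes the target host runs OpenSSH and reads `~/.ssh/authorized_keys`; the key text embedded here is a constructed placeholder so the script runs offline, and the only real path is the OPNsense location quoted in the post.

```shell
#!/bin/sh
# Added example (not from the forum thread or the OPNsense project):
# install the ACME plugin's SFTP public key into the receiving user's
# authorized_keys, idempotently and with the permissions sshd insists on.
# Assumptions: OpenSSH on the target host, default authorized_keys location.

# Location of the plugin-specific public key on the OPNsense box (from the thread).
ACME_PUBKEY_DEFAULT=/var/etc/acme-client/sftp-config/id.rsa.pub

# Constructed stand-in for that file's contents; NOT a real key, only here so
# the example can run without an OPNsense box.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-sample-key acme-client@opnsense'

# install_pubkey KEYLINE AUTHKEYS_FILE
# Creates the .ssh directory (700) and the file (600) if missing, then appends
# KEYLINE only when an identical line is not already present.
install_pubkey() {
    keyline=$1
    authkeys=$2
    sshdir=$(dirname "$authkeys")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # -x: whole-line match, -F: literal (the key is full of regex metacharacters)
    if ! grep -qxF "$keyline" "$authkeys"; then
        printf '%s\n' "$keyline" >> "$authkeys"
    fi
}

# key_count AUTHKEYS_FILE -> number of active key lines (blank/comment lines ignored)
key_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# perms_ok AUTHKEYS_FILE -> 0 when the file is 600 and its directory is 700,
# the combination sshd's StrictModes check accepts. Uses ls so it works on
# both GNU and BSD userlands (stat flags differ between them).
perms_ok() {
    authkeys=$1
    [ "$(ls -ld "$authkeys" | cut -c2-10)" = "rw-------" ] &&
    [ "$(ls -ld "$(dirname "$authkeys")" | cut -c2-10)" = "rwx------" ]
}

# Usage on the target host, logged in as the SFTP user, after copying
# $ACME_PUBKEY_DEFAULT over from the firewall:
#   install_pubkey "$(cat id.rsa.pub)" "$HOME/.ssh/authorized_keys"
#   perms_ok "$HOME/.ssh/authorized_keys" && echo "modes ok"
```

Running it twice leaves a single key line, so it is safe to put in a provisioning script. If sshd still refuses the login after this, check the home directory itself is not group/world-writable, which `StrictModes` also rejects.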

Okay (actually a LINK on the  help page would be EXTREMELY helpful), I have to login to the command line and use the public key, correct?

I prefer to stay in one context, e.g. in the webinterface (I like the webinterface...)

Thank you.

I just tried it, works perfectly, thanks a bunch!

Unrelated, or half-related: It is the "fullchain" and the "CA" exported. I am trying to set up a reverse proxy with NGINX with Rocket.Chat. With any browser it works, but the Android app says "trust anchor not found". Is that an Android problem or do I need to "display" the fullchain.pem somehow, as I cannot find the right option to get this file "displayed"?

Just guessing: old Android version? Then it likely doesn't know the new Let's Encrypt root certificate.

Well Android 8.1.1 is not exactly old, but yes, it is not 11. However, with Android 11 it does not work either.
Finally, I found the problem and instead of using the "cert" file, I use "fullchain.pem" and then it works well with rocket.chat app.
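The fix in the last post, serving fullchain.pem rather than the bare cert file, works because a browser will go and fetch a missing intermediate on its own while a mobile app's TLS stack generally will not, so a server that sends only the leaf leaves the app unable to reach a trust anchor. The script below is an added example, not part of the thread or of Rocket.Chat/NGINX: it tells a leaf-only file from a full chain by counting certificate blocks and, on real files, walks the chain to confirm each certificate's issuer is the subject of the next. The file names are assumptions and the PEM text it writes for the offline demo is constructed (placeholder bodies, not real DER), so only the counting and splitting run on it; the `chain_links` check needs `openssl` and real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): distinguish a leaf-only "cert" file
# from a "fullchain" file and verify the chain links, which is the difference
# behind the Android "trust anchor not found" error discussed above.
# Assumptions: file names cert.pem / fullchain.pem; openssl present for chain_links.

# pem_cert_count FILE -> number of CERTIFICATE blocks in FILE (1 = leaf only)
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_nth FILE N -> prints the N-th certificate block (1-based), including its
# BEGIN/END lines, so it can be piped straight into openssl.
pem_nth() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# chain_links FILE -> 0 when the file holds at least two certificates and each
# one's issuer equals the next one's subject (leaf first, the fullchain.pem
# layout). Requires openssl and real certificates.
chain_links() {
    f=$1
    n=$(pem_cert_count "$f")
    [ "$n" -ge 2 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth "$f" "$i" | openssl x509 -noout -issuer) || return 1
        subject=$(pem_nth "$f" $((i + 1)) | openssl x509 -noout -subject) || return 1
        # strip the "issuer=" / "subject=" labels; the rest is formatted identically
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# pem_block BODY -> one constructed certificate block with a placeholder body
pem_block() {
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"
}

# write_samples DIR: constructed demo files, NOT real certificates.
write_samples() {
    dir=$1
    pem_block MIIconstructedLeaf > "$dir/cert.pem"
    {
        pem_block MIIconstructedLeaf
        pem_block MIIconstructedIntermediate
        pem_block MIIconstructedRoot
    } > "$dir/fullchain.pem"
}

# Usage on a real export: a count of 1 means the file will trigger the app
# error, a count >= 2 that also passes chain_links is what the server should send.
#   pem_cert_count /path/to/fullchain.pem
#   chain_links /path/to/fullchain.pem && echo "chain links cleanly"
```

In the NGINX case this means pointing `ssl_certificate` at the fullchain file; the separate "CA" export is the issuer chain without the leaf and is not what the server should present on its own.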