Unable to get OPNsense Acme Cert upload to separate HAProxy using SSH Automation

Started by bernieo, November 18, 2025, 04:52:57 PM

Hi

It seems OPNsense 25x has changed many things.
I have a setup where OPNsense is a VM and HAProxy is also a VM.  I want OPNsense (on 10.10.20.10) to handle certificate requests via Cloudflare DNS-01 and then upload the certificate obtained to HAProxy on 10.10.20.20 using OPNsense ACME client's Automation workflow.
I would like to assign a user on OPNsense (with nologin if possible), say cert-bringer, who authenticates with its SSH key.

When I set this up by giving HAProxy cert-bringer's public key, I keep getting errors like this: Permission denied (publickey).

Do I need to create an OPNsense user for this to work?
If so, what access rights do I give that user?

If not, then how can I achieve this goal?

bernie

Quote: When I set this up by giving HAProxy cert-bringer's public key, I keep getting errors like this: Permission denied (publickey).
This sounds like the OPNsense side is set up so far and the error is given to the cert-bringer user by the remote host, the HAProxy one.
So you need to configure sshd on that side.

A couple of things come to mind.

First, the SSH authentication is happening from OPNsense to the HAProxy VM, so the user and authorized key need to exist on the HAProxy side. The error:

Permission denied (publickey)

usually means one of the following:

- the public key isn't in the correct user's ~/.ssh/authorized_keys
- wrong username is being used in the automation action
- incorrect permissions on .ssh or authorized_keys
- the private key configured in OPNsense doesn't match the public key on HAProxy
- SSH is refusing the login because of the user's shell or account configuration

I'd start by testing manually from the OPNsense shell:

ssh cert-bringer@10.10.20.20
using the same key that the ACME automation is configured to use. If that doesn't work manually, ACME won't work either.

As for the OPNsense side: you generally do not need a local OPNsense user named cert-bringer just to push certificates. The ACME plugin runs locally on OPNsense and can use a configured SSH key to authenticate to a remote system.

On the HAProxy VM, a setup like this is common:

useradd -m cert-bringer
mkdir /home/cert-bringer/.ssh
chmod 700 /home/cert-bringer/.ssh

Then place the public key in:

/home/cert-bringer/.ssh/authorized_keys
and set:

chmod 600 authorized_keys
chown -R cert-bringer:cert-bringer /home/cert-bringer/.ssh

One other thing to check: if you've given the account a shell like /usr/sbin/nologin, OpenSSH may reject the session depending on how the automation executes commands. For troubleshooting, temporarily give it a normal shell (e.g. /bin/bash), verify key authentication works, then tighten things down afterward.

Could you post the exact ACME automation method you're using (Secure Copy, SSH command, HAProxy deploy script, etc.) and the full SSH error from the ACME log? That would make it much easier to pinpoint where the failure is occurring.
Business owner and tech enthusiast. Interested in automation, software integrations, and workflow optimization. Regularly exploring solutions like integrate hris to streamline business processes and reduce manual work.
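The account and key layout described in the reply above, as an added helper script (not from the thread, OPNsense or HAProxy): it installs the public key idempotently with the modes sshd expects and then audits the home directory, .ssh directory and authorized_keys for the ownership and permission problems that make OpenSSH silently ignore the key and answer "Permission denied (publickey)". The home path, user name and key line in the usage comment are assumptions.

```shell
#!/bin/sh
# Added helper (not from the thread): set up and audit a deploy-only account's
# ~/.ssh so that sshd (StrictModes yes) will actually accept the key.
set -eu

# install_key HOME PUBKEY_LINE
# Creates HOME/.ssh and HOME/.ssh/authorized_keys with modes 700/600 and
# appends the key only if it is not already present, so re-runs are safe.
install_key() {
  home="$1"; pubkey="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  if ! grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
  fi
  chmod 600 "$home/.ssh/authorized_keys"
}

# check_key_perms HOME USER
# Prints every problem found and returns non-zero if any exists. These are the
# checks sshd performs before it will honour an authorized_keys file.
check_key_perms() {
  home="$1"; user="$2"; rc=0
  dir="$home/.ssh"; keys="$dir/authorized_keys"
  [ -d "$dir" ]  || { echo "missing $dir"; return 1; }
  [ -s "$keys" ] || { echo "missing or empty $keys"; return 1; }
  for p in "$home" "$dir" "$keys"; do
    # sshd ignores the key if home, .ssh or the file is group/world-writable
    if [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
      echo "$p is group- or world-writable"; rc=1
    fi
    # ... or if any of them is owned by someone other than the login user
    if [ -z "$(find "$p" -maxdepth 0 -user "$user")" ]; then
      echo "$p is not owned by $user"; rc=1
    fi
  done
  # a common mistake is pasting the private key into authorized_keys
  if grep -q 'PRIVATE KEY' "$keys"; then
    echo "$keys contains private key material instead of a public key"; rc=1
  fi
  return $rc
}

# Usage on the HAProxy VM, as root (key line is a constructed placeholder):
#   useradd -m cert-bringer
#   install_key /home/cert-bringer "ssh-ed25519 AAAA...placeholder cert-bringer@opnsense"
#   chown -R cert-bringer:cert-bringer /home/cert-bringer/.ssh
#   check_key_perms /home/cert-bringer cert-bringer && echo "key layout OK"
```

Run check_key_perms before testing `ssh cert-bringer@10.10.20.20` from the OPNsense shell; if it reports nothing, the remaining suspects are the username or private key configured in the automation action, or the account's shell, as the reply lists.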

It's also worth checking that the relevant known_hosts file (/var/etc/acme-client/sftp-config/known_hosts) is correct. IIRC this is done for you the first time you test the ssh upload automation via the OPNsense web UI. If something subsequently changed on the remote side, you may need to delete the entry (in that file) and retest via the GUI or manually run ssh.