JulianRunnels / Vaultwarden_Self_Host

Automatically set up and host a Vaultwarden (unofficial Bitwarden) instance on a Raspberry Pi or other Linux server

bitwarden.ext #3

Closed mg64ve closed 3 years ago

mg64ve commented 3 years ago

Thanks for sharing your work. Just a question: what is the following section in data/ssl/bitwarden.ext?

[alt_names]
DNS.1 = bitwarden.local
DNS.2 = www.bitwarden.local

Do I need to change these DNS names?

JulianRunnels commented 3 years ago

Hi, yes, you will need to adjust those names to match the FQDN of the instance you would like to stand up. The SSL script I created, create_ssl.sh, does this automatically, but you can adjust the values manually if you would like. Specifically, that file is used later in the script to output the .crt file that will be used to add custom SSL encryption.

openssl x509 -req -in bitwarden.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out bitwarden.crt -days 365 -sha256 -extfile ./data/ssl/bitwarden.ext

If you have your own method of generating .crt files to load in, then you do not need to adjust the values shown here.

mg64ve commented 3 years ago

Thanks @JulianRunnels, I see. I am now having a new issue. From Android I can connect to my self-hosted Bitwarden server with the browser, but I can't with the Android app. It says it can't find the certificate, but I have installed it. Are you aware of this issue?

JulianRunnels commented 3 years ago

It looks like Android may have updated its CA installation process. You need to make sure you install the certificate authority file, myCA.crt, not the Bitwarden.crt file.

Follow the steps outlined here: https://httptoolkit.tech/blog/android-11-trust-ca-certificates/

In Android 11, to install a CA certificate, users need to manually:

- Open settings
- Go to 'Security'
- Go to 'Encryption & Credentials'
- Go to 'Install from storage'
- Select 'CA Certificate' from the list of types available
- Accept a large scary warning
- Browse to the certificate file on the device and open it
- Confirm the certificate install

mg64ve commented 3 years ago

Thanks @JulianRunnels for your reply. I have Android 10 and myCA.crt is installed with the procedure you described. Unfortunately when I am trying to login I am getting a java.security.cert.CertPathValidatorException error: Trust anchor for certification path not found.

Any idea what could cause that?

JulianRunnels commented 3 years ago

Sounds like perhaps you did not put the correct hostname in the common name/SAN part for the cert creation. Would recommend reading through this guide for SSL cert creation: https://jamielinux.com/docs/openssl-certificate-authority/index.html

JulianRunnels commented 3 years ago

@mg64ve I have merged in some updates to the SSL creation based on issues I found with iOS 14 cert not working anymore. This might fix your issue? I would recommend pulling the latest version and rebuilding the certs.
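
An added example, not part of the thread and not the repository's create_ssl.sh: it builds a throwaway CA and a leaf signed with the same `openssl x509 -req ... -extfile` form quoted above, then runs the chain and host name checks that separate the two failure causes discussed (wrong trust anchor versus a SAN that does not match the FQDN). The host name `vault.example.test`, the `ca.cnf` and `bitwarden.key` files, and every extension value other than the `[alt_names]` layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: throwaway CA and leaf, then the chain + name checks a client makes.
# File names follow the thread; host name, bitwarden.key and extension values are constructed.

make_ca() {  # $1 = work dir
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1 \
    -config "$1/ca.cnf" -keyout "$1/myCA.key" -out "$1/myCA.crt" 2>/dev/null
}

issue_leaf() {  # $1 = work dir, $2 = FQDN clients will type
  cat > "$1/bitwarden.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $2
DNS.2 = www.$2
EOF
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" -config "$1/ca.cnf" \
    -keyout "$1/bitwarden.key" -out "$1/bitwarden.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/bitwarden.csr" -CA "$1/myCA.crt" -CAkey "$1/myCA.key" \
    -CAcreateserial -out "$1/bitwarden.crt" -days 1 -sha256 \
    -extfile "$1/bitwarden.ext" 2>/dev/null
}

# Exit 0 only if bitwarden.crt chains to the anchor AND a SAN matches the name.
check_leaf() {  # $1 = work dir, $2 = trust anchor file, $3 = name
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1/bitwarden.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && make_ca "$d" && issue_leaf "$d" vault.example.test
for n in vault.example.test bitwarden.local; do
  check_leaf "$d" "$d/myCA.crt" "$n" && echo "$n: ok" || echo "$n: rejected"
done
check_leaf "$d" "$d/bitwarden.crt" vault.example.test || echo "leaf as anchor: rejected"
```

Running `check_leaf` against the real myCA.crt and bitwarden.crt with the FQDN the app is configured for shows which of the two conditions is failing before anything is installed on a device.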