JulianRunnels / Vaultwarden_Self_Host

Automatically set up and host a Vaultwarden (unofficial Bitwarden) instance on a Raspberry Pi or other Linux server

Chrome on Windows is calling my cert invalid #5

Closed svandoe closed 3 years ago

svandoe commented 3 years ago

I succeeded in following your method to get bitwarden up and running all the containers are running successfully but when I open my local bitwarden it is not accepting my cert. Any ideas what might be wrong?

JulianRunnels commented 3 years ago

Did you save the created myCA.crt file in your Trusted Root Certificates in Windows?

svandoe commented 3 years ago

I didn't manually transfer the myCA.crt file, but when I opened Bitwarden with HTTPS it allowed me to click on the warning, and it looked like my cert was there under the common name I gave it during setup, so I did not try anything further. After reviewing the ssl directory, that name is not anywhere to be found. I also found the topic of private keys on the Bitwardenrs GitHub that mentioned that for Chrome to work properly the domain name is required in the alternate name field. I have tried both the IP address as well as bitwarden.local (saw this in one of the config files).

JulianRunnels commented 3 years ago

Ah okay, so here is how SSL certificates work: when you created the custom certificate for your instance, it was created under the custom Certificate Authority (CA) that you created. Normally your computer already trusts most CAs (LetsEncrypt, Sectigo, etc.), but for this project you are basically acting as your own root CA. So in order for your browser to trust the certificate, you need to load the Root CA you created into the Windows Trusted Root Store. Please download the myCA.crt file to your Windows machine and follow the steps here: https://windowsreport.com/install-windows-10-root-certificates/ to install it.

svandoe commented 3 years ago

Thanks for the input. Cert installed ok but I can access bitwarden on http but still not on HTTPS. I also adjusted the docker-compose file where you had Expose:

JulianRunnels commented 3 years ago

Yes, that would probably cause some issues. The expose 80 doesn't actually run anything on your host machine on port 80; it just tells that container to have port 80 open on the container itself. The reason for that is that the nginx reverse proxy needs to send packets to the Bitwarden container. If you have something else on port 80, that is fine; you can just remove the Nginx container listening on port 80 and have it run HTTPS on 443 only.

Under the Bitwarden container, return the expose back to "80", then remove the 80:80 from the Nginx ports section. This will mean that your container should only be accessible via port 443 (i.e. HTTPS).

To help troubleshoot, please post your full docker-compose.yml file, as well as the output from docker-compose up -d, or whatever command was used to start up the containers. Also please note that this repo was designed for Linux only, so the Docker Compose file has Linux file paths. You will need to adjust them to work on Windows, which may be causing the issue.
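The expose-versus-ports distinction above, as an added example (not the repository's own docker-compose.yml): the image name follows the thread, while the nginx image, the volume paths and the config file name are assumptions. `expose` only opens the port on the compose network for the reverse proxy; the `ports` mapping is the line that actually binds a host port, so dropping `80:80` leaves HTTPS on 443 as the only host-facing entry point.

```yaml
# Added example, not the repo's own compose file. Image name as in the thread;
# nginx image, volume paths and config file name are assumptions.
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server:latest   # swap tag to "raspberry" on a Raspberry Pi
    expose:
      - "80"              # reachable only by other containers (nginx); nothing binds host:80
    volumes:
      - ./bw-data:/data   # assumed data path

  nginx:
    image: nginx:alpine   # assumed
    ports:
      - "443:443"         # the only host-facing port: HTTPS only
      # - "80:80"         # removed: this mapping is what would bind host port 80
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro  # assumed proxy config
      - ./ssl:/etc/nginx/ssl:ro                                  # server cert/key signed by myCA
    depends_on:
      - bitwarden
```

After changing the file, `docker-compose up -d` recreates only the containers whose definition changed; `docker-compose ps` then shows `0.0.0.0:443->443/tcp` on nginx and no host mapping on the bitwarden service, which is the expected result.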

svandoe commented 3 years ago

This is the latest docker-compose file that I have been trying. I did use yours unchanged once and everything seemed to work, but I didn't have the cert installed then. I am on a Raspberry Pi 3, which is ARM7. I don't think that has been causing problems. I just went back to expose: "80" and here is the docker-compose up output for that version. The .yml file below is prior to that.

```
bitwarden_self_host_nginx_1 is up-to-date
Recreating bitwarden_self_host_bitwarden_1 ... done
Recreating bw_backup ... done
```

```yaml
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server:latest #swap tag to raspberry to run on a raspberry pi
    ports:
```

svandoe commented 3 years ago

I deleted everything and tried again. Here's the docker-compose.yml file. Still can't get my cert to work. Containers are all running with only this message on nginx that does not feel very critical:

```
192.168.0.20 - - [22/Feb/2021:02:51:56 +0000] "GET /fonts/Open_Sans-normal-600.woff HTTP/1.1" 200 57632 "https://192.168.0.23/app/main.c9c57acc9b845fdb9052.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
```

192.168.0.20 is the IP address of my Windows machine that I'm using to SSH into the Pi.

```yaml
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server:latest #swap tag to raspberry to run on a raspberry pi
    expose:
```

JulianRunnels commented 3 years ago

Unfortunately I am not really able to help with cert issues. I have just pushed another change that might help resolve issues with Chrome in issue #8. Recreation of the cert may fix the issue now.

If that doesn't work, I would suggest reading through this article and potentially creating your own custom certs: https://github.com/dani-garcia/bitwarden_rs/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome.

Otherwise, if you would like to set up certificates with LetsEncrypt, there is an article that would let you do that, which would mean the cert would work on any device: https://github.com/dani-garcia/bitwarden_rs/wiki/Running-a-private-bitwarden_rs-instance-with-Let%27s-Encrypt-certs
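The private-CA flow discussed in this thread (the root CA explanation above, the subjectAltName requirement svandoe found, and the linked wiki article), as an added example that is not part of the repository's scripts: it creates a root CA, issues a server certificate whose subjectAltName carries both the DNS name and the IP, and checks the result the way a browser would, by chaining to the CA and looking for the requested name in the SAN rather than the Common Name. The file names myCA.crt/myCA.key follow the thread; bitwarden.local, 192.168.0.23, the output directory and the server.* file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repo's own script. Requires openssl. Output file names
# myCA.* follow the thread; the host name, IP and directory are assumptions.
set -eu

# Create a private root CA (myCA.key stays on the Pi; myCA.crt is what gets
# imported into the Windows Trusted Root Store).
make_ca() {  # $1 = output directory
  local dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Private Vaultwarden CA (example)" \
    -keyout "$dir/myCA.key" -out "$dir/myCA.crt" 2>/dev/null
}

# Issue a server certificate signed by the CA. The SAN extension is the part
# Chrome actually checks; a CN alone is ignored.
make_server_cert() {  # $1 = directory, $2 = DNS name, $3 = IP address
  local dir=$1 dns=$2 ip=$3
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $dns
[v3_req]
subjectAltName = DNS:$dns,IP:$ip
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/san.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -sha256 -in "$dir/server.csr" \
    -CA "$dir/myCA.crt" -CAkey "$dir/myCA.key" -CAcreateserial \
    -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if server.crt chains to myCA.crt AND its SAN lists both the
# DNS name and the IP that the browser will connect to.
verify_cert() {  # $1 = directory, $2 = DNS name, $3 = IP address
  local dir=$1 dns=$2 ip=$3 san
  openssl verify -CAfile "$dir/myCA.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$san" in *"DNS:$dns"*) ;; *) return 1 ;; esac
  case "$san" in *"IP Address:$ip"*) return 0 ;; *) return 1 ;; esac
}

# Usage: ./make_certs.sh ./ssl   (functions only are defined when no argument is given)
if [ $# -gt 0 ]; then
  out=$1
  make_ca "$out"
  make_server_cert "$out" bitwarden.local 192.168.0.23
  verify_cert "$out" bitwarden.local 192.168.0.23 \
    && echo "server.crt in $out chains to myCA.crt and names bitwarden.local / 192.168.0.23"
fi
```

The check in `verify_cert` is deliberately stricter than `openssl verify -verify_hostname`, which falls back to the Common Name when no DNS SAN is present; matching on the SAN text is the condition Chrome applies, so a certificate that passes here will not trigger the "invalid" warning once myCA.crt is in the Trusted Root Store and the browser is pointed at one of the listed names.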