bitwarden / self-host

Bitwarden's self-hosted release repository
GNU General Public License v3.0

Using certbot with DNS challenge #221

Closed Shayne-H closed 4 months ago

Shayne-H commented 4 months ago

I'm trying to set up a self-hosted version of Bitwarden using DNS challenge rather than the default HTTP.

The easiest route would be to invoke certbot and use the default directory /etc/letsencrypt/live/my.domain, then edit config.yml to point to custom certs in there.

Second to that would be still using certbot to create certs in that same directory, but then symlinking them to /opt/bitwarden/bwdata/ssl/my.domain and pointing config.yml to that.

I'm assuming that this is going to cause issues, because if I understand run.sh correctly, it's simply looking to see if the directory exists, then invokes certbot for an HTTP challenge, which would have issues.

function updateLetsEncrypt() {
    # Only the existence of the live/ directory is tested; config.yml is not consulted.
    if [ -d "${OUTPUT_DIR}/letsencrypt/live" ]
    then
        docker pull certbot/certbot
        # Binds 80 and 443 on the host for the HTTP challenge.
        docker run -i --rm --name certbot -p 443:443 -p 80:80 \
            -v "$OUTPUT_DIR/letsencrypt:/etc/letsencrypt/" certbot/certbot \
            renew --logs-dir /etc/letsencrypt/logs
    fi
}

I'm not sure how to best proceed:

  1. I could use a post-hook with certbot to copy the certs to a different directory, but they still exist in .../letsencrypt/live and would get hit during bitwarden updates.
  2. I could use a post-hook to move the certs, but that could cause issues with certbot for future renewals.
  3. I could alter run.sh, but then it's just going to get updated and I don't want to have to do that every time.

Please let me know if there's an easy option that I'm missing, or what would be suggested to do this.

As for a suggestion, it would be nice to change the check in the function updateLetsEncrypt() and function forceUpdateLetsEncrypt() to reference config.yml for custom SSL certificates rather than using -d. I'm guessing there's a large enough base of folks who don't want to expose Bitwarden to the WAN for certificate renewal to make such a change worth considering.
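The config-driven check proposed in the last paragraph, written out as an added example; this is neither Bitwarden's run.sh nor the poster's code. It assumes config.yml exposes the setting as a `ssl_managed_lets_encrypt: true|false` key, that OUTPUT_DIR is the bwdata directory, and it reuses the docker invocation quoted from run.sh above unchanged; `makeFixture` writes a constructed config.yml so the guard can be checked without a real deployment.

```shell
#!/bin/sh
# Added example, not Bitwarden's run.sh: gate the HTTP-challenge renewal on
# config.yml instead of on "does letsencrypt/live exist".
# Assumption: config.yml carries "ssl_managed_lets_encrypt: true|false".

# Returns 0 when config.yml says Bitwarden manages the cert via certbot's
# HTTP challenge, 1 for custom certs (e.g. issued through a DNS challenge)
# or when config.yml is missing.
managedLetsEncrypt() {
    config="$1/config.yml"
    [ -f "$config" ] || return 1
    # First value of the key, with trailing comments/whitespace dropped (POSIX sed).
    value=$(sed -n 's/^[[:space:]]*ssl_managed_lets_encrypt:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$config" | head -n 1)
    [ "$value" = "true" ]
}

# The replacement for the bare -d test: the live/ directory must exist AND
# config.yml must declare the cert as Let's Encrypt-managed.
shouldRenewLetsEncrypt() {
    [ -d "$1/letsencrypt/live" ] && managedLetsEncrypt "$1"
}

updateLetsEncrypt() {
    OUTPUT_DIR="$1"
    if shouldRenewLetsEncrypt "$OUTPUT_DIR"; then
        docker pull certbot/certbot
        # Unchanged from the run.sh excerpt: binds 80/443 for the HTTP challenge.
        docker run -i --rm --name certbot -p 443:443 -p 80:80 \
            -v "$OUTPUT_DIR/letsencrypt:/etc/letsencrypt/" certbot/certbot \
            renew --logs-dir /etc/letsencrypt/logs
    else
        echo "config.yml does not declare a Let's Encrypt-managed cert; skipping HTTP-challenge renewal" >&2
    fi
}

# Constructed fixture for a self-check: a bwdata-like tree whose config.yml
# sets ssl_managed_lets_encrypt to the given value. Prints the directory.
makeFixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/letsencrypt/live/example.test"
    printf 'ssl: true\nssl_managed_lets_encrypt: %s   # written by makeFixture\n' "$1" > "$dir/config.yml"
    echo "$dir"
}
```

With this guard in place, a deployment whose config.yml points at DNS-challenge certificates never has an update start certbot on ports 80 and 443, which is the exposure the post is trying to avoid; the live/ directory can stay wherever certbot put it.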

sso-bitwarden commented 4 months ago

I would consider this as a feature request since it's not a bug/issue.

Looking at your solution, the best option for now should be #2. You will need to do a --pre-hook to copy the cert back to the proper directory before doing renewal.

Your issue appears to be describing the intended behavior of the software. If you want this to be changed, it would be a feature request.

We use GitHub issues as a place to track bugs and other development-related issues. The Bitwarden Community Forums has a Feature Requests section for submitting, voting for, and discussing requests like this one: https://community.bitwarden.com/c/feature-requests/

Please sign up on our forums (https://community.bitwarden.com/signup) and search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.

This issue will now be closed.

Thanks!
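The workaround the reply recommends (option 2, with the certificates put back before renewal), as an added example that is not Bitwarden's or certbot's code. It sequences the restore and the move-aside around the `certbot renew` call itself rather than through certbot's `--pre-hook`/`--post-hook` flags, so the lineage is already back in place when certbot reads its renewal configuration. Assumed, not taken from the issue: a certbot lineage under `$le_dir/live/$domain` with certbot's usual relative symlinks into `archive/`, a `bw_ssl_dir` equal to the directory the custom-cert paths in config.yml point at, and that this wrapper is what cron runs for renewal; the `live.dns` name is arbitrary.

```shell
#!/bin/sh
# Added example, not Bitwarden's or certbot's code: renewal wrapper that keeps
# DNS-challenge certs out of letsencrypt/live between renewals so run.sh's
# "-d .../letsencrypt/live" test never fires.
# Assumptions: lineage at $le_dir/live/$domain with relative symlinks into
# $le_dir/archive; $bw_ssl_dir is what config.yml's custom-cert paths reference.

# Copy the current chain and key into the directory config.yml references.
# cp -L dereferences certbot's live/ symlinks so Bitwarden gets real files
# that survive the move-aside below.
exportCerts() {
    lineage="$1" dest="$2"
    mkdir -p "$dest" || return 1
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1
    cp -L "$lineage/privkey.pem" "$dest/privkey.pem" || return 1
    chmod 644 "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"    # private key readable by root only
}

# Rename live/ aside so a directory test on $le_dir/live is false. certbot's
# live/ entries are relative symlinks (../../archive/...), so they still
# resolve after the rename and nothing in archive/ or renewal/ is touched.
moveLiveAside() {
    le_dir="$1"
    [ -d "$le_dir/live" ] || return 0
    mv "$le_dir/live" "$le_dir/live.dns"
}

# Put live/ back where certbot expects it before renewal runs.
restoreLive() {
    le_dir="$1"
    [ -d "$le_dir/live.dns" ] || return 0
    mv "$le_dir/live.dns" "$le_dir/live"
}

# Wrapped so a dry run or test can replace it; real use calls certbot, which
# reuses the DNS authenticator recorded in the lineage's renewal config.
certbotRenew() {
    certbot renew --quiet
}

# Full cycle: restore live/, renew, export for Bitwarden, move live/ aside.
renewWithDnsChallenge() {
    le_dir="$1" domain="$2" bw_ssl_dir="$3"
    restoreLive "$le_dir" || return 1
    certbotRenew || return 1
    exportCerts "$le_dir/live/$domain" "$bw_ssl_dir" || return 1
    moveLiveAside "$le_dir"
}
```

Run it from cron as root in place of any run.sh-driven renewal, e.g. `renewWithDnsChallenge /etc/letsencrypt my.domain /opt/bitwarden/bwdata/ssl/my.domain`; after the export the Bitwarden nginx container still needs a restart to load the new files, which this wrapper leaves to the caller.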