Closed Shayne-H closed 4 months ago
I would consider this as a feature request since it's not a bug/issue.
Looking at your solution, the best option for now should be #2. You will need to do a `--pre-hook` to copy the cert back to the proper directory before doing renewal.
Your issue appears to be describing the intended behavior of the software. If you want this to be changed, it would be a feature request.
We use GitHub issues as a place to track bugs and other development related issues. The Bitwarden Community Forums has a Feature Requests section for submitting, voting for, and discussing requests like this one: https://community.bitwarden.com/c/feature-requests/
Please sign up on our forums (https://community.bitwarden.com/signup) and search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.
This issue will now be closed.
Thanks!
I'm trying to set up a self-hosted version of Bitwarden using DNS challenge rather than the default HTTP.

The easiest route would be to invoke certbot and use the default directory `/etc/letsencrypt/live/my.domain`, then edit `config.yml` to point to custom certs in there. Second to that would be still using certbot to create certs in that same directory, but then symlinking them to `/opt/bitwarden/bwdata/ssl/my.domain` and pointing `config.yml` to that.

I'm assuming that this is going to cause issues, because if I understand `run.sh` correctly, it's simply looking to see if the directory exists, then invokes certbot for an HTTP challenge, which would have issues.

I'm not sure how to best proceed:
- `post-hook` with certbot to copy the certs to a different directory, but they still exist in `.../letsencrypt/live` and would get hit during bitwarden updates.
- `post-hook` to move the certs, but that could cause issues with certbot for future renewals
- `run.sh`, but then it's just going to get updated and I don't want to have to do that every time.

Please let me know if there's an easy option that I'm missing, or what would be suggested to do this.

As for a suggestion, it would be nice to change the check in the `function updateLetsEncrypt()` and `function forceUpdateLetsEncrypt()` to reference `config.yml` for custom SSL certificates rather than using `-d`. I'm guessing there's a large enough base of folks who don't want to expose Bitwarden to the WAN for certificate renewal to make such a change worth considering.
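As an added example (not code from the Bitwarden project or from either poster), here is a certbot hook in the spirit of the copy-based option discussed in the thread: after a renewal it copies `fullchain.pem` and `privkey.pem` from certbot's live directory into the directory `config.yml` points at, writing atomically and keeping the private key owner-only. The destination path, the `BW_SSL_DIR` variable and the `certificate.crt`/`private.key` file names are assumptions; `RENEWED_LINEAGE` is the environment variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example, not Bitwarden's or certbot's own code. Intended use (assumed):
#   certbot renew --deploy-hook /path/to/this/script.sh
# certbot sets RENEWED_LINEAGE to the live directory of the renewed certificate.
set -eu

# Directory Bitwarden reads from (assumption: matches the ssl paths in config.yml).
BW_SSL_DIR="${BW_SSL_DIR:-/opt/bitwarden/bwdata/ssl/my.domain}"

# copy_certs SRC DST: copy fullchain.pem and privkey.pem from a certbot live
# directory into DST. Returns 1 if either source file is missing. cp follows
# the live/ symlinks, so DST ends up holding real files, not links into archive/.
# Each file is written under a temp name and then renamed, so a reader never
# sees a half-written file; the key is created under umask 077 and left at 600.
copy_certs() {
  src="$1"
  dst="$2"
  [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
  mkdir -p "$dst"
  (
    umask 077
    cp "$src/fullchain.pem" "$dst/certificate.crt.tmp"
    cp "$src/privkey.pem" "$dst/private.key.tmp"
  )
  mv "$dst/certificate.crt.tmp" "$dst/certificate.crt"
  mv "$dst/private.key.tmp" "$dst/private.key"
  chmod 644 "$dst/certificate.crt"
  chmod 600 "$dst/private.key"
}

# When invoked by certbot, copy the renewed lineage; otherwise do nothing so the
# function can be sourced and exercised on its own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  copy_certs "$RENEWED_LINEAGE" "$BW_SSL_DIR"
fi
```

The hook only refreshes the files on disk; the Bitwarden containers still have to be restarted afterwards so nginx loads the new certificate.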