Hello Friends,

I have a small Ubuntu server and I finally also want to transfer my Vaultwarden instance to it. On this server I have several services running (homeassistant, …) and Certbot via Dehydrated (right now I get a certificate for my duckdns address). In some directory I have the privkey and fullchain files.

Now my problem is that when I start Vaultwarden it won't load as HTTPS.

I believe my problem is telling Vaultwarden where my certificate files are located so it can use them accordingly.

This is my Compose file right now:

  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /home/vaultwarden:/data/
      - /home/(directory to my certificates):/usr/share/ca-certificates/
    ports:
      - 8129:80
    environment:
      - DOMAIN=https://hurrdurr.duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN=token
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

The volume mapping to the certificates was just me trying it out, so maybe it's working if I map it like that.

If I open port 8129 in my browser it will just time out. I also managed to get it to start, but it wouldn't let me register as there's no HTTPS certificate.

  • Giddy
    1 year ago

    I use Nginx Proxy Manager to reverse proxy all my services including Vaultwarden -

    Setup in NPM -

    Open Nginx Proxy Manager Admin Portal
    Click Proxy Hosts
    Click Add Proxy Host
    Fill in the details
        Details tab
            Domain Names - vault.your.domain
            Scheme - http
            Forward Hostname/IP - vaultwarden (this should be the name of your vw container)
            Forward Port - 80
            Tick Block Common Exploits
            Tick Websockets Support
            Access List - Publicly Accessible
        Custom locations tab
            Add the following locations
                location 1
                    location - /notifications/hub
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 3012
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header X-Real-IP $remote_addr;
                location 2
                    location - /notifications/hub/negotiate
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 80
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                location 3
                    location - /
                    Scheme - http
                    Forward Hostname/IP - vaultwarden
                    Forward Port - 80
                    Click the cog symbol and add the following to the textbox that appears
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
        SSL tab
            SSL Certificate - Request a new SSL Certificate
            Tick Use a DNS Challenge (or just expose port 80 if you accept the risk)
            DNS Provider - Dynu (this is my dyndns provider)
            Credentials File Content - replace YOUR_DYNU_AUTH_TOKEN with the API key from https://www.dynu.com/en-US/ControlPanel/APICredentials
            Email Address for Let's Encrypt - your email
            Tick I Agree to the Let's Encrypt Terms of Service
    Click Save
    Vaultwarden should now be accessible via https://vault.your.domain
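
A Compose layout matching the reverse-proxy setup described in the reply above, as an added example that is not part of the thread. It assumes the `jc21/nginx-proxy-manager` image, a shared network named `proxy` and the `./npm` host paths, all of which are choices made here; Vaultwarden publishes no host port, so the only route to it is through the proxy's TLS listener.

```yaml
# Added example, not from the thread. The network name "proxy", the ./npm
# paths and the loopback binding of the admin port are assumptions.
services:
  npm:
    container_name: npm
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "443:443"          # HTTPS, terminated by the proxy
      - "80:80"            # HTTP; can be dropped when using a DNS challenge
      - "127.0.0.1:81:81"  # NPM admin portal, reachable only from the host
                           # itself (e.g. over an SSH tunnel)
    volumes:
      - ./npm/data:/data
      - ./npm/letsencrypt:/etc/letsencrypt
    networks:
      - proxy

  vaultwarden:
    container_name: vaultwarden   # the name entered as "Forward Hostname/IP"
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /home/vaultwarden:/data/
    # No "ports:" section. The proxy reaches the container's internal ports
    # over the shared network, so plain HTTP is never exposed on the host.
    # No certificate volume either: TLS ends at the proxy.
    environment:
      - DOMAIN=https://vault.your.domain   # must match the proxy host name
      - ADMIN_TOKEN=token                  # placeholder, as in the post
      - SIGNUPS_ALLOWED=true
    networks:
      - proxy

networks:
  proxy:
    name: proxy   # user-defined network, so "vaultwarden" resolves by name
```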