Bitwarden Lite not asking clients for certificate authentication

Greetings Bitwarden Community,

I’m configuring a self-hosted Bitwarden Lite instance using Docker Compose and I’m having issues configuring mTLS. From what I can see on the Bitwarden Lite documentation, https://bitwarden.com/help/install-and-deploy-lite/, it should be a case of setting BW_ENABLE_SSL_CA=true and depositing my CA certificate in the BW_SSL_CA_CERT location, which is defaulted to /etc/bitwarden/ca.crt. With this configuration, when I launch the Docker Compose, there are no warnings or error messages, indicating the instance has launched and is running successfully. However, when I access the website on desktop, iOS and Android, I am not prompted for a client certificate to verify authentication to the server. In fact, I can even log in through the iOS and Android apps without providing client certificates. From what I can see, the Bitwarden iOS app still has mTLS in development, so I’m certain that client certificates are not being asked for by the server.

From what I can see in the self-host repository, the bitwarden-lite/hbs/nginx-config.hbs file has a section that checks if the BW_ENABLE_SSL_CA environment variable is set to true, and then sets the ssl_trusted_certificate to the provided BW_SSL_CA_CERT environment variable, defaulting to /etc/bitwarden/ca.crt if no variable is provided. This leads me to believe mTLS does in fact work on Bitwarden Lite with the environment variables discussed, but for some reason my instance is not using them in nginx.

There are no messages in the Docker Compose logs or in the /etc/bitwarden/logs/ log files that indicate mTLS has failed to find or use the CA certificate. I can see Bitwarden Lite spawns identity, api, admin, icons, notifications and nginx, but in the /etc/bitwarden/logs/ directory I don’t see a log file for nginx - though there are log files for the other five spawns.

I feel like I’ve tried quite a lot and still don’t have much more of an idea what the problem is that’s stopping mTLS from working. Does anyone have a running Bitwarden Lite instance that’s configured with mTLS, and could help me solve this issue?

Thanks,

RipeAndReady
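Since the question turns on which nginx directives actually make a server request a client certificate, here is an added example (not Bitwarden's template or the poster's configuration) that classifies an nginx config file and probes a live endpoint; the sample server block and its ssl.crt/ssl.key paths are constructed for illustration, and the suggestion to dump the running config with `nginx -T` inside the container is an assumption.

```shell
# Added example (not Bitwarden's own code): will this nginx server block request a
# client certificate? ssl_trusted_certificate only supplies CAs for verification;
# a CertificateRequest is sent only when ssl_verify_client is on/optional, and
# ssl_client_certificate names the CA list advertised to the client.
# mtls_status CONFIG_FILE -> enforced | optional | misconfigured | not-enforced
# (CONFIG_FILE can be an `nginx -T` dump taken inside the container.)
mtls_status() {
  stripped=$(sed 's/#.*$//' "$1")
  verify=$(printf '%s\n' "$stripped" \
    | sed -n 's/^[[:space:]]*ssl_verify_client[[:space:]][[:space:]]*\([a-z_]*\).*/\1/p' \
    | tail -n 1)
  if printf '%s\n' "$stripped" | grep -q '^[[:space:]]*ssl_client_certificate[[:space:]]'; then
    have_client_ca=yes
  else
    have_client_ca=no
  fi
  case "$verify" in
    on)
      # nginx refuses to start when verification is on but no CA list is given
      if [ "$have_client_ca" = yes ]; then echo enforced; else echo misconfigured; fi ;;
    optional|optional_no_ca)
      echo optional ;;
    *)
      # absent or "off": no CertificateRequest, so clients are never prompted,
      # even when ssl_trusted_certificate points at a CA file
      echo not-enforced ;;
  esac
}
# Live check: openssl echoes the CA names from the server's CertificateRequest;
# "No client certificate CA names sent" means the server never asked for one.
probe_client_cert_request() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | grep 'client certificate CA names' || echo "no TLS handshake output from $1"
}
# Constructed sample mirroring the symptom: CA supplied only via ssl_trusted_certificate.
write_sample_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/bitwarden/ssl.crt;
    ssl_certificate_key /etc/bitwarden/ssl.key;
    ssl_trusted_certificate /etc/bitwarden/ca.crt;
    # ssl_client_certificate /etc/bitwarden/ca.crt;
    # ssl_verify_client on;
}
EOF
}
sample=$(mktemp) && write_sample_config "$sample"
mtls_status "$sample"   # prints: not-enforced
rm -f "$sample"
```

Run `mtls_status` against the nginx config the container actually loads, then `probe_client_cert_request your.host` from a client machine; if the first reports not-enforced and the second prints "No client certificate CA names sent", the clients are behaving correctly and the gap is in the server configuration.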