BW: SSL routines::wrong version number behind nginx revproxy

I'm trying to set up a self-hosted Bitwarden instance on my Hetzner dedicated server. It's running an NGINX reverse proxy and Bitwarden. However, when I look into my nginx error logs I can only see:

2024/08/06 21:34:16 [error] 378441#378441: *1902 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 46.5.x.x, server: bitwarden.x.co, request: "GET /favicon.ico HTTP/2.0", upstream: "https://127.0.0.1:8800/favicon.ico", host: "bitwarden.x.co", referrer: "https://bitwarden.x.co/"

when trying to load the site (it also displays a 502 Bad Gateway nginx message in the browser). I don't want to use the built-in certbot because I have to stop my nginx instance every time I want to launch Bitwarden (port 80 is already in use by nginx => certbot container can't launch).

My nginx server block (located in the default config file) is the following:

server {
    if ($host = bitwarden.x.co) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    #listen [::]:80 ipv6only=on; 
    server_name bitwarden.x.co;
    
    location / {
      return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    server_name bitwarden.x.co; # REPLACE HERE

    error_log /etc/nginx/logs/bitwarden_error.log warn;
    access_log /etc/nginx/logs/bitwarden_access.log;
    
    set $upstream https://127.0.0.1:8800;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 256m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffers 32 4k;

    ssl_certificate /etc/letsencrypt/live/bitwarden.x.co/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bitwarden.x.co/privkey.pem; # managed by Certbot

    #include snippets/ssl-params.conf;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_pass $upstream;
    }

}

and I symbolically linked the contents of ‘/etc/letsencrypt/live/bitwarden.x.co’ to ‘/opt/bitwarden/bwdata/ssl’.

The bwdata/config.yml is the following:

url: https://bitwarden.x.co
#
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/DockerCompose.hbs
generate_compose_config: true
#
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Template: https://github.com/bitwarden/server/blob/master/util/Setup/Templates/NginxConfig.hbs
generate_nginx_config: true
#
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 8801
#
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 4434
#
# Configure Nginx for Captcha.
captcha: false
#
# Configure Nginx for SSL.
ssl: true
#
# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions:
#
# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites:
#
# Installation uses a managed Let's Encrypt certificate.
ssl_managed_lets_encrypt: false
#
# The actual certificate. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_certificate_path: /etc/ssl/fullchain.pem
#
# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_key_path: /etc/ssl/privkey.pem
#
# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_ca_path:
#
# Diffie Hellman ephemeral parameters
# Learn more: https://security.stackexchange.com/q/94390/79072
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_diffie_hellman_path: /etc/ssl/certs/dhparam.pem

I don't know where else to go from this. I renamed the old bwdata/letsencrypt/live to bwdata/letsencrypt/live_bak. I must note that the configuration worked somewhat with the certbot docker container enabled, but as I said, it's not practical since everything is running on the same machine.

Edit:
I also checked “docker exec -it b155edada64f /bin/bash”,
which shows “Error response from daemon: Container b155edada64faa6883392cb071b8cefd5c0d1bb0127702c9faad834b02d8607e is restarting, wait until the container is running”
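
A way to check which of the ports named in the post actually speaks TLS, added here as an example and not part of the original post: OpenSSL reports `wrong version number` when the first bytes from the peer are not a TLS record, which is what a plaintext HTTP listener sends back. The function names are made up for this example; the ports are the ones shown in the nginx block (8800) and in config.yml (8801, 4434).

```python
#!/usr/bin/env python3
"""Classify what a local port speaks before pointing `proxy_pass https://` at it."""
import socket
import ssl

# Ports taken from the post: nginx's upstream, then config.yml's http_port/https_port.
PORTS_FROM_POST = {"nginx upstream": 8800, "http_port": 8801, "https_port": 4434}


def probe_upstream(host, port, timeout=3.0):
    """Return 'tls', 'plaintext', 'closed' or 'silent' for host:port."""
    # Diagnosis only: certificate checks are off so any TLS listener counts.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        pass  # handshake failed or timed out (ssl.SSLError is an OSError)
    # The handshake did not complete, so see whether plain HTTP answers instead.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = raw.recv(16)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "silent"
    return "plaintext" if reply.startswith(b"HTTP/") else "silent"


def probe_all(host="127.0.0.1", ports=PORTS_FROM_POST, timeout=3.0):
    """Probe every named port and return {name: (port, result)}."""
    return {name: (port, probe_upstream(host, port, timeout))
            for name, port in ports.items()}


if __name__ == "__main__":
    for name, (port, result) in probe_all().items():
        print(f"{name:15} 127.0.0.1:{port:<5} -> {result}")
```

Only a port that reports `tls` is a valid target for an `https://` upstream; `plaintext` needs `http://`, and `closed` means nothing is listening there, as happens while a container is restarting.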