Self hosted install with existing SSL certificate

I’m trying to install BW on Ubuntu.
If I install it with a self-signed certificate, it works without problems; I can see the login page in the browser.
But I already have a wildcard SSL certificate from Let’s Encrypt. So when the installer asked “Do you have a SSL certificate to use?” I replied Yes, and also Yes to the Trusted Certificate question.
Bitwarden requires 3 files for the SSL: ca.crt, certificate.crt, private.key.
My Let’s Encrypt certificate has 4 files: cert.pem, chain.pem, fullchain.pem, privkey.pem.
So I did the following conversions:
openssl x509 -outform der -in chain.pem -out ca.crt
openssl x509 -outform der -in fullchain.pem -out certificate.crt
openssl ec -outform der -in privkey.pem -out private.key (my certificate was generated with an EC key, not RSA)
If I use these converted certificates with BW, it does not work; there is no reply in the browser from the BW server.
What do I have to do in order to use my Let’s Encrypt certificate with my local Bitwarden server?

Hi @bw-soso, have you already checked out this article on using an existing SSL certificate?

If that doesn’t help, our support team could help troubleshoot further.

Thanks, I already read the article, but it does not help. The article says that I need 3 certificate files (ca.crt, certificate.crt, private.key) but my Let’s Encrypt certificate consists of these files: cert.pem, chain.pem, fullchain.pem, privkey.pem.
I also generated an SSL certificate for a new domain from another provider and it gave those 3 files: ca.crt, certificate.crt, private.key. I reinstalled BW on the new domain, I copied the 3 files to the ssl/bw-domain/ folder, BW starts with success but from the browser it still does not want to connect to the BW server (err connection refused).
As I mentioned, the install works with a self signed certificate. It just does not want to work with my certificates.

One more thing about my setup, I don’t know if it is relevant: the computer hosting the BW server is not accessible from the internet. I added to my internal DNS a record that maps to the server’s IP. Does the computer hosting the BW server need to be accessible from the internet when using a real SSL certificate?

I am not sure the above is 100% correct.
Fullchain.pem is not the certificate. You should use cert.pem in your second step (I think).

I finally solved the problem.
I generated a new certificate from ZeroSSL, they provided me with those 3 files that BW expected, ca.crt, certificate.crt, private.key. I copied the files to the ssl/mydomain folder, it still did not work. Trying all kinds of things, I got to decrypt the private.key using openssl. I placed the decrypted private.key in the ssl/mydomain folder and it worked.
I went back to my original wildcard SSL certificate from Let’s Encrypt. I combined the fullchain.pem and privkey.pem into a .pfx file. Then I generated the certificate.crt and private.key from the .pfx file using openssl. I copied the files to ssl/mydomain and it worked with my Let’s Encrypt SSL certificate. The ca.crt was not required.

Doing all this work isn’t necessary. Just copy the needed Let’s Encrypt files to the ssl directory and reference them in the config file. You can leave the CA file blank.

ssl_certificate_path: /etc/ssl/fullchain.pem
ssl_key_path: /etc/ssl/privkey.pem

Then do “./ rebuild” and you’re all set.
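
Added example, not part of any post in this thread: a pre-flight check to run on the certificate and key files before copying them into the ssl directory. It flags the two causes that came up above (files converted to DER, and an encrypted private.key) plus a certificate/key mismatch. The function name `check_tls_pair` and its status words are made up for this example, and it assumes the server wants unencrypted PEM files, as in the setups that worked in the thread.

```shell
#!/bin/sh
# check_tls_pair CERT KEY   (hypothetical helper, not part of Bitwarden)
# Prints one status word; returns 0 only when the pair looks usable.
check_tls_pair() {
    cert=$1
    key=$2
    # A DER file (openssl ... -outform der) has no PEM armor line.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo cert-not-pem; return 1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo key-not-pem; return 1
    fi
    # PKCS#8 encrypted keys use their own armor label; traditional
    # encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header line.
    if grep -q -e '^-----BEGIN ENCRYPTED' -e '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo key-encrypted; return 1
    fi
    # Compare public keys (works for EC and RSA). For a fullchain
    # file, openssl x509 reads the first certificate in it.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo cert-unreadable; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo key-unreadable; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo key-mismatch; return 1
    fi
    echo ok
}

# Stand-alone use: sh check.sh fullchain.pem privkey.pem
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```
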