I’m trying to install BW on Ubuntu.
If I install it with a self-signed certificate, it works without problems; I can see the login page in the browser.
But I already have a wildcard SSL certificate from Let's Encrypt. So when the installer asked "Do you have a SSL certificate to use?" I replied Yes, and also Yes to the Trusted Certificate question.
Bitwarden requires 3 files for the SSL: ca.crt, certificate.crt, private.key.
My Let's Encrypt certificate has 4 files: cert.pem, chain.pem, fullchain.pem, privkey.pem.
So I did the following conversions:
openssl x509 -outform der -in chain.pem -out ca.crt
openssl x509 -outform der -in fullchain.pem -out certificate.crt
openssl ec -outform der -in privkey.pem -out private.key (my certificate was generated with an EC key, not RSA)
If I use these converted certificates with BW, it does not work; there is no reply in the browser from the BW server.
What do I have to do in order to use my LetsEncrypt certificate with my local Bitwarden server?
Hi @bw-soso, have you already checked out this article on using an existing SSL certificate?
If that doesn’t help, our support team could help troubleshoot further.
Thanks, I already read the article, but it does not help. The article says that I need 3 certificate files (ca.crt, certificate.crt, private.key), but my Let's Encrypt certificate consists of these files: cert.pem, chain.pem, fullchain.pem, privkey.pem.
I also generated an SSL certificate for a new domain from another provider, and it gave those 3 files: ca.crt, certificate.crt, private.key. I reinstalled BW on the new domain and copied the 3 files to the ssl/bw-domain/ folder. BW starts successfully, but from the browser it still does not want to connect to the BW server (ERR_CONNECTION_REFUSED).
As I mentioned, the install works with a self-signed certificate. It just does not want to work with my certificates.
One more thing about my setup, I don't know if it is relevant: the computer hosting the BW server is not accessible from the internet. I added to my internal DNS a record that maps bw.mydomain.com to the server's IP. Does the computer hosting the BW server need to be accessible from the internet when using a real SSL certificate?
I am not sure the above is 100% correct.
fullchain.pem is not the certificate. You should use cert.pem in your second step (I think).
I finally solved the problem.
I generated a new certificate from ZeroSSL, they provided me with those 3 files that BW expected, ca.crt, certificate.crt, private.key. I copied the files to ssl/mydomain folder, it still did not work. Trying all kind of things, I got to decrypt the private.key using openssl. I placed the decrypted private.key in ssl/mydomain folder and it worked.
I went back to my original wildcard SSL certificate from Let's Encrypt. I combined the fullchain.pem and privkey.pem into a .pfx file. Then I generated the certificate.crt and private.key from the .pfx file using openssl. I copied the files to ssl/mydomain and it worked with my Let's Encrypt SSL certificate. The ca.crt was not required.
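Added example (not part of the thread, and not Bitwarden's own tooling): the PKCS#12 round trip described in the last post, written as a POSIX shell script, plus a check that the resulting private.key actually belongs to certificate.crt. The nginx container that terminates TLS in a self-hosted Bitwarden reads these files as PEM and cannot prompt for a passphrase at start-up, so the script extracts the key unencrypted (-nodes) and restricts its permissions. The directory paths, the export password, and the throwaway self-signed EC certificate that stands in for the Let's Encrypt files are all constructed here for illustration.

```shell
#!/bin/sh
# Convert Let's Encrypt output (fullchain.pem + privkey.pem) into the
# certificate.crt / private.key pair Bitwarden's nginx expects, via a
# PKCS#12 round trip, then verify the pair. Added example, not project code.
set -eu

# Build CONSTRUCTED stand-ins for the Let's Encrypt files so the script runs
# offline: a throwaway prime256v1 key and a 30-day self-signed certificate.
make_fake_le_files() {          # $1 = directory to populate
    d="$1"; mkdir -p "$d"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/privkey.pem"
    openssl req -new -x509 -key "$d/privkey.pem" -days 30 \
        -subj "/CN=bw.example.test" -out "$d/cert.pem"
    # Real Let's Encrypt output carries intermediates in chain.pem; a
    # self-signed cert has none, so fullchain.pem is just cert.pem here.
    cp "$d/cert.pem" "$d/fullchain.pem"
    : > "$d/chain.pem"
}

# The round trip from the post: bundle into .pfx, then split back out as PEM.
convert_for_bitwarden() {       # $1 = Let's Encrypt dir, $2 = bwdata/ssl/<domain>
    src="$1"; dst="$2"; mkdir -p "$dst"
    # Leaf + chain and key into one PKCS#12 container (export password "x").
    openssl pkcs12 -export -in "$src/fullchain.pem" -inkey "$src/privkey.pem" \
        -passout pass:x -out "$dst/bundle.pfx"
    # Certificates only, written as PEM (nginx does not read DER).
    openssl pkcs12 -in "$dst/bundle.pfx" -passin pass:x -nokeys \
        -out "$dst/certificate.crt"
    # Key only, unencrypted (-nodes): nginx cannot ask for a passphrase when
    # the container starts, which is why an encrypted key does not work.
    openssl pkcs12 -in "$dst/bundle.pfx" -passin pass:x -nocerts -nodes \
        -out "$dst/private.key"
    chmod 600 "$dst/private.key"   # plaintext key: keep it owner-readable only
    rm -f "$dst/bundle.pfx"
}

# Return 0 if private.key and certificate.crt carry the same public key.
key_matches_cert() {            # $1 = bwdata/ssl/<domain>
    c=$(openssl x509 -in "$1/certificate.crt" -noout -pubkey)
    k=$(openssl pkey -in "$1/private.key" -pubout)
    [ "$c" = "$k" ]
}

# Return 0 if private.key is PEM and loads without a passphrase.
key_is_plain_pem() {            # $1 = bwdata/ssl/<domain>
    grep -q "BEGIN.*PRIVATE KEY" "$1/private.key" &&
    ! grep -q "ENCRYPTED" "$1/private.key" &&
    openssl pkey -in "$1/private.key" -noout -passin pass: 2>/dev/null
}

# Usage: sh bw-ssl.sh /etc/letsencrypt/live/mydomain /opt/bitwarden/bwdata/ssl/mydomain
# (both paths are assumptions; adjust to your install)
if [ "$#" -eq 2 ]; then
    convert_for_bitwarden "$1" "$2"
    key_matches_cert "$2" && echo "OK: $2/private.key matches $2/certificate.crt"
fi
```

The round trip is a convenient way to normalise whatever a provider hands you, but Let's Encrypt already ships PEM, so copying fullchain.pem to certificate.crt and writing the key with `openssl ec -in privkey.pem -out private.key` (no `-outform der`) produces equivalent files; the `-outform der` in the original conversions is the most likely reason nginx never came up. After copying the files, `openssl s_client -connect bw.mydomain.com:443 -servername bw.mydomain.com` from the internal network shows whether the served chain is the one you intended.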