SSO Unhealthy without Encryption

Hi,

I have spun up multiple VMs (Ubuntu, Fedora, etc.), five or so in total. On each one I tried different variables with regard to encryption, watched YouTube videos, followed tutorials, searched for hours online, modified countless files, and I have not been able to successfully log in one time!

One variable that has been constant the entire time is that I have home Internet service that blocks port 80, so I am not able to get a Let's Encrypt cert natively within the setup.

I signed up for a Cloudflare account and have that all set up, so really I just need to answer no, no, no to all types of encryption and certs so that I can allow Cloudflare to do its thing while BW sits safely behind it.

Unfortunately, that is not the case. Any combination of answers I give the BW install yields the same general result: I cannot log in (with errors).

I have tried all the fun changes, like adding the network to web and sql and changing the version to 2023.1.

The more changes I make, the worse it gets; the last few spin-ups have yielded an unfixable SQL/SSO error that I cannot overcome.

A lot of the stuff I have been following is not super recent, and I would have figured that a solid install would have matured by now, at least for those that have proxies or otherwise safe ways to host without BW's help locking it down, but that seems not to be the case.

I have not tried CentOS yet, as based on what I have read it seems to be more troublesome than most.

Part of me wishes that I could just host it myself on Windows Server, IIS, and SQL and rid myself of these Docker containers, which seem to be the weak point. I have heard rumblings of some that have played with the idea, but nothing solid enough on the "tube" or documented that I could give it a stab with.

I do see that there are a LOT of other issues, self-hosted and online, in this community regarding all facets of BW, and I almost feel nervous continuing on to put all my eggs in this basket. Not so much because of a lack of security; it is the fear of not easily spinning up another VM and being able to restore from a backup, and having to troubleshoot all over again if need be, that concerns me the most.

Although it is probably the better option, I just cannot feel comfortable with all my info, regardless of how secure, hosted by BW in the cloud.

Anyone with any ideas, it would be greatly appreciated.

Btw, I've had a lot of fun working on this project so far and feel like it wasn't time wasted even if I don't work it out. It is, though, a shame that there are so many problems.

All the Best and thanks in advance,
T

Hey @Tonedog2112 and welcome to the community,

I would say it sounds like you've made a right mess of things, that's for sure :joy:
Hopefully you are only testing and not too far down the rabbit hole just yet.

I would say your best option here, in my opinion, may be to use LE to run a DNS challenge against Cloudflare if the direct HTTP method does not work for you.
In this case it looks like certbot is well integrated with Cloudflare, so you could automate the DNS challenge and renewal and then pass the result into Bitwarden self-host by following the steps for using an existing SSL certificate.
You may also need to run ./bitwarden.sh rebuild and ./bitwarden.sh start afterwards, and probably run this with cron or something similar every ~60-85 days or so.

You could check out Bitwarden Unified, but this is in beta currently, so if stability and reliability for your important information is critical then you may wish to stay with the standard install.
(Though I would argue this makes a good case to always have regular and recent backups of your critical information, such as your password vault, within another system as well.
Remember "two is one, and one is none.")
:wink:

Hope this helps :slightly_smiling_face:
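The renewal pipeline the reply above describes (a certbot DNS-01 challenge through Cloudflare, copying the result into the self-host's existing-certificate location, then ./bitwarden.sh rebuild and ./bitwarden.sh start), written out as an added example. It is not code from the thread, from Bitwarden or from certbot. It assumes the certbot-dns-cloudflare plugin is installed, that the install lives at BW_DIR (default /opt/bitwarden), that the credentials file holds a scoped Cloudflare API token (Zone:DNS:Edit on just that zone, never the global API key) in the dns_cloudflare_api_token format, and that the existing-certificate layout is bwdata/ssl/<domain>/certificate.crt plus private.key; the file name bw-cert-renew.sh is also made up. Check each of those against the current Bitwarden and certbot docs before relying on it.

```bash
#!/usr/bin/env bash
# Added example (not Bitwarden's or certbot's own code): obtain a Let's Encrypt
# certificate with a DNS-01 challenge via Cloudflare, install it where Bitwarden
# self-host expects an existing certificate, and rebuild only when it changed.
# BW_DIR, DOMAIN, CF_INI and the bwdata/ssl/<domain> layout are assumptions.
set -euo pipefail

BW_DIR="${BW_DIR:-/opt/bitwarden}"                  # directory holding bitwarden.sh (assumption)
DOMAIN="${DOMAIN:-vault.example.com}"               # the vault hostname (assumption)
CF_INI="${CF_INI:-/root/.secrets/cloudflare.ini}"   # certbot-dns-cloudflare credentials (assumption)

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The token in this file can rewrite DNS for the whole zone, so refuse to run
# unless the file is owner-only and holds a scoped API token rather than the
# legacy global key (dns_cloudflare_api_key / dns_cloudflare_email).
cloudflare_ini_ok() {
  local ini="$1"
  [ -f "$ini" ] || return 1
  case "$(file_mode "$ini")" in 600|400) ;; *) return 1 ;; esac
  grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$ini"
}

# Whole days between two epoch timestamps (notAfter, now); pure arithmetic so it is testable offline.
days_until_expiry() {
  local not_after_epoch="$1" now_epoch="$2"
  echo $(( (not_after_epoch - now_epoch) / 86400 ))
}

# Read notAfter from a PEM certificate as epoch seconds (GNU date, then BSD date).
cert_not_after_epoch() {
  local end
  end="$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)"
  date -d "$end" +%s 2>/dev/null || date -j -f '%b %d %T %Y %Z' "$end" +%s
}

# True when certbot produced a chain that differs from what Bitwarden currently serves,
# so a rebuild is only triggered after an actual renewal, not on every cron run.
cert_changed() {
  local src="$1/fullchain.pem" dst="$2/certificate.crt"
  [ -f "$dst" ] || return 0
  ! cmp -s "$src" "$dst"
}

# Copy certbot's output into Bitwarden's existing-certificate layout (assumed:
# bwdata/ssl/<domain>/certificate.crt and private.key), keeping the key owner-only.
deploy_cert() {
  local src="$1" dst="$2"
  install -d -m 700 "$dst"
  install -m 644 "$src/fullchain.pem" "$dst/certificate.crt"
  install -m 600 "$src/privkey.pem"   "$dst/private.key"
}

# First run issues; later runs are no-ops until certbot's own renewal window (30 days) opens.
# DNS-01 needs no inbound port 80/443, so a blocked port 80 at home does not matter.
obtain_cert() {
  certbot certonly --non-interactive --agree-tos --keep-until-expiring \
    --dns-cloudflare --dns-cloudflare-credentials "$CF_INI" \
    --dns-cloudflare-propagation-seconds 60 \
    -d "$DOMAIN"
}

main() {
  local live="/etc/letsencrypt/live/$DOMAIN" ssl="$BW_DIR/bwdata/ssl/$DOMAIN"
  cloudflare_ini_ok "$CF_INI" || { echo "refusing: $CF_INI missing, not owner-only, or not a scoped token" >&2; exit 1; }
  obtain_cert
  if cert_changed "$live" "$ssl"; then
    deploy_cert "$live" "$ssl"
    ( cd "$BW_DIR" && ./bitwarden.sh rebuild && ./bitwarden.sh start )
    echo "deployed certificate for $DOMAIN, valid for $(days_until_expiry "$(cert_not_after_epoch "$live/fullchain.pem")" "$(date +%s)") more days"
  else
    echo "certificate for $DOMAIN unchanged; nothing to deploy"
  fi
}

# Run as `bw-cert-renew.sh run` (e.g. daily from root's cron); sourcing the file only defines the functions.
case "${1:-}" in run) main ;; esac
```

Scheduling this daily rather than "every 60-85 days" is deliberate: certbot decides whether a renewal is due, and the script only touches bwdata and restarts the containers when the deployed chain actually changed, so a missed day costs nothing and a failed renewal shows up in the cron mail long before the old certificate expires. The credentials check is the part worth keeping even if you script the rest differently: a leaked zone-wide DNS token lets someone point the vault hostname wherever they like.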