Support for DNS-01 Challenge for SSL Certificate Renewal

I would like to request formal support for the DNS-01 challenge method when renewing SSL certificates in the self-hosted Bitwarden server.

My self-hosted Bitwarden instance is located behind a firewall with strict inbound access rules. As part of my maintenance routine, the server is configured to update automatically once per week. However, if the SSL certificate is within 30 days of expiry at the time of the update, the server fails to start after updating because it cannot complete HTTP-01 based certificate renewal due to the firewall restrictions.

This results in downtime, requiring me to manually open the firewall, restart Bitwarden to trigger certificate renewal, and then re-secure the firewall—a process that is both inconvenient and error-prone.

Support for the DNS-01 challenge would enable certificate renewal to occur without needing inbound HTTP access, resolving this issue entirely in environments with restricted network access. Given that many users run Bitwarden behind firewalls or in non-public network segments, I believe this would be a valuable addition to improve resilience and automation in such deployments.

Thank you for considering this feature.

A significant complexity with this is that the DNS-01 challenge requires the use of an API with your DNS provider to update the DNS record. Unfortunately, there is no standardization for said APIs, meaning there would likely need to be individual mechanisms for each DNS provider.

Certbot already supports a wide range of DNS providers through existing plugins and community-developed scripts. These are well-maintained and widely used in various production environments.

Rather than implementing native API support for each DNS provider within Bitwarden itself, a possible approach could be to allow users to bring their own Certbot configuration or hook scripts. This would enable those who need DNS-01 to integrate with their specific DNS provider using existing Certbot capabilities, without Bitwarden needing to manage those API interactions directly.
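The hook-script approach suggested in the reply above, sketched as an added example that is not part of the original thread and is neither Bitwarden's nor Certbot's own code. It assumes the DNS zone accepts RFC 2136 dynamic updates signed with a TSIG key; the server name, key path and `PROPAGATION_WAIT` variable are hypothetical.

```sh
#!/bin/sh
# Certbot manual hook for DNS-01 using RFC 2136 dynamic updates (nsupdate).
# Hypothetical defaults; override through the environment.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"                 # placeholder server
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"   # placeholder path
TTL="${TTL:-60}"

# Challenge record name; a wildcard is validated at its base name.
acme_record_name() {
    base=${1#\*.}
    printf '_acme-challenge.%s.' "$base"
}

# Emit an nsupdate batch that adds or deletes exactly one TXT value, so a
# wildcard plus base-name order can hold two values on the same name.
build_update() {   # args: add|delete  domain  validation
    name=$(acme_record_name "$2")
    case "$1" in
        add)    line="update add $name $TTL IN TXT \"$3\"" ;;
        delete) line="update delete $name IN TXT \"$3\"" ;;
        *)      return 2 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$line"
}

# True only if the TSIG key exists and has no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Runs only when Certbot invokes the hook; it exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION. First argument: add (auth hook) or delete (cleanup hook).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action="${1:-add}"
    key_is_private "$TSIG_KEYFILE" || {
        echo "refusing: $TSIG_KEYFILE missing or group/world accessible" >&2
        exit 1
    }
    batch=$(build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || exit 2
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE" || exit 1
    # Give secondaries time to serve the record before the CA queries it.
    [ "$action" != "add" ] || sleep "${PROPAGATION_WAIT:-30}"
fi
```

Certbot would call it through `--manual --preferred-challenges dns --manual-auth-hook "/path/to/hook.sh add" --manual-cleanup-hook "/path/to/hook.sh delete"`. Because the key sits on the same host as the vault, the DNS server's update policy should limit it to the `_acme-challenge` TXT records rather than the whole zone.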