Switch from managed letsencrypt SSL support to self-managed


Bitwarden is running successfully on my own server (Installation was pretty easy).
During setup I activated the integrated managed SSL support via letsencrypt. It works so far; however, I find it annoying that each time the bitwarden.sh script is invoked the certificate is checked for renewal (which leads to very long delays: “Non-interactive renewal: random delay of 364 seconds”).

Therefore I decided to manage the SSL certificate on my own.
I updated bwdata/config.yml and changed the parameters ssl_managed_lets_encrypt, ssl_certificate_path and ssl_key_path and performed bitwarden.sh rebuild afterwards.

However, it seems the certificates of the included letsencrypt are still used, and the certificate is still checked for renewal with each invocation of bitwarden.sh.

How can I completely disable the integrated letsencrypt support and use my own certificates with an existing deployment (already lots of passwords in it)?

I use LETSENCRYPT for another project and it takes 1-2 seconds to renew…

Wonder why bitwarden takes so long…

LE renewal checks in my test installation usually take just a few seconds, so I am not sure why it's taking so long for you.

If you are no longer using LE, try deleting the LE directory under ./bwdata/ssl so that renewals are no longer attempted.

Yes, letsencrypt usually takes only a few seconds for renewing/checking certificates. No idea why there are “random delays” inserted here.

However, I ended up exporting all password data, reinstalling bitwarden without integrated letsencrypt support and re-importing all data again (btw, I was wondering if there is a way to export/import ALL data from the vault, because CSV does not include all fields - URL settings are missing, for example?)

I know this topic is 2 years old, but I just switched from BW’s builtin LetsEncrypt (which relies on A records) to using acme.sh via dns (using CloudFlare). That way I don’t have to expose port 80/443 to the internet.

Like OP, I updated bwdata/config.yml to change true to false like so:

ssl_managed_lets_encrypt: false

and updated

ssl_certificate_path: /etc/ssl/domain/certificate.crt
ssl_key_path: /etc/ssl/domain/private.key

as mentioned in the documentation. However, I found that the builtin letsencrypt would still run every time I ran the script to update.

I had to go into /bwdata/letsencrypt and then delete everything in there. Now, everything works as expected.
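
The state described in the last post (managed Let's Encrypt switched off in config.yml, custom certificate paths set, nothing left in bwdata/letsencrypt) can be checked before running bitwarden.sh again. The following is an added example, not part of any post in this thread and not Bitwarden's own code; the function names cfg_value and audit_bwdata are hypothetical, and it assumes config.yml keeps these keys as top-level `key: value` lines.

```shell
#!/bin/sh
# Added example: audit a bwdata directory for leftover managed Let's Encrypt state.
# Constructed for this thread; cfg_value and audit_bwdata are hypothetical helpers.

# Print the value of a top-level scalar key from config.yml (trailing comments stripped).
cfg_value() {  # usage: cfg_value <config.yml> <key>
  sed -n "s/^$2:[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Return 0 when the deployment looks fully self-managed, 1 otherwise.
audit_bwdata() {  # usage: audit_bwdata <path-to-bwdata>
  bw_dir="$1"; bw_cfg="$1/config.yml"; bw_rc=0
  [ -f "$bw_cfg" ] || { echo "FAIL: $bw_cfg not found"; return 1; }

  bw_val=$(cfg_value "$bw_cfg" ssl_managed_lets_encrypt)
  if [ "$bw_val" = "false" ]; then
    echo "OK:   ssl_managed_lets_encrypt is false"
  else
    echo "FAIL: ssl_managed_lets_encrypt is '${bw_val:-unset}', expected false"
    bw_rc=1
  fi

  for bw_key in ssl_certificate_path ssl_key_path; do
    bw_val=$(cfg_value "$bw_cfg" "$bw_key")
    if [ -n "$bw_val" ]; then
      echo "OK:   $bw_key = $bw_val"
    else
      echo "FAIL: $bw_key is empty"; bw_rc=1
    fi
  done

  # Leftover entries here are what kept triggering renewal checks in the thread.
  if [ -d "$bw_dir/letsencrypt" ] && [ -n "$(ls -A "$bw_dir/letsencrypt")" ]; then
    echo "FAIL: $bw_dir/letsencrypt still contains files"; bw_rc=1
  else
    echo "OK:   $bw_dir/letsencrypt is empty or absent"
  fi
  return "$bw_rc"
}

# Audit the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then audit_bwdata "$1"; fi
```

Save it as a script and pass the path to bwdata as the only argument; a non-zero exit status means at least one of the three conditions from the thread is not met.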