Been using Vaultwarden for 3 years now. Love it. The latest upgrade doesn’t allow logging in using my existing self-signed cert. I know this is not recommended, but I like the 1-year update and forcing a file to be loaded before logging in, and not requiring a 3-month update to Cloudflare etc.
Do I need to re-create the self-signed certificate, or is this method no longer supported?
I have gone back to 1.34.3 and all is well.
Why not try Let’s Encrypt? You can use Caddy as a reverse proxy in front of Vaultwarden and it’ll automatically manage your certificates.
Are you deploying Vaultwarden using Docker? In that case I would recommend caddy-docker-proxy.
Thank you for that reply. I am using Nginx Proxy Manager for all of my containers, including Vaultwarden on a few other servers in my house as a backup in case something like this happens. I like to keep Vaultwarden running on a separate machine, in this case a Raspberry Pi 3B+ running Buster/Debian 10, which just recently went into the unsupported bin. I think my Docker engine is too old as well (26.1.1); the log files indicate that 1.35.1 isn’t even starting up. So, like many things, the problem lies elsewhere, not just the self-signed cert as I initially expected.
Thanks for the Caddy recommendation. That looks pretty good. I will stick with Nginx for now and keep Caddy in my back pocket. Time to rebuild the Pi using either Bullseye or Bookworm.
You can pair Let’s Encrypt with Nginx proxy too.
In 2024 I splurged and bought a numeric 1.111b xyz domain for $0.99/yr, but if you shop around others pay $0.85 or $0.83/yr. Best thing I ever did for my homelab. Now Caddy generates/renews Let’s Encrypt certificates for my machines through DNS challenge, so no open ports. Never have to give it a second thought.
If rebuilding the Pi, it might be a good time to use a zero-maintenance Let’s Encrypt setup with proper certificates.
Great suggestion. I just did this with Cloudflare. Will try caddy-docker-proxy on a test Pi and see how that goes
I bought a numeric domain for 85 cents, pretty awesome!
Just spent the day working on caddy-docker-proxy. No luck with it. It appears to want to connect to Cloudflare with an A record that points to a public IP address. I don’t expose Vaultwarden and want the DNS record to point to an internal IP address. Nginx Proxy Manager can do this using DNS challenge and an API token. I will try doing this with a “regular” Caddy Docker container.
At that price having a domain is a no-brainer and to a geek like me a numbered domain is even cooler.
My networking knowledge is rudimentary compared to others here. This post on the Caddy forums was helpful to me. I use the Caddy Docker image mentioned since it has the Cloudflare modules. At home, the dnsmasq in my router is set to resolve my numbered domain to the local IP address. Outside, my free Cloudflare account will resolve to my current public IP address due to DDNS, but I have no open ports.
OK, I got Caddy to work by taking GitHub files from Jim’s Garage and creating a Cloudflare custom module thing, and it worked great, almost on the first try. Time will tell how the renewals go, as I block all external access on any machine that runs Vaultwarden. Will have to manually update or set up a schedule where external access is allowed for a short time. Uptime Kuma has a sweet way to monitor certificate expiration dates, and I have that running already.
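The setup the last few posts arrive at (a Caddy image with the Cloudflare DNS module, a Caddyfile using the DNS-01 challenge, and a way to keep an eye on expiry), written out as an added example. This is not code from the thread, from Jim’s Garage, or from the Caddy or Vaultwarden projects; the hostname vault.example.com, the upstream vaultwarden:80, the token variable CLOUDFLARE_API_TOKEN, the pinned resolver and the file names are all assumptions. The point it illustrates is that DNS-01 proves control of the zone by publishing a TXT record, so the A record can point at a LAN address and nothing has to be reachable from the internet:

```shell
#!/bin/sh
# Added example (not the thread's or Caddy's own code): Caddy with the Cloudflare
# DNS-01 challenge as a TLS front end for Vaultwarden. Hostname, container name,
# port, resolver and file names are assumptions.
set -eu

# Caddyfile: the certificate is obtained through DNS-01 only, so the A record may
# point at a LAN address and no inbound port has to be open. The API token is read
# from the environment instead of being written into the file. "resolvers" is an
# assumption: it pins the TXT-propagation check to a public resolver so a
# split-horizon dnsmasq at home does not answer for the zone.
render_caddyfile() {
  domain="$1"
  upstream="$2"
  cat <<EOF
$domain {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1
    }
    reverse_proxy $upstream
}
EOF
}

# Dockerfile: the stock caddy image ships without DNS provider modules, so build
# a binary that includes github.com/caddy-dns/cloudflare with xcaddy.
render_dockerfile() {
  cat <<'EOF'
FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
EOF
}

# Days until the certificate served on host:port expires (negative once expired).
# Needs openssl and a live listener; intended for a cron job or a renewal check.
cert_days_left() {
  host="$1"
  port="${2:-443}"
  not_after=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | sed 's/^notAfter=//')
  # GNU date first, BSD/macOS date as the fallback
  expiry=$(date -d "$not_after" +%s 2>/dev/null \
    || date -j -f '%b %e %H:%M:%S %Y %Z' "$not_after" +%s)
  echo $(( (expiry - $(date +%s)) / 86400 ))
}

# Run as `sh caddy-vaultwarden.sh deploy` to write both files and build the image.
if [ "${1:-}" = "deploy" ]; then
  render_caddyfile "${DOMAIN:-vault.example.com}" "${UPSTREAM:-vaultwarden:80}" > Caddyfile
  render_dockerfile > Dockerfile
  docker build -t caddy-cloudflare .
  echo "start with: docker run -d --name caddy -e CLOUDFLARE_API_TOKEN=... -p 443:443 \\"
  echo "  -v \$PWD/Caddyfile:/etc/caddy/Caddyfile -v caddy_data:/data caddy-cloudflare"
fi
```

Two practical notes. Issuance and renewal only need outbound HTTPS from the Caddy host to Let’s Encrypt and to the Cloudflare API; blocking all inbound traffic to the Vaultwarden machine does not stop them, so no window of external access has to be scheduled. Use a Cloudflare API token scoped to DNS edit on that one zone rather than the global API key, and set Vaultwarden’s own DOMAIN variable to the https:// URL so the web vault and clients generate the right links behind the proxy.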