Issues with certificates for Vaultwarden on Synology (Xpenology)

Hi all.

I encountered a certificate problem when using Vaultwarden in a Docker container on Synology (Xpenology). Please help.
Yesterday I spent the whole day trying to solve this problem and it did not work :frowning:
I read the Wiki but unfortunately did not understand how to solve my problem.

Describing what I did:
I want Vaultwarden to be available only when connected to my VPN.

On Synology, I downloaded and installed Docker, then I installed the vaultwarden image and set port 8080.
The final http address of vaultwarden is: http:// , but https is required for registration.

Next, I set up Reverse-proxy in Synology, Protocol: https, port 443, address: vaultwarden.
Final https:// vaultwarden.local

After that, I was able to register in the system, open it on my home PC, connect through the browser extension.
But when opening https:// vaultwarden.local in Chrome on Android (connected via Wi-Fi to the home network), the page did not open; as I understand it, this is because the request goes through Google DNS anyway. The Bitwarden app on the phone didn’t connect for the same reason.
I installed an Android emulator on a PC and tried to open a link on it in a browser - the site does not open. The Bitwarden app didn’t work on the emulator either.

I realized that the link https:// is needed so that I can open it on my phone in the browser and in the application. I exported the Synology certificates and tried using them in the ROCKET_TLS variable. After that, I managed to open the page in the browser on the phone, but in the application I began to receive the error “Exception message: Trust anchor for certification path not found”.

Then I decided to try forwarding ports on the router for Synology. I set up DuckDNS on Synology in DDNS and got certificates from Let’s Encrypt. I exported the received certificates; there were 6 pieces in the archive: ECC-cert.crt, ECC-fullchain.pem, ECC-key.pem, RSA-cert.crt, RSA-fullchain.pem, RSA-key.pem (I could have made a mistake in the names). After that, I disabled port forwarding and any external access to Synology. Next, I tried using the combinations ECC-fullchain.pem, ECC-key.pem or RSA-fullchain.pem, RSA-key.pem in the ROCKET_TLS variable. As a result:

The page https:// opens, the browser extension is connected.
On the phone:
Page https:// opens, Bitwarden app error “Exception message: Trust anchor for certification path not found”.

Tell me, what am I doing wrong? :frowning:
How can I correctly configure vaultwarden on Synology so that it is only accessible via VPN, there is no access to it from an external network and the Bitwarden application works on Android?