SSL encryption without access to the Internet and without a self-created certificate?

We want to use Vaultwarden purely locally.

It is running under the domain vault.domain.local. Unfortunately I can’t use the web interface because it has to run under https.

I am familiar with the Let’s Encrypt certificates, but I can’t do that because I don’t have an internet connection to validate them, and it wouldn’t be possible with a .local address either.

A self-created certificate is also out of the question because we would then have to roll it out on all end devices.

How do you manage to use the “local”?

I read that there are also DNS requests from Let’s Encrypt. But how will that work if the Docker container on which we host it locally has absolutely no access to the outside? Except for the moment when we did the `docker-compose up -d`. Then the gate to the outside was closed again.

I hope I get good and suitable suggestions.

PS: I read the page in the wiki but didn’t understand directly how it should work without the internet.

Unfortunately, with a .local domain I cannot think of any other way to get certificates to work properly other than to load the certs into each device’s Trusted Root Certificate Authorities. This would be true of any service or webpage being run under a .local domain and where certificates must be used.

If this cannot be done, then using a proper trusted certificate with a valid domain and hostname would be required.

DNS challenges for Let’s Encrypt differ from the HTTP challenge in that they do not require a response from the host requesting the certificate on ports 80 or 443.
Instead, the DNS challenge validates domain ownership to LE by adding a TXT record at your DNS provider.
To see more please read

When you say that the server running Vaultwarden has no internet access, is it such that there are simply no port forwarding rules to allow access into the server from the greater internet, or do you specifically have firewall rules which block internet access from the Vaultwarden server to the greater internet, so that it cannot access external facing services?

If it is the latter and the server is completely offline, then the only methods I could think possible would be either:

  1. Purchase and load a valid certificate for the Vaultwarden service; this could be specifically for Vaultwarden or be a wildcard certificate.
  2. Generate free Let’s Encrypt certificates on another machine with internet access; after the cert has been validated, it can then be loaded into Vaultwarden. (Generally this would be best practice for segregating credentials.)

Might I ask what the thought process is in the need to have the server completely disconnected from the WAN? This will need to be allowed for further updates to be pulled when they are released.
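To make the DNS-01 mechanism from the reply above concrete, here is an added example (not part of either post, and not Vaultwarden or Let’s Encrypt code) that walks through both sides of the exchange as RFC 8555 defines it: the client derives the TXT value from the CA-issued token and its account key thumbprint, publishes it under `_acme-challenge.<domain>`, and the CA looks that record up and compares. The domain `vault.example.com`, the token and the account JWK are constructed placeholders; the zone is an in-memory dict standing in for the DNS provider. Nothing in the exchange ever contacts the host that will eventually serve the certificate, which is why the offline Vaultwarden box can stay offline while a connected machine completes the challenge.

```python
import base64
import hashlib
import json
import secrets

# Constructed placeholders: a real ACME account key and token look like this
# in shape only. The JWK members are not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-challenge-token-from-the-ca"
DOMAIN = "vault.example.com"  # a .local name could not be validated this way


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(domain: str) -> str:
    """Where the CA will look: _acme-challenge.<domain>, type TXT."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Client side: key authorization is '<token>.<thumbprint>'; the TXT
    value is the base64url SHA-256 of it (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def publish_txt(zone: dict, domain: str, token: str, thumbprint: str) -> dict:
    """Client side: publish the record at the DNS provider (here a dict).
    A new value is appended rather than replacing, matching how wildcard
    and multi-name orders can need several records under one name."""
    name = challenge_record_name(domain)
    zone.setdefault(name, []).append(dns01_txt_value(token, thumbprint))
    return zone


def ca_validate_dns01(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """CA side (simulated): resolve the TXT records and accept only if one
    equals the expected value. The CA recomputes from its own copy of the
    token and the thumbprint of the account that requested the order."""
    expected = dns01_txt_value(token, thumbprint)
    records = zone.get(challenge_record_name(domain), [])
    return any(secrets.compare_digest(r, expected) for r in records)


def run_exchange() -> bool:
    """Full round trip: derive, publish, validate. Returns the CA's verdict."""
    thumbprint = jwk_thumbprint(ACCOUNT_JWK)
    zone = publish_txt({}, DOMAIN, TOKEN, thumbprint)
    return ca_validate_dns01(zone, DOMAIN, TOKEN, thumbprint)


if __name__ == "__main__":
    tp = jwk_thumbprint(ACCOUNT_JWK)
    print(challenge_record_name(DOMAIN), "TXT", dns01_txt_value(TOKEN, tp))
    print("CA verdict:", run_exchange())
```

After validation succeeds, the issued certificate and key are files like any other, so they can be carried to the offline host; the TXT record can be removed once the order is complete, and a fresh token (hence a fresh TXT value) is needed at every renewal.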