Unable to install vaultwarden on docker (Ubuntu 20.04)

1

Hi,
it’s been 3 days of trying to install vaultwarden on my vm. I ahve tried some guides (Including the one in the docs with caddy, the one in Linode’s website -which comes up first when searching ‘self host vaultwarden’- and some diverse tips from reddit) and I haven’t been able to access it anytime.
Following the Linode’s guide, I had to change caddy’s port number as it conflicted with the vaultarden one, and it didn’t fix the issue. I have been able to receive a certificate from lets encrypt but even after it I still encounter problems.

When accessing it from a local pc I get an ‘ERR_SSL_PROTOCOL_ERROR’, while when I try to connect to it from my domain (I am sure it is properly forwarded as I have tried with ncat to see that the requests are reaching the correct ports) i get an ‘ERR_EMPTY_RESPONSE’.

Any clue on what I have done wrong?

My Caddyfile -without my domain-
My run script

2

Caddyfile should point to the same network that is open for the Vaultwarden network. In your case localhost 127.0.0.1 with ports 8080 and 3012.

Try that and rerun, also I would check to make sure both containers are running and caddy logs show a proper cert pulled. You’ll need FW ports forwarded for the VM and DNS record pointed for ACME cert validation, unless using DNS only cert validation.

3

I’m not sure what you are referring to as ‘FW ports’. I have forwarded port 80 and 443 to the VM and I have A entries on cloudflare to my ip. I have disabled Cloudflare’s proxies temporarily as I read in a post that they didn’t allow the certificate request to complete.
After changing the ip on the Caddyfile as you mentioned, I’m getting the error attached below. In previous attempts to get the certificate, when reading the logs they reported that I had been able to get it, but now I’m not sure why not.

Would DNS only validation work more easily? How can I do that?

Thanks for your support

The caddy logs

4

Why are you testing via the outside world first? Aren’t you testing access locally first before adding CF into the mix? Do you run a DNS server (like Unbound) on your network? From your Caddy file it looks like you are using TLS challenge?

I’d definitely suggest trying something like DNS challenge – this will require you own a domain and your DNS records are managed by a provider that supports ACME – like CF.

You’re aware you can always test your configuration using an ACME tool like acme.sh. I’m not saying you have to rely on this method but it’s a lot easier sometimes to test against such a tool to see if LE cert functions are working.

5

I’m not sure why I´m trying from the outside world, I was just testing if CF would provide the certificate my server was lacking. I had tried before locally but without any luck.
Which process do you suggest to do things? I’m new to caddy and vaultwarden, I don’t know how neither of them operate.
I’m running pihole locally. I don’t know how to set up dns challenge on caddy, I was following guides and ended up with that file.

I currently own a domain so that isn’t a problem.

6

Update: reinstalled vaultwarden and caddy and rewrote my Caddyfile. I created self signed certificates and attempted to access vw locally. Now I get a 502 error, when reading through the caddy logs I can see that caddy receives the request but it reports that the vw server refused the connection. vw logs show no error.

Edit: Forgot to add that the run script is the same and the caddy file looks almost identical but serving local certificates instead of using let’s encrypt ones.

Edit 2: Exact error:
{"level":"error","ts":1644188243.8428655,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8080: connect: connection refused","request":{"remote_addr":"<addr>","proto":"HTTP/2.0","method":"GET","host":"<host>","uri":"/","headers":{"Dnt":["1"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-Dest":["document"],"Accept-Language":["en-US,en;q=0."],"Sec-Fetch-Mode":["navigate"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Cache-Control":["max-age=0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua":["\"Chromium\";v=\"96\", \" Not A;Brand\";v=\"99\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"<host>"}},"duration":0.000635757,"status":502,"err_id":"pbzx38fcq","err_trace":"reverseproxy.statusError (reverseproxy.go:886)"}

7

Sorry I can’t provide much support since I don’t use Caddy…:frowning:

8

I’ve figured out that the only issue is caddy. Vaultwarden works from the docker pc when I try to access it with curl (I should have tried earlier), so I guess it’s working fine. I changed the IP to its local IP to test it from another computer and the register form works flawlessly except that it obviously requires HTTPS to work. I’ll try different approaches with Caddy on a few days to try to fix the certificate issue.

If anyone has any idea to solve it, I will be more than happy to try it out, anyways thanks a lot for helping me get here.

As soon as I find the solution to the problem, I will post it here.

9

Finally solved it. I ended up creating a new VM using Alpine to have things organized and installed docker on it.
I installed Traefik following the tutorial by TechnoTim on YouTube about local ssl and then changed the settings for my custom environment. After getting the certificate, I tried connecting locally and it worked, so I forwarded the required ports for accessing it remotely and had no problems with it, neither with the web vault or the web sockets notifications.

I think the problem I was having was that caddy wasn’t forwarding the requests as I wanted to (mostly because I hadn’t used caddy before, so I must have written my caddyfile wrong in some way). Once I got Traefik working I had no problems.
It also could have been that my domain was a freenom domain and as I read some time after first trying, cloudflare doesn’t allow API usage for them, so I couldn’t get the certificate.

Thanks for the support here. It got me to the point where I could figure things out for myself.