I would like to have a vaultwarden instance running and am struggling with the certificates for caddy. I would like to have the vaultwarden only available internally (LAN) and have wildcardcertificates for my local domain as well as control over local DNS. I also have already an apache up and running serving already as reverse proxy for other web things (tomcat,…), so if there is an easy way to use this already existing reverseproxy, I’d also be pleased but I’d also be fin using the suggested caddy docker container.
What happened:
I’ve made a fresh virtual machine (artix 6.7.7) and at first I created a directory for vaultwarden to live in: /vw-data/. Then I used this command to create a docker network:
docker ntwork create vaultwarden_network
and proceeded with:
docker run --rm -it vaultwarden/server /vaultwarden hash
Vaultwarden seemed to do what it was supposed to do and asked for a password. After setting the password, I got the ADMIN Token as described. I created a docker-compose.yaml with the following content at the /vw-data location:
version: '3'
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
labels:
caddy: vaultwarden.2f-leuchten.com
caddy.reverse_proxy: "{{upstreams}}"
restart: always
environment:
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=true
- INVITATIONS_ALLOWED=false
- ADMIN_TOKEN=THE-TOKEN-FROM-EARLIER
- DOMAIN=https://vaultwarden.2f-leuchten.com
volumes:
- vaultwarden_data:/data
networks:
- vaultwarden_network
depends_on:
- caddy
caddy:
image: lucaslorentz/caddy-docker-proxy:ci-alpine
container_name: reverse-proxy
ports:
- 80:80
- 443:443
environment:
- CADDY_INGRESS_NETWORKS=vaultwarden_network
- DOMAIN=https://vaultwarden.2f-leuchten.com
EMAIL=administrator@2f-leuchten.com
networks:
- vaultwarden_network
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- caddy_data:/data
restart: unless-stopped
networks:
vaultwarden_network:
external: true
volumes:
vaultwarden_data: {}
caddy_data: {}
after starting the whole thing now with:
docker-compose up -d
while standing in the directory with the docker-compose.yaml I get messages at
docker-compose logs vaultwarden
stating, that the atuomatic certificate generation with let’s encrypt is not working properly as the required DNS entries are missing (which is correct, as we only want to use our internal DNS for the whole shebang, which is not accessible by Let’s Encrypt). I tried to add an entry to the caddy part of docker-compose.yaml(part of “volumes” in the caddy part) as follows:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
and made a Caddyfile at /etc/caddy on the host in the hopes this would help. The Caddyfile looks like this:
{
# Causes all certificates to be issued internally by default,
# rather than through a (public) ACME CA such as Let’s Encrypt.
local_certs
}
vaultwarden.2f-leuchten.com:443, localhost:443 {
# Or uncomment this if you’re providing your own cert. You would also
# use this option if you’re running behind Cloudflare.
tls /etc/ssl/certs/2f-leuchten.com.pem /etc/ssl/certs/2f-leuchten.com.key
}
I also placed the certificate files to the given path on the host (/etc/ssl/certs/2f-leuchten.com.pem as well as /etc/ssl/certs/2f-leuchten.com.key
After doing that and restarting the containers via docker-compose down → docker-compose up -d, when I check the log with
docker-compose logs vaultwarden
I only get the following output. No further errors of any Certificate issuing going wrong:
[vaultwarden vw-data]# docker-compose logs vaultwarden
vaultwarden | /--------------------------------------------------------------------\
vaultwarden | | Starting Vaultwarden |
vaultwarden | | Version 1.30.5 |
vaultwarden | |--------------------------------------------------------------------|
vaultwarden | | This is an *unofficial* Bitwarden implementation, DO NOT use the |
vaultwarden | | official channels to report bugs/features, regardless of client. |
vaultwarden | | Send usage/configuration questions or feature requests to: |
vaultwarden | | https://github.com/dani-garcia/vaultwarden/discussions or |
vaultwarden | | https://vaultwarden.discourse.group/ |
vaultwarden | | Report suspected bugs/issues in the software itself at: |
vaultwarden | | https://github.com/dani-garcia/vaultwarden/issues/new |
vaultwarden | \--------------------------------------------------------------------/
vaultwarden |
vaultwarden | [2024-03-05 15:57:13.761][start][INFO] Rocket has launched from http://0.0.0.0:80
vaultwarden | [2024-03-05 15:57:13.761][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
But when I browse the URL via browser I get no certificate on response and an error stating:Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
When I check on the host, what ports are open, I get the following output:
[vaultwarden vw-data]# sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:42177 0.0.0.0:* LISTEN 2290/containerd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7024/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3109/sshd: /usr/bin
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7004/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 7028/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 3109/sshd: /usr/bin
tcp6 0 0 :::443 :::* LISTEN 7008/docker-proxy
and when I check from outside the host I’ll get the following:
[manoca@lumpy ~]$ nmap vaultwarden.2f-leuchten.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-05 17:01 CET
Nmap scan report for vaultwarden.2f-leuchten.com (30.0.99.96)
Host is up (0.00082s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
So the ports seem all open and fine, but Caddy is not serving my certificates.
As you might already have noticed, I have no idea about docker containers, and therefore am struggling quite a bit figuring things out. So every hint on how this is supposed to be set up is highly appreciated 