Vaultwarden without Access to the Internet (Internal CA from Microsoft)

The following is the case:

We would like to test and possibly use Vaultwarden in our environment, but the following must be guaranteed. The server does not have and will not have access to the Internet. We would also like to use a Microsoft server to manage the certificates.

Is obsolescence via Microsoft certificates possible, and if so, where do they have to be stored for Vaultwarden?

Currently we still have the problem that Vaultwarden can be reached via HTTP, but no HTTPS connection works. In another test environment (6 months ago) this still worked, with the note that the site is not secure; so far that would be OK and understandable.

If someone knows how I can solve the whole thing with the HTTPS/certificate via a Microsoft server, I would be grateful for any help.

If you are using an external certificate provider, you'll need to configure whatever reverse proxy you're using to accept them (having Vaultwarden directly handle certificates is not recommended). As for where they are stored, that's up to you. On Linux, /etc/ssl/certs is common. The main thing is that you ensure your reverse proxy has permission to read them.

Using IIS as your reverse proxy would probably give you the best experience when integrating with Windows Certificate Services. I think it has built-in automation for rotating certs. Haven’t used it in a while though, so I can’t say for sure.

If using something else, like Caddy, see below:

If using Caddy as your reverse proxy, you could do this by adding local_certs to the global portion of the Caddyfile. That will ensure it never tries to reach out to Let's Encrypt. Then you add the file paths of the relevant certificates to a site-specific portion of the Caddyfile so it will pick those up.

Ultra-thin Example:

{
	# Causes all certificates to be issued internally (by Caddy's own
	# local CA) by default, rather than through a (public) ACME CA such
	# as Let's Encrypt. This is what keeps Caddy from reaching out to
	# the Internet for certificates.
	local_certs
}
warden.mydomain.com:443, localhost:443 {
	# For this site, serve your own certificate and key instead (the ones
	# issued by your internal CA). The first file should contain the
	# full chain, and the Caddy process must be able to read both files.
	# You would also use this option if you're running behind Cloudflare.
	tls /etc/ssl/certs/fullchain.pem /etc/ssl/certs/privkey.pem
}

After configuring the reverse proxy to use your certs, the only thing you need to do is ensure that you run caddy reload --config '/etc/caddy/Caddyfile' every time the certificate file is updated.

Nginx and Apache would also work and also require you to reload them every time the certificate changes.
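The answer above leaves two things to the operator: making sure the proxy can read the files, and reloading it every time the certificate changes. The script below is an added example, not code from the original post or from the Vaultwarden or Caddy projects. It checks a freshly issued PEM certificate/key pair before Caddy is pointed at it (the key actually belongs to the certificate, the certificate is not about to expire, and it chains to the internal CA root), installs both files under the path the Caddyfile's tls directive references, and reloads Caddy only if the configuration still validates. The paths /etc/ssl/certs, /etc/ssl/certs/internal-ca.pem and /etc/caddy/Caddyfile, the group name caddy and the 7-day expiry margin are assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# deploy-cert.sh - added example, not part of the original post.
# Checks a new certificate/key pair, installs it where the Caddyfile's
# `tls` directive points, and reloads Caddy. All paths below are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"                    # directory the Caddyfile's tls directive points at
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/internal-ca.pem}" # root (and any intermediate) certs of the internal CA
CADDYFILE="${CADDYFILE:-/etc/caddy/Caddyfile}"
CADDY_GROUP="${CADDY_GROUP:-caddy}"                      # group Caddy runs as; it has to be able to read the key
MIN_DAYS="${MIN_DAYS:-7}"                                # refuse certificates that expire sooner than this

# check_pair CERT KEY CA -> returns 0 only if CERT and KEY belong together,
# CERT is valid for at least MIN_DAYS more days, and CERT chains up to CA.
check_pair() {
    cert="$1"; key="$2"; ca="$3"

    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "check: $cert is not a readable PEM certificate" >&2; return 1; }

    # 1. The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "check: private key does not match certificate" >&2; return 1; }

    # 2. Not expired, and not expiring within the MIN_DAYS margin.
    openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null \
        || { echo "check: certificate expires within $MIN_DAYS days" >&2; return 1; }

    # 3. Chains to the internal CA. Intermediate certs appended to CERT
    #    (a "fullchain" file) are offered as untrusted links of the chain.
    openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "check: certificate does not chain to $ca" >&2; return 1; }
    return 0
}

# install_pair CERT KEY: install the checked pair and reload Caddy.
# If a check fails, the files Caddy is currently serving stay untouched.
install_pair() {
    check_pair "$1" "$2" "$CA_BUNDLE" || return 1
    install -m 0644 "$1" "$CERT_DIR/fullchain.pem"
    install -m 0640 -g "$CADDY_GROUP" "$2" "$CERT_DIR/privkey.pem"
    caddy validate --config "$CADDYFILE" >/dev/null \
        || { echo "install: Caddyfile no longer validates, not reloading" >&2; return 1; }
    caddy reload --config "$CADDYFILE"
}

# Usage: deploy-cert.sh new-fullchain.pem new-privkey.pem
if [ "$#" -eq 2 ]; then
    install_pair "$1" "$2"
fi
```

Run it as root after converting the certificate and key issued by your Microsoft CA to PEM. The chain check is the one that catches the common mistake with an internal CA: a fullchain.pem that is missing the issuing intermediate. The script only verifies the server side; the root certificate of the internal CA still has to be trusted by every Bitwarden client that talks to the server, otherwise the clients will reject the connection no matter what Caddy serves.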