Use Let’s Encrypt dns-01 challenge during self-hosted installation #74

Open
yobyot opened this issue Dec 27, 2022 · 4 comments


yobyot commented Dec 27, 2022

I may have missed it, but I can't see in the code where one can specify dns-01 with a wait time for a Let's Encrypt challenge on ./bitwarden install.

Self-hosters running in VMs behind proxies will have real issues using the other, non-pausable LE challenges.

Without this capability one has to run certbot on the VM and arrange to have certs renewed, copied to ./bwdata/ssl and restart the nginx container on a cron schedule.

Not hard but not convenient.
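The workaround described above (certbot on the VM doing a dns-01 challenge, certificates copied into ./bwdata/ssl, nginx container restarted from cron), written out as an added example; it is not part of this issue and not Bitwarden's own run.sh. It assumes the certbot-dns-cloudflare plugin for the challenge (any other certbot DNS plugin or a --manual-auth-hook script slots in the same way); the hostname, the bwdata path, the container name and the certificate.crt / private.key file names under bwdata/ssl/<domain>/ are configuration assumptions. The part cron runs is guarded behind a --renew argument, and the nginx container is only restarted when the installed certificate or key actually changed.

```shell
#!/usr/bin/env bash
# Added example, not Bitwarden's run.sh: renew via dns-01 with certbot, copy the
# result into bwdata/ssl and restart the nginx container only when it changed.
# Intended for cron, e.g.:  17 3 * * * /usr/local/sbin/bw-renew.sh --renew
set -eu

DOMAIN="${DOMAIN:-bitwarden.example.com}"                  # assumed hostname
BWDATA="${BWDATA:-/opt/bitwarden/bwdata}"                  # assumed install location
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"        # certbot's live dir
DNS_WAIT="${DNS_WAIT:-60}"                                 # seconds to wait for the TXT record
CF_CREDS="${CF_CREDS:-/root/.secrets/cloudflare.ini}"      # assumed; keep it mode 600
NGINX_CONTAINER="${NGINX_CONTAINER:-bitwarden-nginx}"      # assumed container name

# dns-01 needs no inbound port 80/443, so it works behind a proxy or in a VM
# without public ingress; the plugin waits DNS_WAIT seconds before validation.
renew_dns01() {
  certbot certonly --non-interactive --agree-tos --keep-until-expiring \
    --dns-cloudflare --dns-cloudflare-credentials "$CF_CREDS" \
    --dns-cloudflare-propagation-seconds "$DNS_WAIT" \
    -d "$DOMAIN"
}

# Copy fullchain/privkey from a certbot live dir into the Bitwarden ssl dir.
# Prints "changed" if either file differs from what is already installed and
# "unchanged" otherwise, so the caller can skip a pointless restart.
install_cert() {
  local src="$1" dst="$2" changed=unchanged
  mkdir -p "$dst"
  if ! cmp -s "$src/fullchain.pem" "$dst/certificate.crt"; then
    install -m 644 "$src/fullchain.pem" "$dst/certificate.crt"
    changed=changed
  fi
  if ! cmp -s "$src/privkey.pem" "$dst/private.key"; then
    # the private key must not be readable by other users on the VM
    install -m 600 "$src/privkey.pem" "$dst/private.key"
    changed=changed
  fi
  echo "$changed"
}

main() {
  renew_dns01
  if [ "$(install_cert "$LE_LIVE" "$BWDATA/ssl/$DOMAIN")" = changed ]; then
    docker restart "$NGINX_CONTAINER"
  fi
}

# Only run the real pipeline when asked; sourcing the file just defines functions.
if [ "${1:-}" = "--renew" ]; then
  main
fi
```

Because install_cert compares before copying, a cron run that renews nothing (certbot's --keep-until-expiring) leaves the running nginx untouched; the restart only happens in the window where a new certificate was actually issued.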

@glen4cindy

I've been searching for the right command structure to modify the certbot section of run.sh.

I'm trying various experiments using a Docker-installed certbot but have not been successful.
I have been able to manually run certbot, but then it installs the certificates into /etc/letsencrypt/live/{your_domain}, so this is less than ideal. I think you may have to copy them to the proper place in the bwdata folder, but I'm not sure.


Alextocode commented Mar 16, 2023

Hi there,

it is possible to make it work with Cloudflare and a DNS challenge; I implemented this in my local network at home.
But Bitwarden should support this natively.
I am not saying that there should be connectors to a thousand DNS vendors' APIs, but the current solution means modifying the run script (run.sh or run.ps1), and so that these changes don't get lost, the bitwarden script also needs to be adjusted so that no bitwarden command overwrites the run.sh.

I am thinking of a mechanism to include custom code in a separate file.
For instance in the installation and in the LetsEncryptUpdate functions there should be a condition that checks for the existence of a custom script file in the same folder with a hardcoded name like "custom.sh" and if this file exists it invokes the custom code for Let's Encrypt challenge instead of the regular certbot http challenge.

I hope the Bitwarden developers consider this suggestion.

Cheers!

Alex
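The hook mechanism proposed in the comment above (a custom.sh next to the scripts that, when present, replaces the regular certbot http challenge), sketched as an added example; it is not part of this issue and not Bitwarden's run.sh. The default certbot invocation, the arguments handed to custom.sh (domain, email, output directory) and the requirement that the hook leave fullchain.pem and privkey.pem where certbot would are assumptions of this example. It also refuses a hook that is world-writable, since whatever is in that file runs with the privileges of the Bitwarden scripts, and it checks afterwards that the challenge, custom or default, actually produced a certificate.

```shell
#!/usr/bin/env bash
# Added example, not Bitwarden's run.sh: dispatch the Let's Encrypt challenge
# to ./custom.sh when it exists, otherwise fall back to the default http-01 run.
set -eu

CERTBOT_CMD="${CERTBOT_CMD:-certbot}"   # overridable so the dispatcher can be dry-run

# Default path, modelled on an http-01 standalone certbot run (flags assumed).
default_http_challenge() {
  local outdir="$1" domain="$2" email="$3"
  "$CERTBOT_CMD" certonly --standalone --non-interactive --agree-tos \
    --preferred-challenges http --email "$email" -d "$domain" \
    --config-dir "$outdir/letsencrypt"
}

# Contract for custom.sh (an assumption of this example):
#   custom.sh <domain> <email> <outdir>
# On success it must leave fullchain.pem and privkey.pem under
#   <outdir>/letsencrypt/live/<domain>/  , exactly where certbot would.
run_le_challenge() {
  local outdir="$1" domain="$2" email="$3"
  local hook="$outdir/custom.sh"
  local live="$outdir/letsencrypt/live/$domain"

  if [ -e "$hook" ]; then
    # The hook runs with this script's privileges: refuse one anybody can edit.
    if [ -n "$(find "$hook" -perm -o+w)" ]; then
      echo "refusing world-writable hook: $hook" >&2
      return 1
    fi
    if [ ! -x "$hook" ]; then
      echo "hook exists but is not executable: $hook" >&2
      return 1
    fi
    "$hook" "$domain" "$email" "$outdir"
    echo custom
  else
    default_http_challenge "$outdir" "$domain" "$email"
    echo default
  fi

  # Whichever path ran, verify it delivered the files the rest of run.sh copies.
  if [ ! -s "$live/fullchain.pem" ] || [ ! -s "$live/privkey.pem" ]; then
    echo "challenge finished but $live has no certificate" >&2
    return 1
  fi
}
```

Keeping the contract at the file level (the hook only has to populate the same live directory certbot would) is what lets the rest of the script stay unchanged: the copy into bwdata/ssl and the nginx restart never need to know whether a DNS plugin, a manual hook or the stock http-01 run produced the files.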


rawsmr commented Dec 31, 2023

Hi @Alextocode,

maybe you could push your current code into a branch and we could work together on it. I need this feature too, as would many others. If we can do this by calling an external script, the change to the run.sh would be minor and wouldn't need further development in the future. Plus, many other certbot plugins could be added as well.

Hope this work will be appreciated and get merged sometime.

So long!
Robert

@Alextocode

Hi @rawsmr
I will have a look. Right now I have just commented out the original part in the run.sh and replaced it with my own code.
For pushing it into another branch I obviously have to make it different, so that it becomes more dynamic.
And I also have to make an equivalent in PowerShell; in PowerShell I am fluent, since I am actually a Windows guy, but for Docker I decided to go with Linux.

Happy new year!

Alex
