this post was submitted on 22 Dec 2024
37 points (97.4% liked)

Selfhosted

40728 readers
318 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
37
submitted 2 days ago* (last edited 2 days ago) by Linsensuppe to c/selfhosted@lemmy.world
 

I want to host a Vaultwarden (or Bitwarden if necessary) instance, but it keeps asking for a domain and a SSL certificate. I dont own a domain and dont want to enable port forwarding on my router to expose it to the outside.

Is it possible to host a instance only internally and access it via the IP or a domain set on my local DNS? How about SSL is it possible and/or necessary?

top 19 comments
sorted by: hot top controversial new old
[–] prenatal_confusion 3 points 1 day ago

I am hosting vaultwarden locally (docker) and just don't use the Webinterface. The Firefox addon and the bitwarden desktop tool work just fine. Also the android app syncs.

[–] SirMaple__@lemmy.world 23 points 2 days ago

You can use any domain you like. I personally have an actual domain that I only use inside my network. This way I can get SSL certs from Let's Encrypt using the DNS challenge which doesn't require any ports being opened. You can use self signed certs but I would strongly suggest using certs from the likes of Let's Encrypt.

Here are 2 pages on this subject

https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS

[–] interdimensionalmeme@lemmy.ml 2 points 2 days ago

You are in luck, I just made this. Https, no reverse proxy needed

proxmox install script for Vaultwarden

https://forum.proxmox.com/threads/a-proxmox-install-script-for-vaultwarden.159510/#post-732319

[–] irotsoma@lemmy.world 4 points 2 days ago

It's good to use SSL even if you don't plan to use it externally. At some point you may change your mind, or you may need to access it via VPN and there may be one hop between your browser and the VPN that will then be in plain text. Plus, not all devices are trustworthy anymore. An Android or iPhone device might have "malware" (including from reputable companies like Google trying to track you for ad purposes but recording unsecured http traffic to do it.) Or a frienday bring a bad device over and connect to your wifi and inadvertently capture that traffic. Lots of ways for internal traffic to be spied on.

Google: "how to create self signed certificate authority on "

And if that article doesn't have it, google: "how to create a domain certificate from a self signed certificate authority".

It doesn't have to be a valid external domain, just use ".internal" as the top level domain which is reserved for this kind of thing, like "vaultwarden.internal". You can also just use IP addresses in the certificate, but I find that less desirable.

Then google: "how to add a trusted certificate authority on <all your OS's of all internal devices>”. Depending on what web browser you use, you may need to add it there as well. Once the certificate authority is trusted by your devices and browsers, then the domain certificate created by that CA will be as well.

You can set your expiration dates to be far in the future if you want, to avoid having to create new ones often, but be sure to document how just so in 5 or 10 years or so, if it's still that way, you'll know how to update them.

[–] ShellMonkey@lemmy.socdojo.com 5 points 2 days ago

Like others said, self signed or internal only domains work. Really though for the minimal cost of generally less than $20/year you can make it a lot easier by just buying a domain.

From a pure security stance it could be argued that a personally owned CA is more secure than any public one since it's possible for others to create a trusted cert with a public entity. Cloudflare ends up doing that for any domains you register with them, but that's really only an issue for things facing the web and using self signed certs will typically cause problems for any pre-compiled client apps you might use.

[–] superglue@lemmy.dbzer0.com 3 points 2 days ago (1 children)

Buy an xyz domain for like $1. If you choose a domain that just 9 random numbers its super cheap.

So something like 123456789.xyz

Then setup a SWAG container with DNS challenge. Join vaultwarden into the same docker network as SWAG, then add an entry to your router to point to vaultwarden using a subdomain.

[–] interdimensionalmeme@lemmy.ml 1 points 2 days ago (3 children)

If it's just a bunch of numbers, why not just use the ip address?

[–] icedterminal@lemmy.world 4 points 2 days ago (1 children)

TLS.

While technically you can use TLS with a self signed certificate, it creates additional problems with a public facing service. Only recommended for internal services.

[–] interdimensionalmeme@lemmy.ml 1 points 2 days ago (1 children)

Other than having accept a self signed certificate, what's the problem to using the ip address? Mine hasn't changed in years.

[–] icedterminal@lemmy.world 2 points 4 hours ago

Some self hosted services refuse to work if you use a self signed certificate with your public facing IP. They only allow self signed certificates when using one of the handful of private addresses.

Some apps on mobile devices for the service you use won't work unless a trusted certificate is used. A self signed certificate behind the scenes creates an error that isn't handled and you can't connect.

You lose the ability to have a proxy in front to handle abuse so your server is spared the headache. You need a domain to do this.

[–] superglue@lemmy.dbzer0.com 1 points 1 day ago

It makes SSL certs insanely easy. $1 a year is worth it to me to not have to deal with self signed certs.

[–] numanair@lemmy.ml 1 points 2 days ago
[–] DesolateMood@lemm.ee 3 points 2 days ago

I set mine up with duckdns and caddy. In duckdns set the ip address to your machines local address. If memory serves, there's a section in the vaultwarden wiki about using caddy with duckdns

[–] kolorafa@lemmy.world 3 points 2 days ago

I did saw You could also use Tailscale and use their internal signed certificates. Then you can access it both internally and remotly over Tailscale with SSL.

Personally I own a domain for years and just use it.

[–] hendrik@palaver.p3x.de 3 points 2 days ago* (last edited 2 days ago)

Good question. You could set a domain name point to your IP in your router. That has different names, might be hosts-file or just buried somewhere in the DNS settings of the router. Or machinename.local or .lan works. That should give you some internal domain name, valid inside of your network / wifi.

Getting proper certificates without exposing anything is tricky. If that's really needed: You'd either generate a self-signed certificate manually and import that onto your devices. Or you need to do some trickery with letsencrypt's DNS challenge. That's not super easy, but possible: https://m.youtube.com/watch?v=qlcVx-k-02E

I don't use Bitwarden. There might be another specific solution to do it.

[–] Tinkerer@lemmy.ca 2 points 2 days ago

I know the desktop, and mobile apps work without https, however I can't remember if you can set it up via those apps?

I ran vaultwarden for a couple of years without q certificate, I just couldn't log into my instance via the browser.

[–] makingrain@lemm.ee 2 points 2 days ago

Reverse proxy + LetsEncrypt + DuckDNS + DNS rewrite to point it at local IP is all you need. Works quite well for all my services.

I prefer Keepass as it is less faff as a password manager is too critical to host like this imo.

Self signed certs will work. You can Google how to set them up.

[–] a@91268476.xyz 1 points 2 days ago

@Linsensuppe@feddit.org it is possible to create your own certificates, but I highly recommend buying a domain (for 1-2 dollars a year) and use lets encrypt for the certificates, otherwise you will have to deal with a lot of issues (like generating and installing your own root certificates)