by sethammons 2274 days ago
I use bitwarden too, but I can't figure out how to get the cert to automatically update. I have port 443 served by Caddy2 and use that as a reverse proxy to Bitwarden, but Bitwarden wants to bind to 443 to update the cert. So, for now, it is a case of manually stopping Caddy, updating Bitwarden, and starting Caddy back up. The downtime is only acceptable because I only host personal stuff.
2 comments

Here's what worked for me:

Run the bitwardenrs container without SSL:

sudo docker pull bitwardenrs/server:raspberry

sudo docker run -d --name bitwarden --restart always -e ADMIN_TOKEN=your_admin_token -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:raspberry

Proxy through Caddy (note that I'm using DuckDNS for DNS):

curl https://getcaddy.com | bash -s personal tls.dns.duckdns

nohup caddy -http-port 999 -conf /etc/caddy/Caddyfile -envfile /etc/caddy/CaddyEnvFile -agree -email YOUR_EMAIL@gmail.com &

(the port 999 is because we've already got a docker container running on port 80)

Follow the examples here for the configuration: https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examp...

I’ve been running it in a docker container plugged into the nginx reverse proxy and letsencrypt companion containers. The latter claims to automatically update certs though I haven’t had it running long enough to test it. Unless you’re set on using Caddy, it’s a pretty straightforward option.

Instructions here: https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-compan...

The issue with this kind of solution is that you need to pass your docker socket to the container. Not great.

Can you elaborate on why this is a problem? I'm fairly new to docker (and not a programmer / dev), so I'll take any tips I can get!

It basically ruins most isolation/security benefits containers provide, since having root access to this socket allows one to get nearly root access to the host. This is something you want to really avoid.

I don't really have a good solution to this "reload service when certificates are updated" problem that doesn't involve heavier container orchestration.
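As an added example, not code from the thread or from any of the projects named in it, here is a check for the exposure the comment above warns about: it reads `docker inspect` JSON (a constructed sample is embedded; pipe in `docker inspect $(docker ps -q)` for a real host) and reports every container that bind-mounts the Docker socket, read-only or not. It assumes only the standard `Name`, `HostConfig.Privileged` and `Mounts` fields of the inspect output.

```python
import json
import sys
from typing import Dict, List

# Socket paths a container may bind-mount to reach the Docker API.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample in the shape of `docker inspect $(docker ps -q)` output,
# trimmed to the fields this check reads; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/bitwarden",
        "HostConfig": {"Privileged": False, "Binds": ["/bw-data/:/data/"]},
        "Mounts": [{"Type": "bind", "Source": "/bw-data", "Destination": "/data", "RW": True}],
    },
    {
        "Name": "/letsencrypt-companion",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": False}],
    },
])


def socket_exposed_containers(inspect_json: str) -> List[Dict[str, object]]:
    """Return one finding per container that bind-mounts the Docker socket.

    A read-only (:ro) mount is reported as well: the flag only affects the
    socket's file node, and any process that can connect to it still gets
    the full Docker API, i.e. the ability to start a privileged container
    with the host filesystem mounted.
    """
    findings = []
    for container in json.loads(inspect_json):
        sock_mounts = [m for m in container.get("Mounts", [])
                       if m.get("Type") == "bind" and m.get("Source") in DOCKER_SOCKETS]
        if not sock_mounts:
            continue
        findings.append({
            "name": container["Name"].lstrip("/"),
            "read_only": all(not m.get("RW", True) for m in sock_mounts),
            "privileged": bool(container.get("HostConfig", {}).get("Privileged", False)),
        })
    return findings


if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for f in socket_exposed_containers(data):
        print(f"{f['name']}: docker socket mounted (read_only={f['read_only']}, privileged={f['privileged']})")
```

On the sample it flags only `letsencrypt-companion`, which is exactly the container the thread describes; treat any hit as host-root-equivalent access when deciding what else that container may reach.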