Hi everyone,
I'm trying to set up Bitwarden_rs and Traefik on a DigitalOcean droplet, but I'm not having much luck. I've successfully gotten Traefik working (although it took around ten hours) and now I'm trying to use Bitwarden_rs with it.
Currently, whenever I try to connect to warden.domain.tld, I get an error message saying that:
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
I also get this:
The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
Here are my traefik.toml and docker-compose.yaml files. I removed some personal info for privacy reasons, but the rest is exactly how it looks on the server. I would love any help I can get - I'm new to all this and thoroughly stumped!
EDIT: Fixed! For people in the future, try recreating your acme.json file. If you get a gateway timeout warning after, remove traefik.docker.network=web and replace it with networks: web.
A couple of questions to help isolate this:
Did you try another browser aside from Firefox?
Did you double check to make sure the certificates were actually created?
These 3 lines are what are turning on HSTS:
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
But rather than turn that off it would be better to find the issue and resolve it. HSTS is a great thing.
I also tried it in Chrome. Do you know how to check if the certificates were created? I ran docker-compose in verbose mode but I didn't get any certificate errors.
Check the ./acme.json file; it should have the cert info in there.
If you can't find the volume then do it inside the container.
docker ps -a
Get the container name, then
docker exec -it [container-name] bin/ash
using bin/ash because you're using the alpine version.
Then poke inside the acme.json file and see what's in there.
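The acme.json inspection described above, written out as an added example that is not part of the original thread: it checks the file mode (Traefik refuses an acme.json that is not 600), catches the empty or malformed file that the OP ended up recreating, and looks for a PEM certificate entry for the hostname in both the Traefik v1 layout (top-level "Certificates") and the v2 layout (per-resolver). The hostname warden.example.com and the acme.json contents in run_demo() are constructed for the demo.

```python
import base64
import json
import os
import stat
import tempfile

def _entries(data):
    # Traefik v1 stores "Certificates" at the top level; v2 nests them under each resolver.
    if "Certificates" in data:
        return data["Certificates"] or []
    return [c for r in data.values() if isinstance(r, dict) for c in (r.get("Certificates") or [])]

def _names(entry):
    dom = entry.get("Domain") or entry.get("domain") or {}
    return [dom.get("Main") or dom.get("main")] + list(dom.get("SANs") or dom.get("sans") or [])

def _is_pem(entry):
    # Traefik base64-encodes the PEM bytes inside the JSON, so decode before inspecting.
    try:
        raw = base64.b64decode(entry.get("Certificate") or entry.get("certificate") or "")
    except ValueError:
        return False
    return raw.startswith(b"-----BEGIN CERTIFICATE-----")

def check_acme_json(path, domain):
    """Return (ok, reason) for the certificate Traefik should hold for `domain`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        return False, "mode is %o but Traefik requires 600" % mode
    if os.stat(path).st_size == 0:
        return False, "file is empty, Traefik has not stored any ACME state yet"
    try:
        with open(path) as fh:
            data = json.load(fh)
    except ValueError:
        return False, "not valid JSON, recreate it as an empty file with mode 600"
    for entry in _entries(data):
        if domain in _names(entry):
            return (True, "certificate present") if _is_pem(entry) else (False, "entry exists but is not PEM")
    return False, "no certificate for this domain, check the Traefik log for ACME errors"

def run_demo():
    """Write constructed acme.json variants into a temp dir and check each one."""
    d = tempfile.mkdtemp()
    fake_pem = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n").decode()
    good = {"Certificates": [{"Domain": {"Main": "warden.example.com", "SANs": None}, "Certificate": fake_pem, "Key": ""}]}
    results = {}
    for name, body in {"good": json.dumps(good), "empty": "", "garbage": "{not json"}.items():
        path = os.path.join(d, name + ".json")
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
        results[name] = check_acme_json(path, "warden.example.com")
    os.chmod(os.path.join(d, "good.json"), 0o644)  # simulate the common wrong-permissions mistake
    results["perms"] = check_acme_json(os.path.join(d, "good.json"), "warden.example.com")
    return results
```

Run it against the real file with check_acme_json("./acme.json", "warden.domain.tld") after copying acme.json out of the container.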
Turns out I needed to recreate the acme.json file! Thanks :)
Looks like your Bitwarden isn't on a network with Traefik. You want Traefik to be able to proxy to it. Try setting Bitwarden to also use network: web.