Bitwarden on TS251 (with SSL and all-inkl)

andre85
Starting out
Posts: 20
Joined: Mon Sep 04, 2017 10:28 pm

Bitwarden on TS251 (with SSL and all-inkl)

Post by andre85 »

Hi.

I'm close to being totally desperate.
For two days I've been trying to install Bitwarden onto my TS251. It's working, but I can't manage to have SSL running perfectly.

My Setup:
QNAP TS251 (Container Station installed and two containers running)
(Sub-)Domain registered at all-inkl - I'm using the Premium package which allows me to modify SSL and DNS entries, etc.
DDNS configured via all-inkl, but I can't create a certificate from all-inkl
DDNS configured on my NAS (qnap mycloudservices)
FritzBox 7490 (port forwarding http 5xxx0 -> 5xxx0 and https 5xxx1 to 5xxx1)
Bitwarden (using multiple Docker containers, which are being merged via Docker-Compose)
Android mobile phone with Bitwarden App

The installation of Bitwarden was successful, even though it took me hours to find a way to do so - I had to do it via SSH on the NAS - I was never using SSH on the NAS before...
The installation file (bitwarden.sh) is placed at /share/CACHEDEV1_DATA/Container
The created data is at /share/CACHEDEV1_DATA/Container/bwdata

Without SSL the installation is working fine. With SSL I keep having issues.

What I've done already:
1. During the installation I've tried to create the certificate with Let's Encrypt - it fails because port 80 is in use already
2. Tried to start certbot manually (docker run -it --rm --name certbot -p 60000:80 ... obviously with a port forwarding on port 60000 on my router). It's starting, but keeps failing at the verification of my domains, both the all-inkl domain as well as the myqnapcloud DDNS domain
3. Tried to get a certificate from all-inkl for my DDNS domain (home.xxx.de) which didn't work either.

4. I've configured the DDNS of QNAP (xxx.myqnapcloud.com). The creation of a certificate using Let's Encrypt did work from the QNAP web interface. I've downloaded it and integrated it into nginx.
SSL is working now - all browsers are giving positive feedback. But when trying to add the server to the Android app it can't connect. I was asking the developer of Bitwarden and he told me that this sounds like the certificate chain is incorrect. So I've checked that on ssllabs.com/ssltest and he was right: the certificate chain is incorrect.

So now I've rolled back to my version without SSL. My subdomain at all-inkl is redirected to my ddns sub domain at all-inkl including the forwarded port (redirect from pw.bla.de to home.bla.de:5xxx0)

For two days I've tried so many different things - I can't even remember all of them anymore.
I'm not an expert and almost desperate... I'm willing to pay someone who's helping me with my problem and who's able to create a fully working solution with me - maybe also using Teamviewer or something else.

I've run out of ideas.

Thanks for your help!

André

PS: Some resources I've used to get as far as I am now:
https://xpenology.com/forum/topic/12455 ... on-docker/
https://help.bitwarden.com/article/install-on-premise/
https://support.comodo.com/index.php?/K ... ion--nginx

-update-
Oh my god, it's finally working!
Another user with the exact same problem as I had found a way to overcome the Android issue.
Download the active intermediate certificates from letsencrypt.org/certificates and import them as user certificates on your mobile. This just did the job!
Last edited by andre85 on Wed Jul 25, 2018 2:28 am, edited 2 times in total.
dolbyman
Guru
Posts: 35274
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by dolbyman »

Please write in English only .. There is a German community forum alternative

https://forum.qnapclub.de/
andre85
Starting out
Posts: 20
Joined: Mon Sep 04, 2017 10:28 pm

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by andre85 »

Oh, sorry, didn't notice - I'll translate my post.
raidforsaving
Easy as a breeze
Posts: 279
Joined: Mon Jul 14, 2014 9:14 am

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by raidforsaving »

I realize this thread is old, but I'm guessing that the correct fix is to offer up the cert chain with your certificate.

It is just a text file and you can append the root and any intermediate certs.

https://help.bitwarden.com/article/install-on-premise/

It is mentioned in the second link under SSL Certificate section.

Much easier than modifying all the clients you may use.
Model name: TS-653D
Firmware version: 4.5.3.1697 build 20210611
Volumes: EXT4, Encrypted volume
Previous: TS-651 dead by CPU bug
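
The chain fix suggested in the post above, as an added example that is not part of the original thread or of Bitwarden's documentation: the script builds a constructed root, intermediate and leaf certificate with the `openssl` CLI and shows that a leaf-only file fails verification for a client that uses only what the server sends, while the leaf with the intermediate appended verifies. The names `demo-root`, `demo-inter`, `demo-leaf` and `nas.example.test` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway root -> intermediate -> leaf
# PKI with hypothetical names, to reproduce the "incomplete chain" failure.

build_demo_pki() {  # $1 = existing empty working directory
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nas.example.test\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null || return 1
  # The file the web server should be given: leaf first, then the intermediate.
  cat "$d/leaf.crt" "$d/inter.crt" > "$d/fullchain.crt"
}

# Number of certificates in a PEM bundle (1 usually means "leaf only").
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Emulate a client that trusts only the root ($1) and can build the path only
# from the certificates in the served file ($2); the first one is the leaf.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d) || exit 1
build_demo_pki "$tmp" || exit 1
for f in leaf.crt fullchain.crt; do
  if served_chain_ok "$tmp/root.crt" "$tmp/$f"; then r="chain verifies"
  else r="FAILS: issuer of the leaf is missing"; fi
  echo "$f ($(count_certs "$tmp/$f") cert): $r"
done
rm -rf "$tmp"
```

To check a real deployment, call `served_chain_ok` with the CA's root certificate and the file that nginx's `ssl_certificate` directive points to.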
Anata mo
Starting out
Posts: 14
Joined: Fri Oct 23, 2009 6:10 pm
Location: Denmark

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by Anata mo »

Hi There,

I'm about to install the Bitwarden container and was wondering what you mean with:
The installation of Bitwarden was successful, even though it took me hours to find a way to do so - I had to do it via SSH on the NAS - I was never using SSH on the NAS before...
What exactly did you do?
Can't you just create the container from container station?
Do you have to do it from SSH?
If you followed a guide, could you post the link?

Friendly regards
Stefan B. Christensen
_____________________________________________________________________________
TVS-673e 2x SSD, 4x 6TB HGST NAS HDD (2018-)
✝TVS-663 w. 16G RAM, 2x SSD, 3x 6TB HGST NAS HDD
✝TS-469 Pro w. 4x 3TB WD RED
✝TS-239 Pro w. 2x 1/2/4TB (2007 -> 2019-05 after +12 years of 24/7 service)
googleg
Getting the hang of things
Posts: 90
Joined: Sun Mar 14, 2010 2:20 pm

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by googleg »

Hi all,
Sorry for the necroposting but there are not many topics on that subject on the forum so I thought it would be nice to re-activate this discussion.

I've just finished deploying Bitwarden (actually it's Vaultwarden now) on my Qnap TS-251+ and the process was relatively smooth and easy.

I mostly followed the tutorial that you can find here: https://scyzoryk.fubar.pl/bitwarden-on-qnap/ with some minor adaptation:

1. For the docker compose I used the Vaultwarden image and a slightly more up to date version of Nginx

```yaml
version: '3'

services:
  bitwarden:
    image: vaultwarden/server:latest
    # Not published on the host; reached through the nginx service below
    expose:
      - "80"
    volumes:
      - ./data/bitwarden:/data
    restart: on-failure
    environment:
      WEBSOCKET_ENABLED: 'true'
      # Replace with your own generated token
      ADMIN_TOKEN: 'INSERT_YOUR_TOKEN_HERE'
    logging:
      driver: "json-file"

  nginx:
    image: nginx:1.23.1-alpine
    # Host ports 8000 (http) and 8443 (https)
    ports:
      - "8000:80"
      - "8443:443"
    volumes:
      - ./data/nginx:/etc/nginx
      - ./data/ssl:/etc/ssl

  bw_backup:
    image: bruceforce/bw_backup:latest
    container_name: bw_backup
    restart: on-failure
    depends_on:
      - bitwarden
    volumes:
      - ./data/bitwarden:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data/bitwarden:/backup_folder/
    environment:
      - DB_FILE=/data/db.sqlite3
      # /data and /backup_folder/ are the same host directory (./data/bitwarden),
      # so a single BACKUP_FILE entry is enough
      - BACKUP_FILE=/backup_folder/db_backup/backup.sqlite3
      - CRON_TIME=0 5 * * *
      - TIMESTAMP=false
      - UID=0
      - GID=0
```
Note that my instance of bitwarden is running on ports 8000 (http) and 8443 (https), feel free to change it to whatever works for you. Also change the ADMIN_TOKEN to your own token generated using the command

```sh
openssl rand -base64 48
```
2. In the tutorial there is a small typo in the Nginx config, the redirection from http to https will not work. In the nginx.conf file line 6 should read:

```nginx
return 301 https://$host:8443$request_uri;
```
Notice the https port number 8443

3. To generate the SSL certificate, I used a minimalistic ssl configuration file named qnap.conf as follows:

```ini
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = YOUR_2_LETTER_COUNTRY_CODE
ST = YOUR_STATE
L = YOUR_CITY
O = YOUR_ORGANIZATION
OU = YOUR_ORGANIZATIONAL_UNIT
CN = FQDN_OF_YOUR_NAS_SERVER
[v3_req]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
# Host names go in DNS.n entries, IP addresses in IP.n entries
DNS.1 = fqdn.of.the.nas
DNS.2 = hostname.of.the.nas
IP.1 = ip.address.of.the.nas
```
Change the certificate information to match your own context and add the various names and IPs of your nas under "alt_names".

Once the file is ready generate the certificate and its private key using the command below:

```sh
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/bitwarden.key -out /etc/ssl/certs/bitwarden.crt -config qnap.conf -extensions 'v3_req'
```
Copy the files in the right location as indicated in the tutorial.

4. Finally, in order to have client browsers and apps accept the self-signed certificate you will have to install it locally. This is especially true for the Bitwarden application on Android which will refuse to connect to your Bitwarden/Vaultwarden instance on your NAS with its self-signed certificate unless you do the following:

Navigate to your (hopefully fully functional) Bitwarden install on your NAS with Firefox. View the certificate details and save the certificate chain on your disk.

Transform the certificate using the following command (on any computer with openssl installed):

```sh
openssl x509 -inform PEM -outform DER -in nas-bitwarden-chain.pem -out bitwarden.der.crt
```

Now import the .der.crt certificate in your Android device. Things should work now.

Voilà, I hope my contribution will be helpful to you. Let me know if you need more details.
dolbyman
Guru
Posts: 35274
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Bitwarden on TS251 (with SSL and all-inkl)

Post by dolbyman »

I leave this post intact but will close the topic for necroposting