Hi.
I'm close to being totally desperate.
For two days I've been trying to install Bitwarden on my TS251. It's working, but I can't manage to get SSL running perfectly.
My Setup:
QNAP TS251 (Container Station installed and two containers running)
(Sub-)Domain registered at all-inkl - I'm using the Premium package, which allows me to modify SSL and DNS entries, etc.
DDNS configured via all-inkl, but I can't create a certificate from all-inkl
DDNS configured on my NAS (qnap mycloudservices)
FritzBox 7490 (port forwarding http 5xxx0 -> 5xxx0 and https 5xxx1 to 5xxx1)
Bitwarden (using multiple Docker containers, which are merged via Docker-Compose)
Android mobile phone with Bitwarden App
The installation of Bitwarden was successful, even though it took me hours to find a way to do so - I had to do it via SSH on the NAS - I had never used SSH on the NAS before...
The installation file (bitwarden.sh) is placed at /share/CACHEDEV1_DATA/Container
The created data is at /share/CACHEDEV1_DATA/Container/bwdata
Without SSL the installation is working fine. With SSL I keep having issues.
What I've done already:
1. During the installation I tried to create the certificate with Let's Encrypt - it fails because port 80 is already in use
2. Tried to start certbot manually (docker run -it --rm --name certbot -p 60000:80 ... obviously with a port forwarding on port 60000 on my router). It starts, but keeps failing at the verification of my domains, both the all-inkl domain and the myqnapcloud DDNS domain
3. Tried to get a certificate from all-inkl for my DDNS domain (home.xxx.de), which didn't work either.
4. I've configured the DDNS of QNAP (xxx.myqnapcloud.com). The creation of a certificate using Let's Encrypt did work from the QNAP web interface. I've downloaded it and integrated it into nginx.
SSL is working now - all browsers are giving positive feedback. But when trying to add the server to the Android app, it can't connect. I asked the developer of Bitwarden and he told me that this sounds like the certificate chain is incorrect. So I've checked that on ssllabs.com/ssltest and he was right: the certificate chain is incorrect.
So now I've rolled back to my version without SSL. My subdomain at all-inkl is redirected to my DDNS subdomain at all-inkl including the forwarded port (redirect from pw.bla.de to home.bla.de:5xxx0)
For two days I've tried so many different things - I can't even remember all of them anymore.
I'm not an expert and almost desperate... I'm willing to pay someone who helps me with my problem and who's able to create a fully working solution with me - maybe also using TeamViewer or something else.
I've run out of ideas.
Thanks for your help!
André
PS: Some resources I've used to get as far as I am now:
https://xpenology.com/forum/topic/12455 ... on-docker/
https://help.bitwarden.com/article/install-on-premise/
https://support.comodo.com/index.php?/K ... ion--nginx
-update-
Oh my god, it's finally working!
Another user with the exact same problem as I had found a way to overcome the Android issue.
Download the active intermediate certificates from letsencrypt.org/certificates and import them as user certificates on your mobile. This just did the job!
Bitwarden on TS251 (with SSL and all-inkl)
-
- Starting out
- Posts: 20
- Joined: Mon Sep 04, 2017 10:28 pm
Last edited by andre85 on Wed Jul 25, 2018 2:28 am, edited 2 times in total.
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Bitwarden on TS251 (with SSL and all-inkl)
Please write in English only .. Otherwise there is a German community
Please write in English only .. There is a German community forum alternative
https://forum.qnapclub.de/
-
- Starting out
- Posts: 20
- Joined: Mon Sep 04, 2017 10:28 pm
Re: Bitwarden on TS251 (with SSL and all-inkl)
Oh, sorry, didn't notice - I'll translate my post.
-
- Easy as a breeze
- Posts: 279
- Joined: Mon Jul 14, 2014 9:14 am
Re: Bitwarden on TS251 (with SSL and all-inkl)
I realize this thread is old, but I'm guessing that the correct fix is to offer up the cert chain with your certificate.
It is just a text file and you can append the root and any intermediate certs.
https://help.bitwarden.com/article/install-on-premise/
It is mentioned in the second link under SSL Certificate section.
Much easier than modifying all the clients you may use.
Model name: TS-653D
Firmware version: 4.5.3.1697 build 20210611
Volumes: EXT4, Encrypted volume
Previous: TS-651 dead by CPU bug
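The fix suggested in the post above, serving the intermediate certificates together with the server certificate, can be checked on the server side before touching any client. The script below is an added example, not code from this thread or from Bitwarden: it builds a constructed root, intermediate and leaf with openssl (all file and subject names are made up) and tests whether a bundle verifies from the position of a client that holds only the root.

```shell
#!/bin/sh
# Added example; every name, path and certificate here is constructed.

# make_constructed_pki DIR: throwaway root -> intermediate -> leaf in DIR.
make_constructed_pki() (
    cd "$1" || exit 2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        'prompt=no' '[dn]' 'CN=Constructed Root' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 2 \
        -keyout root.key -out root.crt
    openssl req -new -config pki.cnf -subj '/CN=Constructed Intermediate' \
        -newkey rsa:2048 -nodes -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out int.crt
    openssl req -new -config pki.cnf -subj '/CN=nas.example.test' \
        -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -days 2 -out leaf.crt
    # Bundle for the server to present: leaf first, then the intermediate.
    cat leaf.crt int.crt > fullchain.pem
) >/dev/null 2>&1

# served_chain_ok ROOT BUNDLE: succeed only if the first certificate in BUNDLE
# verifies up to ROOT using nothing but the other certificates in BUNDLE.
served_chain_ok() {
    work=$(mktemp -d) || return 2
    # First PEM block is the leaf; everything after it is offered as intermediates.
    awk -v d="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/leaf.pem") }
        n > 1  { print > (d "/rest.pem") }
    ' "$2"
    if [ -s "$work/rest.pem" ]; then
        openssl verify -CAfile "$1" -untrusted "$work/rest.pem" \
            "$work/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$work/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Optional command-line use: script ROOT.pem BUNDLE.pem
if [ "$#" -eq 2 ]; then
    served_chain_ok "$1" "$2" && echo "chain complete" || echo "chain incomplete"
fi
```

A bundle holding only the leaf fails this check, while the leaf followed by its intermediate passes.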
-
- Starting out
- Posts: 14
- Joined: Fri Oct 23, 2009 6:10 pm
- Location: Denmark
Re: Bitwarden on TS251 (with SSL and all-inkl)
Hi There,
I'm about to install the Bitwarden container and was wondering what you mean with:
> The installation of Bitwarden was successful, even though it took me hours to find a way to do so - I had to do it via SSH on the NAS - I had never used SSH on the NAS before...

What exactly did you do?
Can't you just create the container from container station?
Do you have to do it from SSH?
If you followed a guide, could you post the link?
Friendly regards
Stefan B. Christensen
_____________________________________________________________________________
TVS-673e 2x SSD, 4x 6TB HGST NAS HDD (2018-)
✝TVS-663 w. 16G RAM, 2x SSD, 3x 6TB HGST NAS HDD
✝TS-469 Pro w. 4x 3TB WD RED
✝TS-239 Pro w. 2x 1/2/4TB (2007 -> 2019-05 after +12 years of 24/7 service)
-
- Getting the hang of things
- Posts: 90
- Joined: Sun Mar 14, 2010 2:20 pm
Re: Bitwarden on TS251 (with SSL and all-inkl)
Hi all,
Sorry for the necroposting but there are not many topics on that subject on the forum so I thought it would be nice to re-activate this discussion.
I've just finished deploying Bitwarden (actually it's Vaultwarden now) on my Qnap TS-251+ and the process was relatively smooth and easy.
I mostly followed the tutorial that you can find here: https://scyzoryk.fubar.pl/bitwarden-on-qnap/ with some minor adaptation:
1. For the docker compose I used the Vaultwarden image and a slightly more up to date version of Nginx
Code:
version: '3'
services:
  bitwarden:
    image: vaultwarden/server:latest
    # exposed to the other containers only, not published on the host
    expose:
      - "80"
    volumes:
      - ./data/bitwarden:/data
    restart: on-failure
    environment:
      WEBSOCKET_ENABLED: 'true'
      ADMIN_TOKEN: 'INSERT_YOUR_TOKEN_HERE'
    logging:
      driver: "json-file"
  nginx:
    image: nginx:1.23.1-alpine
    # host ports 8000 (http) and 8443 (https) map to nginx 80 and 443
    ports:
      - "8000:80"
      - "8443:443"
    volumes:
      - ./data/nginx:/etc/nginx
      - ./data/ssl:/etc/ssl
  bw_backup:
    image: bruceforce/bw_backup:latest
    container_name: bw_backup
    restart: on-failure
    depends_on:
      - bitwarden
    volumes:
      - ./data/bitwarden:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data/bitwarden:/backup_folder/
    environment:
      - DB_FILE=/data/db.sqlite3
      - BACKUP_FILE=/backup_folder/db_backup/backup.sqlite3
      - BACKUP_FILE=/data/db_backup/backup.sqlite3
      - CRON_TIME=0 5 * * *
      - TIMESTAMP=false
      - UID=0
      - GID=0

Note that my instance of bitwarden is running on ports 8000 (http) and 8443 (https), feel free to change it to whatever works for you. Also change the ADMIN_TOKEN to your own token generated using the command
Code:
openssl rand -base64 48

2. In the tutorial there is a small typo in the Nginx config, the redirection from http to https will not work. In the nginx.conf file line 6 should read:
Code:
return 301 https://$host:8443$request_uri;

Notice the https port number 8443
3. To generate the SSL certificate, I used a minimalistic ssl configuration file named qnap.conf as follows:
Code:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = YOUR_2_LETTER_COUNTRY_CODE
ST = YOUR_STATE
L = YOUR_CITY
O = YOUR_ORGANIZATION
OU = YOUR_ORGANIZATIONAL_UNIT
CN = FQDN_OF_YOUR_NAS_SERVER

[v3_req]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = fqdn.of.the.nas
DNS.2 = hostname.of.the.nas
# IP addresses go in IP.n entries, not DNS.n
IP.1 = ip.address.of.the.nas

Change the certificate information to match your own context and add the various names and IPs of your nas under "alt_names".
Once the file is ready generate the certificate and its private key using the command below:
Code:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/bitwarden.key -out /etc/ssl/certs/bitwarden.crt -config qnap.conf -extensions 'v3_req'

Copy the files in the right location as indicated in the tutorial.
4. Finally, in order to have client browsers and apps accept the self signed certificate you will have to install it locally. This is especially true for the Bitwarden application on Android which will refuse to connect to your Bitwarden/Vaultwarden instance on your NAS with its self-signed certificate unless you do the following:
Navigate to your (hopefully fully functional) Bitwarden install on your NAS with Firefox. View the certificate details and save the certificate chain on your disk.
Transform the certificate using the following command (on any computer with openssl installed):
Code:
openssl x509 -inform PEM -outform DER -in nas-bitwarden-chain.pem -out bitwarden.der.crt

Now import the .der.crt certificate in your Android device. Things should work now.
Voilà, I hope my contribution will be helpful to you. Let me know if you need more details.
- dolbyman
- Guru
- Posts: 35274
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Bitwarden on TS251 (with SSL and all-inkl)
I leave this post intact but will close the topic for necroposting