I'm currently installing Bitwarden, which normally automates certbot in its setup sh script. However, I'm trying to do the SSL cert manually because their install (and update) script only supports the HTTP challenge.
I'm a little confused with how to manually specify the certificate directory in certbot since this is all running in a Docker container, and I'm not very good with Docker.
The Bitwarden install script uses certbot defaults and outputs to /etc/letsencrypt/live/my.domain, which is actually remapped due to the Docker/Nginx environment.
```
docker run -it --rm --name certbot -p 80:80 -v /opt/bitwarden/letsencrypt:/etc/letsencrypt/
```
Per the Bitwarden documentation, I can use my own SSL certificate by saving (1) the server cert, (2) the CA cert, and (3) the private key to ./bwdata/ssl/your.domain.
So my questions are:
How do I specify a different output path for certs/key, given the Docker/Nginx environment?
Do I need to include the same path commands when doing a renew command? Or is renew intelligent enough to recognize the current directory?
I read the documentation that discusses specifying paths, but am unsure if I use that, or if I can simply change the mapped (bound?) directory in the certbot command itself.
Would something like this be correct?
(I have no real experience with Docker, so I'm completely guessing about the items below)
```
docker run -it --rm --name certbot -p 80:80 \
-v /opt/bitwarden/letsencrypt:/etc/letsencrypt/ \
--cert-path /opt/bitwarden/bwdata/ssl/my.domain/ \
--key-path /opt/bitwarden/bwdata/ssl/my.domain/ \
certonly \
<the rest of my --dns-cloudflare arguments>
```
Edit: Afterthought: does certbot save the certs to the host and then bind the container dir to the host dir? So the certs in the container are links rather than the actual files?
You won't be able to get certbot to output two files into one file. [as needed by bitwarden]
You can instruct certbot to copy the needed files into a third file [after each successful cert issuance] with a "--post-hook" script.
See: User Guide — Certbot 2.10.0.dev0 documentation
The renewal configuration stores the last working command [it's smart enough] to redo it as it last worked. All you would have to say to renew all your certs is:
```
certbot renew
```
[which should already be scheduled to run/check twice a day]
Sorry, it seems bitwarden can use the cert as separate files.
That said, it's generally not best practice to mess with anything "under the certbot hood" [unless you really know what you're doing down there].
It's much simpler to let certbot do whatever it already does [quite well - many years of thought/upgrades are included in their latest version]. And then just copy the files from that default location to wherever you need them.
OR create sym-links in the default bitwarden file location that point to the certbot file location.
OR instruct bitwarden to use the location where certbot has placed those files:
There's no option in the bitwarden config.yml file to change the default/expected certificate directory, so I think I'll avoid sym links in the off chance that pointing config.yml to the same directory that bitwarden uses as the default leads to issues.
That leaves me with using a post-hook to move the certificates. To make sure I have this correct, these would be my steps?
Create copy-certs.sh, change perms to 755, then move it to /etc/letsencrypt/renewal-hooks/post/copy-certs.sh
The script is labeled "copy" and then it "moves" files.
Please don't "move" any files out of the /etc/letsencrypt/ folders.
Do "copy", Don't "move".
[use "cp" instead of "mv"]
Step #2: Problem 1:
The certbot container is set to use:
But the "copy-certs" script uses:
Which should likely be:
```
cp /etc/letsencrypt/live/my.domain/* /etc/ssl/my.domain/
```
Step #2: Problem 2:
The -v settings seem to end *differently:
[one has a trailing slash - the other doesn't - separated for visibility]
I think they should both end the same way.
Step #3: Note: Certbot installations usually create cron type job [or systemd timers].
Step #4: That is a question for the bitwarden support channel.
I can only guess... Bitwarden isn't affected by Docker, so it should be able to be set to wherever you copy the files.
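Putting the advice from the two replies above together (copy, never move; keep /etc/letsencrypt intact; make the source and destination paths match), here is what such a hook script can look like. This is an added example, not code from the thread, from Certbot or from Bitwarden. It assumes the domain and the /opt/bitwarden/bwdata/ssl/my.domain destination from the thread, and assumes the target file names that Bitwarden's custom-certificate setup points at in config.yml (certificate.crt, ca.crt, private.key); check those against your own config.yml before using it.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or Bitwarden): a certbot renewal
# hook that COPIES the files certbot issued into the directory Bitwarden reads
# custom certificates from. Paths and target file names are assumptions taken
# from the thread and from Bitwarden's custom-certificate setup.
#
# Install: save as /etc/letsencrypt/renewal-hooks/deploy/copy-certs.sh and
# chmod 755. Certbot runs deploy hooks only after a certificate was actually
# renewed and exports RENEWED_LINEAGE (the live/<domain> directory for it).
set -eu

# Where Bitwarden expects custom certificate files (assumption from the thread).
DEST="${BW_SSL_DIR:-/opt/bitwarden/bwdata/ssl/my.domain}"

# copy_certs SRC DST
# SRC is certbot's live/<domain> directory, DST is Bitwarden's ssl directory.
# Uses cp -L (dereference the live/ symlinks), never mv, so certbot's own
# tree stays intact and the next renewal keeps working.
copy_certs() {
    src=$1
    dst=$2
    for f in fullchain.pem chain.pem privkey.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "copy-certs: missing $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # Target names are the ones Bitwarden's custom-cert setup uses (assumed).
    cp -L "$src/fullchain.pem" "$dst/certificate.crt"
    cp -L "$src/chain.pem"     "$dst/ca.crt"
    cp -L "$src/privkey.pem"   "$dst/private.key"
    chmod 644 "$dst/certificate.crt" "$dst/ca.crt"
    chmod 600 "$dst/private.key"
    # Fail loudly if a copy does not match its source.
    cmp -s "$src/fullchain.pem" "$dst/certificate.crt" &&
    cmp -s "$src/privkey.pem"   "$dst/private.key"
}

# selftest: builds a constructed archive/ + live/ layout (the shape certbot
# uses) in a temp dir and runs copy_certs against it, so the script can be
# exercised without certbot. Contents are placeholders, not key material.
selftest() {
    tmp=$(mktemp -d)
    live="$tmp/live/my.domain"
    mkdir -p "$tmp/archive/my.domain" "$live"
    for f in fullchain chain privkey; do
        printf -- '-----BEGIN FAKE %s-----\n' "$f" > "$tmp/archive/my.domain/${f}1.pem"
        ln -s "../../archive/my.domain/${f}1.pem" "$live/$f.pem"
    done
    copy_certs "$live" "$tmp/bwdata/ssl/my.domain"
    # Source must still be there: we copied, we did not move.
    [ -L "$live/privkey.pem" ] && [ -f "$tmp/bwdata/ssl/my.domain/private.key" ]
    # The copy is a regular file, not a symlink back into letsencrypt.
    [ ! -L "$tmp/bwdata/ssl/my.domain/private.key" ]
    rm -rf "$tmp"
    echo "copy-certs: selftest ok"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "$DEST"
else
    selftest
fi
```

Two things matter in the Docker setup from the original question. First, a deploy hook is a better fit than a post hook for this job: post hooks run at the end of every `certbot renew`, including the twice-daily runs that renew nothing, while deploy hooks run only when a certificate actually changed. Second, because the hook runs inside the certbot container, the destination directory has to be bind-mounted into that container too (for example a second `-v /opt/bitwarden/bwdata/ssl:/opt/bitwarden/bwdata/ssl`), using the same path on both sides; without that mount the copy lands in the container's filesystem and disappears with `--rm`.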
Can I ask why? What issues would moving certs to another folder cause?
If I don't move them out of there, I'm concerned that Bitwarden will see scripts in the 'expected' directory and not treat them as custom certs. Otherwise, I would just use a symlink and avoid all the other work.
Bitwarden, by default, looks for certs in /etc/letsencrypt/live/my.domain. The scripts that Bitwarden uses to update certificates are coded to use that directory/write to it/detect certificates in there.
They allow you to use custom certificates, but prefer /opt/bitwarden/bwdata/ssl/my.domain. You can change that folder by editing the config.yml, but I don't think it should be changed to point to /etc/letsencrypt/live/my.domain (Bitwarden's default) because having custom SSL certs where they expect the default scripts may conflict with how their scripts work.
While there are options in config.yml to specify the directory for custom SSL cert, there is no option to change Bitwarden's default/expected directory.