Wiki update: Setting up TLS #562

New Issue

Closed

opened 2026-02-04 21:33:43 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-04 21:33:43 +03:00

Owner

Copy Link

Originally created by @Dubz on GitHub (Jan 13, 2020).

Unless I overlooked them, there aren't any notes specifying these key points when configuring SSL for containers.

• Certificates must be in RSA format. If they aren't, it will complain it could not parse the environment variables and fail to start. I spent a lot of time trying to use an ECDSA key not realizing this. Switched to RSA and things started working (after cleaning up other debugging steps I took)
• Use the environment variable ROCKET_PORT to change the system to listen on 443 if necessary. I had to do this for it to run on Google Cloud Platform (GCP). You could probably also just port forward 443 to 80 if you'd like, but this seems to be a more ideal solution, at least for me. You can always change the port to something completely different as well if desired (ex. 8443).
• If you plan on using Cloudflare in front of your install, I highly recommend using the Full (Strict) SSL/TLS option if possible. This ensures the highest level of security (meaning your server has a valid signed certificate being used).

---

To use Cloudflare with minimal hassle and not having to fight with LetsEncrypt:

1. Generate an origin certificate if desired, it's free for all plans on Cloudflare
2. Install the certs to your container storage somewhere
3. Use ROCKET_TLS to point to both files
4. Use ROCKET_PORT to change the default port to 443
5. Switch Full (Strict) SSL/TLS on for the domain on Cloudflare

Note the longest period a generated origin cert can be set valid for is 15 years. Additionally, these certs are only trusted by Cloudflare's origin servers (hence why it's signed by them). The general public's browsers will still freak out. There is a possibility the cert will be terminated earlier than 15 years at Cloudflare's discretion, and you would need to update your cert again if/when it expires or gets revoked. This is just a matter of signing in to your control panel, clicking a few things, copying the text, and pasting it over the files on your server, then reloading it. Sure, not automated like LE, but considering the time it takes in comparison, it's not that bad. You can always regenerate new certs ahead of time as well, to extend the final expiration date.

I'm not expecting all of this to be added to the wiki. I'm just dropping it here in case anyone else is having issues and can't figure it out. Might save them some time.

Originally created by @Dubz on GitHub (Jan 13, 2020). Unless I overlooked them, there aren't any notes specifying these key points when configuring SSL for containers. - Certificates must be in RSA format. If they aren't, it will complain it could not parse the environment variables and fail to start. I spent a lot of time trying to use an ECDSA key not realizing this. Switched to RSA and things started working (after cleaning up other debugging steps I took) - Use the environment variable `ROCKET_PORT` to change the system to listen on 443 if necessary. I had to do this for it to run on Google Cloud Platform (GCP). You could probably also just port forward 443 to 80 if you'd like, but this seems to be a more ideal solution, at least for me. You can always change the port to something completely different as well if desired (ex. 8443). - If you plan on using Cloudflare in front of your install, I highly recommend using the `Full (Strict)` SSL/TLS option if possible. This ensures the highest level of security (meaning your server has a valid signed certificate being used). --- To use Cloudflare with minimal hassle and not having to fight with LetsEncrypt: 1. Generate an origin certificate if desired, it's free for all plans on Cloudflare 1. Install the certs to your container storage somewhere 1. Use `ROCKET_TLS` to point to both files 1. Use `ROCKET_PORT` to change the default port to 443 1. Switch `Full (Strict)` SSL/TLS on for the domain on Cloudflare Note the longest period a generated origin cert can be set valid for is 15 years. Additionally, these certs are only trusted by Cloudflare's origin servers (hence why it's signed by them). The general public's browsers will still freak out. There is a possibility the cert will be terminated earlier than 15 years at Cloudflare's discretion, and you would need to update your cert again if/when it expires or gets revoked. This is just a matter of signing in to your control panel, clicking a few things, copying the text, and pasting it over the files on your server, then reloading it. Sure, not automated like LE, but considering the time it takes in comparison, it's not that bad. You can always regenerate new certs ahead of time as well, to extend the final expiration date. I'm not expecting all of this to be added to the wiki. I'm just dropping it here in case anyone else is having issues and can't figure it out. Might save them some time.

OVERLORD closed this issue 2026-02-04 21:33:45 +03:00

OVERLORD commented 2026-02-04 21:33:51 +03:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Jan 14, 2020):

Yeah the wiki is a bit lacking in some places, if you could help complete it that would be great, I think mentioning at least the RSA format and the port info would help. I think a short mention about the cloudflare setup wouldn't hurt either.

https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS

@dani-garcia commented on GitHub (Jan 14, 2020): Yeah the wiki is a bit lacking in some places, if you could help complete it that would be great, I think mentioning at least the RSA format and the port info would help. I think a short mention about the cloudflare setup wouldn't hurt either. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS

OVERLORD commented 2026-02-04 21:33:57 +03:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (May 14, 2020):

Closed due to inactivity.

@dani-garcia commented on GitHub (May 14, 2020): Closed due to inactivity.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#562