Certificate Options
This article defines the certificate options available to self-hosted instances of Bitwarden. You will select your certificate option during installation.
note
The information in this article may not apply to Bitwarden Unified self-hosted deployments.
Let's Encrypt is a certificate authority (CA) that issues trusted SSL certificates free of charge for any domain. The Bitwarden installation script offers the option to generate a trusted SSL certificate for your domain using Let's Encrypt and Certbot.
Certificate renewal checks occur each time Bitwarden is restarted. Using Let's Encrypt will require you to enter an email address for certificate expiration reminders.
Using Let's Encrypt requires ports 80 and 443 to be open on your machine.
If you change the domain name of your Bitwarden server, you will need to manually update your generated certificate. Run the following commands to create a backup, update your certificate, and rebuild Bitwarden:
Bash
Bash./bitwarden.sh stop
mv ./bwdata/letsencrypt ./bwdata/letsencrypt_backup
mkdir ./bwdata/letsencrypt
chown -R bitwarden:bitwarden ./bwdata/letsencrypt
chmod -R 740 ./bwdata/letsencrypt
docker pull certbot/certbot
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v <Full Path from / >/bwdata/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --email <user@email.com> --logs-dir /etc/letsencrypt/logs
Select 1, then follow the instructions:
Bashopenssl dhparam -out ./bwdata/letsencrypt/live/<your.domain.com>/dhparam.pem 2048 ./bitwarden.sh rebuild ./bitwarden.sh start
PowerShell
tip
You will need to install a build of OpenSSL for Windows.
Bash