diff --git a/Running-a-private-bitwarden_rs-instance-with-Let's-Encrypt-certs.md b/Running-a-private-bitwarden_rs-instance-with-Let's-Encrypt-certs.md index 070e140..8df245e 100644 --- a/Running-a-private-bitwarden_rs-instance-with-Let's-Encrypt-certs.md +++ b/Running-a-private-bitwarden_rs-instance-with-Let's-Encrypt-certs.md @@ -109,6 +109,25 @@ export WEBSOCKET_ENABLED=true You should now be able to reach your bitwarden_rs instance at https://bwrs.example.com. +## Getting certs using the `lego` CLI + +In the DuckDNS example above, Caddy used the [`lego`](https://github.com/go-acme/lego) library to get certs via DNS challenge. +`lego` also has a CLI that you can use to get certs directly, e.g. if you want to a reverse proxy other than Caddy. + +Here's an example of how to do this: + +1. Download a pre-built `lego` binary for your system from https://github.com/go-acme/lego. Extract the contents to some directory, say, `/usr/local/lego`. +2. From that directory, run `DUCKDNS_TOKEN= ./lego -a --dns duckdns -d my-bwrs.duckdns.org -m me@example.com run`, + substituting appropriate values for the token, domain, and email address. This registers you with Let's Encrypt and + fetches a certificate for your domain. +3. Set up a weekly cron job to run `DUCKDNS_TOKEN= ./lego --dns duckdns -d my-bwrs.duckdns.org -m me@example.com renew`. + This renews your certificate as it nears expiration. + +In this example, the generated outputs you need to configure your reverse proxy with are: + +* `/usr/local/lego/.lego/certificates/my-bwrs.duckdns.org.crt` (certificate) +* `/usr/local/lego/.lego/certificates/my-bwrs.duckdns.org.key` (private key) + ## References ### DNS Challenge
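Review bot: In step 3, the cron command runs the relative `./lego` and depends on the `.lego` directory being under the current working directory, but a cron job does not start in `/usr/local/lego`, so the renewal as written would not find the account and certificates created in step 2. Say to `cd /usr/local/lego` in the cron entry, or use an absolute path to the binary together with lego's `--path /usr/local/lego/.lego`. Steps 2 and 3 both show `DUCKDNS_TOKEN=` with nothing after it, which reads as an empty token; use a visible placeholder, and consider recommending that the token be kept in a file readable only by the cron user rather than written into the crontab line. The outputs list should mention that the `.key` file must be readable only by the reverse proxy's user, and the section should note that the proxy has to be reloaded after a renewal to pick up the new certificate. Typo in the second line of the new section: "if you want to a reverse proxy other than Caddy" is missing "use".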