Traefik and LetsEncrypt without Internet for Local Vaultwarden Application?

Hello community, I want to run Vaultwarden purely locally.

The "website" is accessible at vault.domain.local; that's not my problem. My problem is that this password safe requires SSL or HTTPS to work.

Hence my question: how could this be solved so that I get an SSL certificate via Traefik without putting the "application" on the Internet?

I could also use if necessary, but how would it be possible to get this LetsEncrypt certificate without the Internet?

Hope you know and understand what I mean and can help me to solve this.

Hello @csaeum,

You can generate local certificates (e.g. using mkcert) and tell Traefik to use those certs like so: Traefik TLS Documentation - Traefik

Hope it helps :smiley:
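As an added example (not taken from the reply above or from the Traefik project), here is a Traefik v2 dynamic configuration file that serves a certificate pair generated with mkcert for `vault.domain.local`. The container paths, the router and service names and the backend address are assumptions. mkcert installs its own CA into the trust store of the machine where it is run, so browsers on those machines accept the certificate; any other client still sees a warning unless the mkcert root CA is distributed to it.

```yaml
# Added example: Traefik v2 dynamic configuration (file provider).
# Assumes the static config points the file provider at this file, e.g.
#   providers:
#     file:
#       filename: /etc/traefik/dynamic.yml
# and that mkcert produced the two files mounted under /certs, e.g.
#   mkcert -cert-file vault.domain.local.pem -key-file vault.domain.local-key.pem vault.domain.local
# Paths, names and the backend URL are constructed for this example.
tls:
  certificates:
    # Traefik picks the certificate whose SAN matches the requested host
    - certFile: /certs/vault.domain.local.pem
      keyFile: /certs/vault.domain.local-key.pem
  stores:
    default:
      # served when no SAN matches, instead of Traefik's own self-signed default
      defaultCertificate:
        certFile: /certs/vault.domain.local.pem
        keyFile: /certs/vault.domain.local-key.pem

http:
  routers:
    vaultwarden:
      rule: "Host(`vault.domain.local`)"
      entryPoints:
        - websecure
      service: vaultwarden
      tls: {}   # terminate TLS here with the certificate from the store above
  services:
    vaultwarden:
      loadBalancer:
        servers:
          # Vaultwarden container on the same Docker network (constructed address)
          - url: "http://vaultwarden:80"
```

Keep the key file readable only by the Traefik process; the mkcert root CA key (in the mkcert CAROOT directory) should never be copied into the container, only the leaf certificate and its key.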

Okay thanks, but don't I then have the problem of self-created certificates and the error message being displayed in the browser?

You can use the DNS01 Challenge to get the certificate from LE. Your Traefik instance needs internet access, but there is no need for a route from the internet to your application.

Yes, with self-signed certs you'd get annoying error messages. We get valid TLS certificates for our development environments by using the DNS01 challenge. The Traefik container that acts as reverse-proxy in front of our PHP containers isn't reachable from the internet, but it can connect to the internet.

The domain for which we're trying to get certs is hosted at Google Cloud DNS, so we provided GCP service-account credentials to the Traefik container and it uses those to create a DNS record, asks Let's Encrypt to validate it, downloads the cert and deletes the DNS record. The process only takes a few seconds. Because it's a valid cert, you don't get any errors. So the development host is never publicly reachable. You could use any other DNS provider that Traefik supports, of course. It works very well for us.
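The setup described in the two replies above, as an added example that is not from those posts or from the Traefik project: a Traefik v2 static configuration using the ACME DNS-01 challenge with the Google Cloud DNS provider. The resolver name, e-mail address, storage path and environment variable usage are assumptions for this example. Two caveats a practitioner should know: Let's Encrypt only issues certificates for names in public DNS, so the host needs a name in a domain you own (e.g. `vault.example.com`) rather than `.local`, and the DNS-01 challenge never needs an A record pointing at the host, so the name can resolve to a private address or only in internal DNS.

```yaml
# Added example: Traefik v2 static configuration (traefik.yml).
# Traefik needs outbound access to Let's Encrypt and to the Cloud DNS API only;
# nothing has to be reachable from the internet.
# The gcloud provider reads its credentials from the environment of the Traefik
# container (constructed values for this example):
#   GCE_PROJECT=my-gcp-project
#   GCE_SERVICE_ACCOUNT_FILE=/run/secrets/gcp-dns-sa.json
# Scope that service account to DNS changes in this one zone only.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false   # only containers with traefik.enable=true get routed

certificatesResolvers:
  le-dns:
    acme:
      email: admin@example.com          # constructed value
      storage: /letsencrypt/acme.json   # persist this volume; keep the file mode 600
      dnsChallenge:
        provider: gcloud
        # Check the TXT record against public resolvers; with split-horizon
        # internal DNS the container's default resolver may never see it.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

A container then opts in with the usual labels, for example `traefik.http.routers.vaultwarden.rule=Host(`vault.example.com`)` and `traefik.http.routers.vaultwarden.tls.certresolver=le-dns`; the resolver name in the label must match the one under `certificatesResolvers`.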

Unfortunately I can't do a DNS challenge because our domain provider doesn't allow changing the DNS entries via API.

An alternative I'm considering would be:

I put the Docker environment on a VServer directly on the network and block all IPs except those from Germany.

In addition, an AUTH from Traefik unless the request comes from our location with a fixed IP!

What do you all think?
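The access rule sketched in the last post, as an added example that is not from the post or from the Traefik project: a Traefik v2 dynamic configuration with two routers for the same host, where requests from the office's fixed IP are routed without extra authentication and all other requests must pass a basic-auth middleware. The IP, host name, user, hash placeholder and resolver name are constructed. The country-based blocking mentioned in the post is not something Traefik does by itself; that part belongs in the host firewall or at the hosting provider and is not covered here.

```yaml
# Added example: Traefik v2 dynamic configuration (file provider).
# Requests whose client IP matches the office range hit vault-office (higher
# priority, no auth); everything else falls through to vault-remote with basic auth.
# Traefik is the edge here, so ClientIP() sees the real source address.
http:
  middlewares:
    vault-auth:
      basicAuth:
        # Generate with: htpasswd -nB admin
        # The hash below is a placeholder, not a real credential.
        users:
          - "admin:$2y$05$PLACEHOLDER_BCRYPT_HASH"
  routers:
    vault-office:
      rule: "Host(`vault.example.com`) && ClientIP(`203.0.113.10/32`)"   # office IP (TEST-NET-3, constructed)
      priority: 20
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        certResolver: le-dns
    vault-remote:
      rule: "Host(`vault.example.com`)"
      priority: 10
      entryPoints:
        - websecure
      middlewares:
        - vault-auth
      service: vaultwarden
      tls:
        certResolver: le-dns
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://vaultwarden:80"   # constructed backend address
```

Explicit priorities matter here: without them Traefik ranks routers by rule length, which happens to favour the longer `vault-office` rule, but stating the intent is less fragile. Also note that the Bitwarden desktop and mobile clients do not answer a browser-style basic-auth challenge, so in practice this kind of middleware is applied only to paths that are used from a browser (such as the admin panel), not to the whole vault.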