Home Assistant Community Add-on: Bitwarden RS

And what if you haven’t stored the admin key safely? (I know, stupid, but that is not the point now :wink: )

Or is reinstallation the only way?

edit: Found it somewhere in a snapshot.

Hey there,

I finally managed to set up SSL for my bitwarden add-on using a self-signed certificate.

It was kind of cumbersome because most tutorials about this result in certificates that are accepted neither by current Chrome versions (without warnings, anyway) nor by the bitwarden Android app.

After several attempts using various openssl commands and verifying with Chrome, it turned out that a root CA and a signed service certificate were not enough to eliminate Chrome’s warnings. For example, the use of subject alternative names (SAN) in addition to the common name (CN) is mandatory, otherwise a further warning will be shown. Specifying these X509 extensions on the command line / in config files would work, but by the time I was at that point I had had enough of trial and error.

I finally wound up using YAOG (Yet Another Openssl GUI). The developer has a good walkthrough here: YAOG/docs/10-full-example-1.md at master · patrickpr/YAOG · GitHub
With minor adaptations it worked for my purpose as described.

After creating the Root CA and a signed service certificate, it needs some postprocessing (which I did on my Linux box):

  1. Append the public key of the Root CA to the public key of the service certificate:

    cat RootCA.pem >> bitwarden-pub.pem

  2. Copy the service certificate to the hassio ssl folder:

    sudo cp bitwarden-pub.pem /usr/share/hassio/ssl/bitwarden-fullchain.pem
    sudo cp bitwarden-key.pem /usr/share/hassio/ssl/bitwarden-privkey.pem

  3. Change the bitwarden add-on config to these new files:

    {
      "ssl": true,
      "certfile": "bitwarden-fullchain.pem",
      "keyfile": "bitwarden-privkey.pem",
      "log_level": "info"
    }

In order for Chrome to accept the certificate:
Import the root CA certificate (pem) into the Windows certificate store as a trusted root certificate.

In order for the Bitwarden Android app to accept the certificate, import the root CA certificate into Android’s trusted credentials store. For that to work, the certificate has to be converted first:

    openssl x509 -inform PEM -outform DER -in RootCA.pem -out RootCA.der.crt

The RootCA.der.crt can be put in the root of the SD card and then imported.

Hope this helps.
Jochen

4 Likes

:tada: Release v0.2.0

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to v3.1.3
  • :pencil2: Maintaince -> Maintenance
  • :sparkles: Adds FUNDING.yml

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

Thanks, seems awesome! Maybe a good alternative to Dashlane and KeePass.
One question:

  • Is it insecure to expose it on the web?
  • How to configure the mail sending? The invitations that I send don’t appear in the mailbox… Is there a log to see if the mail sending failed? (I haven’t activated SSL, I know it’s bad, but it’s just for a quick test. Maybe it’s a problem for mail sending?)

Edit: I found the /admin interface with SMTP settings :sweat_smile:

Thanks.

I’m getting this error when I log in locally. I created my account on the BitWarden website, and I have ssl set to false.

I did some searching and didn’t see anyone else having this issue. Anyone have any ideas?

That’s a known limitation when running non-SSL; it’s described on the GitHub page:

1 Like

Well, I totally missed it. Woops, and thanks for pointing it out!

:tada: Release v0.2.1

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to v3.1.4

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

@jo-me could you please explain what minor adaptations you made? I’m interested in doing the same thing you did, but I can’t get it to work.
Thanks in advance.

I generally followed the guide from the YAOG tool linked above, but used slightly different settings.

RootCA settings:

  • CN “HomeServer ROOT”
  • sha256 digest
  • key: RSA 2048 with AES-256 passphrase
  • do not add email address
  • basicConstraints: CA:TRUE

For the service certificates (e.g. for bitwarden) I changed/added the following settings:

  • do not add email address
  • key: RSA 2048 bit, but without password
  • basicConstraints: CA:FALSE
  • authorityKeyIdentifier: keyid:HomeServer ROOT
  • subjectAltName: URI:https://serverhostname,IP:192.168.xxx.yy,DNS:serverhostname
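The same root CA / service certificate setup (the postprocessing steps in the first post and the YAOG settings listed here) done with plain openssl, as an added example that is not code from the posts or the add-on. The hostname, IP address and CA passphrase are constructed placeholders, and everything is written to a temporary working directory.

```shell
#!/bin/sh
# Added example, not code from the posts or the add-on: the YAOG settings above
# reproduced with plain openssl. Hostname, IP and CA passphrase are placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-homeserver.lan}"    # stands in for "serverhostname"
IP="${IP:-192.168.1.10}"          # stands in for 192.168.xxx.yy
CAPASS="pass:example-passphrase"  # placeholder passphrase for the CA key

# Root CA: CN "HomeServer ROOT", sha256, RSA 2048 key encrypted with AES-256, CA:TRUE.
# A dedicated -config file keeps the system openssl.cnf defaults out of the picture.
make_root_ca() {
  printf '%s\n' "[req]" "prompt = no" "distinguished_name = dn" "x509_extensions = ca" \
    "[dn]" "CN = HomeServer ROOT" "[ca]" "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign" "subjectKeyIdentifier = hash" > "$WORKDIR/ca.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
    -pass "$CAPASS" -out "$WORKDIR/RootCA-key.pem" 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config "$WORKDIR/ca.cnf" \
    -key "$WORKDIR/RootCA-key.pem" -passin "$CAPASS" -out "$WORKDIR/RootCA.pem" 2>/dev/null
}

# Service certificate: RSA 2048 key without passphrase, CA:FALSE, AKID pointing at the
# root, and the URI/IP/DNS SAN entries Chrome requires in addition to the CN.
make_service_cert() {
  printf '%s\n' "basicConstraints = CA:FALSE" "authorityKeyIdentifier = keyid,issuer" \
    "extendedKeyUsage = serverAuth" \
    "subjectAltName = URI:https://$HOST,IP:$IP,DNS:$HOST" > "$WORKDIR/bitwarden.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/ca.cnf" -subj "/CN=$HOST" \
    -keyout "$WORKDIR/bitwarden-key.pem" -out "$WORKDIR/bitwarden.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/bitwarden.csr" -CAcreateserial \
    -CA "$WORKDIR/RootCA.pem" -CAkey "$WORKDIR/RootCA-key.pem" -passin "$CAPASS" \
    -extfile "$WORKDIR/bitwarden.ext" -out "$WORKDIR/bitwarden-pub.pem" 2>/dev/null
  # Step 1 of the first post: append the root CA to get the "fullchain" file.
  cat "$WORKDIR/RootCA.pem" >> "$WORKDIR/bitwarden-pub.pem"
}

# The checks a browser or app performs: chain to the trusted root, and hostname / IP
# matched against the SAN (a CN-only certificate fails these checks).
verify_chain() {
  openssl verify -CAfile "$WORKDIR/RootCA.pem" -verify_hostname "$HOST" \
    "$WORKDIR/bitwarden-pub.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$WORKDIR/RootCA.pem" -verify_ip "$IP" \
      "$WORKDIR/bitwarden-pub.pem" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  make_root_ca && make_service_cert && verify_chain &&
    echo "chain and SAN verified; files are in $WORKDIR"
fi
```

The resulting bitwarden-pub.pem and bitwarden-key.pem are what steps 2 and 3 of the first post copy into the hassio ssl folder, and RootCA.pem is the file to import into the Windows and Android trust stores.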

:tada: Release v0.2.2

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to v3.2.0

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

:tada: Release v0.3.0

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :arrow_up: Upgrades Bitwarden RS to 1.10.0 (#6)

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

Is there a way to back up all pw information from all users using my bitwarden instance, so I can move to another instance?

1 Like

:tada: Release v0.3.1.

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :fire: Removes unneeded access to config folder
  • :arrow_up: Upgrades add-on base image to v4.0.0

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

1 Like

@Chandler_K_Sharp My understanding is that with Bitwarden, all you need to do is migrate the ./bwdata directory.

https://help.bitwarden.com/article/backup-on-premise/

I read that as well, but I didn’t have any luck finding that directory on my Linux machine running hassio.
The best I could find was /usr/share/hassio/addon/data/bitwarden, but I didn’t know if that was correct, or where I could find the others in Linux?

@Chandler_K_Sharp You’re right, I can’t seem to locate that directory either. We might need some input from @frenck on this one.

So according to this, the files in that location seem to correspond. I even have the SQL database file. I wonder if I could use the SQLite add-on or something and successfully back it up that way.

:tada: Release v0.3.2

Full Changelog

This release is a generic update release.

:hammer: Changes

  • :arrow_up: Upgrades Bitwarden RS to 1.11.0 (#8)

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

I just had a look at it, last available version (0.3.2) - I can’t seem to override the admin token, so it creates a new token every time it starts.

I imported some 1password.pif and it seems Chrome doesn’t like it - I have around 3500 passwords in the pif; the web shows all created folders empty when accessing the web vault. I changed the request size to 30MB, no change.

The iOS app and Safari, however, show the imported/moved passwords fine …

What are the options to debug the above issues?

I use the duckdns/letsencrypt add-on and SSL works by using the local DNS.

Also, how do I completely remove it - it seems ditching the container isn’t sufficient; some additional information is retained somewhere.