https vaultwarden w/o self-signed certs & port forwarding?

Fellow DietPi enthusiasts,

I have long searched for a newbie-friendly solution, but, alas, I failed miserably…
Thus, I have come here to humbly seek your help in my quest to achieve this:

Goals

  • Running vaultwarden on HTTPS with a cert from letsencrypt (no more annoying warnings!)
  • No (additional) port forwarding for a reverse proxy solution (as I am no tech guru, I prefer to keep my attack surface minimal)

Current state

  • RPi4 @ DietPi 7.2.3
  • The default lighttpd web server
  • A working DDNS that resolves to my IP address (via own domain at OVH with ddclient update script)
  • A working vaultwarden installation (from dietpi-software with the default self-signed certificate)
  • A working wireguard installation (from dietpi-software with its port forwarding from the scary internet)
  • A slightly desperate, but still optimistic fellow (:

Research progress

My questions to you

  • Is there a way to achieve the above-mentioned goals with dietpi-letsencrypt?
    — If yes, what did I miss to not require additional port forwarding?
    — If no, do any of the above-mentioned guides work (provided one understands them & knows how to execute the instructions…)?
    — If no, can you provide me with a hint / direction / guide on where to look for additional help and guidance?

Thank you for all your help and have a wonderful day!

Hi,

basically DietPi is using certbot to generate SSL certificates. And this requires port 80 to be open to validate your DDNS (DietPi does not use the DNS challenge). https://certbot.eff.org/faq#:~:text=If%20you're%20using%20any,so%20temporarily%20during%20certificate%20validation.

Best solution might be using Nginx as a reverse proxy to forward the HTTPS port to your vaultwarden instance. This way you have only 2 ports open. There are a couple of configuration examples on the vaultwarden wiki https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples

But you already have lighttpd running. Are there any web services already running on it?

Hi Joulinar and thanks for your message!

I understand that dietpi-letsencrypt is using certbot and that the configuration does require port forwarding.

Using a reverse proxy seems possible, I am just wondering if I need to take additional precautions before forwarding ports and/or setting up a reverse proxy? I have never set one up before.

Is there really no way around this? When I am not in my local network, I connect via VPN to access my services. Seems like an unnecessary risk to set up everything with a reverse proxy / port forwarding just to get the Bitwarden clients to stop complaining about certificates. : /

I guess I have lighttpd running, because it is installed by default? Here are the services from dietpi-services that I have currently running:

│            redis-server : active | Affinity 0-3                              │
│            mariadb      : active | Affinity 0-3                              │
│            php7.3-fpm   : active | Affinity 0-3                              │
│            lighttpd     : active | Affinity 0-3                              │
│            jellyfin     : active | Affinity 0-3                              │
│            firefox-sync : active | Affinity 0-3                              │
│            vaultwarden  : active | Affinity 0-3                              │
│            netdata      : active | Affinity 0-3                              │
│            cron         : active | Affinity 0-3                              │
│            dropbear     : active | Affinity 0-3                              │
│            fail2ban     : active | Affinity 0-3                              │
│            pihole-FTL   : active | Affinity 0-3                              │
│            unbound      : active | Affinity 0-3                              │
│            dietpi-vpn   : inactive | Affinity 0-3                            │
│            ddclient     : active | Affinity 0-3                              │

Before we look into further configuration, could you share your aim? What would you like to achieve? I guess you would like to access vaultwarden from outside? Other apps as well, or vaultwarden only?

Good point, my goal is simply put:
Being able to use the official Bitwarden clients on Firefox / Android / … from within my local network.

Currently, I always get certificate warnings. Within Firefox, I can simply accept them, but the Android Bitwarden app can’t be used at all - I have to use the web browser, which is very cumbersome.

I guess(?) that I could copy the self-signed certificate from the Pi onto all of my devices. However, that doesn’t appear to be a lasting solution and I don’t know what other implications that may have. Thus, from my original post, I was trying to find alternative solutions to this problem.

There is no need for me to access services from outside, as I always connect via VPN to my home network. Jellyfin, Pihole and my other (probably HTTP only?) services all work like a charm via VPN.

Thank you for your help and have a great day!

hmm if you don’t need external access, it might be best to stay with your self-signed certificate to avoid opening ports to the internet. Usually you should be able to download the self-signed certificate from vaultwarden and upload it onto your devices. This should remove the warning message. How to download it is described in our online docs in the First access section. For Windows and macOS we also described how to upload the certificate. For iOS there are some guides on the web. Android should work similarly. At least in our tests we were able to get the native Bitwarden clients to connect.

https://dietpi.com/docs/software/cloud/#vaultwarden
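One check worth doing before importing a self-signed certificate into every device: confirm that the certificate you download over the network is really the one sitting on the Pi, so that a device on the LAN or VPN is not tricked into trusting a different one. The script below is an added example written for this thread; it is not DietPi or Vaultwarden code and the DietPi docs above do not describe it. It fetches the leaf certificate the server presents, computes the same SHA-256 fingerprint that `openssl x509 -noout -fingerprint -sha256 -in <path to the vaultwarden cert on the Pi>` prints, compares it against a fingerprint you obtained out of band (for example by running that openssl command over SSH on the Pi), and only then writes the PEM file for import. The host name, port and certificate path are assumptions, not values from the thread.

```python
"""Fetch a self-signed Vaultwarden certificate and verify its SHA-256 fingerprint
before saving it for import on a device.
Added example for the forum thread; not DietPi or Vaultwarden project code.
Uses only the Python standard library."""
import base64
import hashlib
import hmac
import ssl
import sys


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    inside = False
    body = []
    for raw in pem.strip().splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(body), validate=True)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare two fingerprints, ignoring case, colons and spaces.
    compare_digest avoids leaking the mismatch position via timing."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(seen), norm(expected))


def fetch_server_cert_pem(host: str, port: int = 443) -> str:
    """Retrieve the leaf certificate the server presents, without verifying it.
    Verification is impossible at this point: this is the certificate we are
    about to pin, so the fingerprint check below is the actual trust decision."""
    return ssl.get_server_certificate((host, port))


def check_and_save(host: str, port: int, expected_fp: str, out_path: str) -> str:
    """Fetch, compare against the out-of-band fingerprint, and save only on match.
    Returns the observed fingerprint so the caller can log it."""
    pem = fetch_server_cert_pem(host, port)
    seen = der_fingerprint(pem_to_der(pem))
    if not fingerprints_match(seen, expected_fp):
        raise SystemExit(f"fingerprint mismatch, NOT saving. Server presented: {seen}")
    with open(out_path, "w", encoding="ascii") as f:
        f.write(pem)
    return seen


if __name__ == "__main__":
    # Example invocation (host, port and fingerprint are placeholders you supply):
    #   python3 pin_vaultwarden_cert.py vaultwarden.lan 8001 'AB:CD:...' vaultwarden.crt
    if len(sys.argv) != 5:
        sys.exit("usage: HOST PORT EXPECTED_SHA256_FINGERPRINT OUT_PEM_PATH")
    fp = check_and_save(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])
    print(f"fingerprint verified ({fp}); certificate written to {sys.argv[4]}")
```

Run it from the VPN-connected client with the fingerprint you copied from the Pi over SSH; if the two differ, nothing is written and the certificate should not be imported. The saved PEM file is then what you hand to the device's certificate import dialog described in the DietPi docs.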

Hi Joulinar and thank you for the recommendation.

I registered my self-signed certificate and the Android Bitwarden app now works like a charm.

Hopefully a not only easy, but also secure & lasting solution.

Thanks again and have a great day!

ok perfect :sunglasses: