
Authenticate bw CLI inside CT103

HOW-TO -- run when a script inside CT103 needs direct bw CLI access (T212 credential injection, Cloudflare token piping, etc.) and the session is missing or expired.

Container: CT103 (itachi-security, LAN 192.168.1.250)
Vaultwarden: Docker container inside CT103, HTTPS on port 443, self-signed cert with SAN
Account: michael.asolo1@gmail.com


Prerequisites

  • SSH access to Z2 host (ssh hinata-z2)
  • bw CLI installed inside CT103 -- verify:

```bash
ssh hinata-z2 "pct exec 103 -- bw --version"
```

If missing, install:

```bash
ssh hinata-z2 "pct exec 103 -- bash -c '
apt-get update && apt-get install -y unzip curl
curl -Lo /tmp/bw.zip \"https://vault.bitwarden.com/download/?app=cli&platform=linux\"
unzip -o /tmp/bw.zip -d /usr/local/bin/
chmod +x /usr/local/bin/bw
rm /tmp/bw.zip
'"
```

  • NODE_EXTRA_CA_CERTS must point to the Vaultwarden self-signed cert. bw is a Node.js app -- it ignores the system CA store (/etc/ssl/certs/). Without this, every bw command fails with DEPTH_ZERO_SELF_SIGNED_CERT. Persist in /root/.bashrc:

```bash
ssh hinata-z2 "pct exec 103 -- bash -c \"grep -q NODE_EXTRA_CA_CERTS /root/.bashrc || echo 'export NODE_EXTRA_CA_CERTS=/ssl/certs.pem' >> /root/.bashrc\""
```

1 -- Configure server URL

From inside CT103, Vaultwarden is at https://127.0.0.1:

```bash
ssh hinata-z2 "pct exec 103 -- bw config server https://127.0.0.1"
```

Verify:

```bash
ssh hinata-z2 "pct exec 103 -- bw status"
```

Expected: "serverUrl": "https://127.0.0.1" in output. Status will be "unauthenticated" on first run.

2 -- Login

Interactive login -- requires master password entry:

```bash
ssh -t hinata-z2 "pct enter 103"
# inside CT103:
export NODE_EXTRA_CA_CERTS=/ssl/certs.pem
bw login michael.asolo1@gmail.com
```

On success, bw prints a BW_SESSION token. Copy it for the next step, or proceed directly to unlock.

pct enter is required -- pct exec cannot handle interactive TTY prompts. NODE_EXTRA_CA_CERTS is needed if .bashrc hasn't been sourced yet (fresh pct enter sessions don't source it). Exit after login.

3 -- Unlock and export session

Unlock the vault to get a usable session token:

```bash
ssh -t hinata-z2 "pct enter 103"
# inside CT103:
export BW_SESSION=$(bw unlock --raw)
```

Cache the session for non-interactive use by scripts:

```bash
bw unlock --raw > /root/.bw_session
chmod 600 /root/.bw_session
```

Scripts can then source it:

```bash
export BW_SESSION=$(cat /root/.bw_session)
```

4 -- Verify

```bash
# Sync vault data
bw sync

# Confirm item access
bw list items --search test | head -c 200

# Targeted read (example)
bw get notes anthropic-api-key --session $(cat /root/.bw_session) | head -c 10
```

All three should succeed without TLS or authentication errors.

Session persistence

BW_SESSION is ephemeral:

  • Expires on idle timeout (Vaultwarden default: ~15 min without activity)
  • Does not survive container restart (pct reboot 103)
  • Does not survive Vaultwarden Docker restart (docker restart vaultwarden)

After any of these events, re-run step 3 (unlock). Login (step 2) persists across unlocks -- you only need to re-login if the credential store is wiped or the server URL changes.

For scripts that run on a schedule, prefix with an unlock guard:

```bash
# Assign first, export second: `export VAR=$(cmd)` returns the exit status
# of export (always 0), so the `||` branch would never fire.
BW_SESSION=$(bw unlock --raw 2>/dev/null) || {
    echo "bw unlock failed -- manual intervention required" >&2
    exit 1
}
export BW_SESSION
```

If unlock fails, the script exits loud -- no silent credential fallback.
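The prerequisites, the cached-session pattern and the troubleshooting table above fold into one reusable guard. The script below is an added example, not part of the original runbook: it checks NODE_EXTRA_CA_CERTS before touching bw, refuses a cached /root/.bw_session whose mode has drifted from 600, reuses the cached token only if `bw status` reports it as unlocked, and otherwise re-unlocks and exits loud. The paths /ssl/certs.pem and /root/.bw_session come from the runbook; BW_BIN, CA_CERT and SESSION_FILE are assumed override hooks so the pure checks can be exercised without a real bw binary.

```shell
#!/usr/bin/env bash
# Added example (not the runbook's own code): preflight + session guard for
# scripts inside CT103. Source it, then call ensure_bw_session:
#   . /root/bw_guard.sh && ensure_bw_session || exit 1
set -u

BW_BIN="${BW_BIN:-bw}"                          # assumed override hook
CA_CERT="${CA_CERT:-/ssl/certs.pem}"            # path from the runbook
SESSION_FILE="${SESSION_FILE:-/root/.bw_session}"  # path from the runbook

# Extract the "status" field from the single-line JSON that `bw status`
# prints, without needing jq. Prints "unknown" when the field is absent.
bw_status_field() {
    local v
    v=$(printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    printf '%s\n' "${v:-unknown}"
}

# NODE_EXTRA_CA_CERTS must be exported and point at a readable PEM file;
# otherwise every bw call dies with DEPTH_ZERO_SELF_SIGNED_CERT.
ca_env_ok() {
    [ -n "${NODE_EXTRA_CA_CERTS:-}" ] && [ -r "$NODE_EXTRA_CA_CERTS" ]
}

# Only trust a cached session file that is mode 600 (the runbook sets that;
# this catches drift). Returns 0 when the file exists and is root-only.
session_file_ok() {
    local f="$1" mode
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# Resolve a usable BW_SESSION. Order: cached token if bw says "unlocked"
# with it, else a fresh unlock. Any failure returns non-zero with a message
# on stderr -- no silent credential fallback.
ensure_bw_session() {
    local state
    ca_env_ok || {
        echo "NODE_EXTRA_CA_CERTS unset or unreadable (expected $CA_CERT)" >&2
        return 1
    }
    command -v "$BW_BIN" >/dev/null 2>&1 || {
        echo "bw CLI not found -- run prerequisites" >&2
        return 1
    }
    if session_file_ok "$SESSION_FILE"; then
        BW_SESSION=$(cat "$SESSION_FILE")
        state=$(bw_status_field "$("$BW_BIN" status --session "$BW_SESSION" 2>/dev/null)")
        if [ "$state" = "unlocked" ]; then
            export BW_SESSION
            return 0
        fi
        echo "cached session is '$state'; re-unlocking" >&2
    else
        echo "no usable $SESSION_FILE (missing or not mode 600); unlocking" >&2
    fi
    # Assign, then export, so the unlock's exit status is what we test.
    BW_SESSION=$("$BW_BIN" unlock --raw 2>/dev/null) || {
        echo "bw unlock failed -- manual intervention required" >&2
        return 1
    }
    [ -n "$BW_SESSION" ] || {
        echo "bw unlock returned an empty session" >&2
        return 1
    }
    # Write the new token root-only from the start (umask in a subshell).
    (umask 077 && printf '%s' "$BW_SESSION" > "$SESSION_FILE") || {
        echo "could not cache session to $SESSION_FILE" >&2
        return 1
    }
    export BW_SESSION
}
```

For unattended runs the unlock step still needs the master password from somewhere (bw's `--passwordenv` / `--passwordfile` options); with nothing supplied, `bw unlock` cannot prompt and the guard exits non-zero, which is the behaviour the runbook asks for.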

Troubleshooting

| Symptom | Fix |
| --- | --- |
| DEPTH_ZERO_SELF_SIGNED_CERT | NODE_EXTRA_CA_CERTS not set -- export NODE_EXTRA_CA_CERTS=/ssl/certs.pem (persist in /root/.bashrc) |
| Not logged in after unlock | Login expired or never completed -- re-run step 2 |
| bw: command not found | CLI not installed -- run prerequisites |
| connect ECONNREFUSED 127.0.0.1:443 | Vaultwarden Docker not running: docker ps, then docker start vaultwarden |

Cross-links: how-to_fix-vaultwarden-tls-cert -- reference_itachi-credential-store -- credential-model