Fix Vaultwarden TLS Certificate (Self-Signed with SAN)
HOW-TO — run when bw CLI reports DEPTH_ZERO_SELF_SIGNED_CERT or browser login fails silently.
Vaultwarden location: CT103 (itachi-security, 192.168.1.250)
Cert files on CT103: /ssl/certs.pem (cert) · /ssl/key.pem (key)
1 — Regenerate cert on CT103 with SAN
bash
ssh hinata-z2 "pct exec 103 -- bash -c '
cp /ssl/certs.pem /ssl/certs.pem.bak
cp /ssl/key.pem /ssl/key.pem.bak
openssl req -x509 -newkey rsa:4096 \
-keyout /ssl/key.pem -out /ssl/certs.pem \
-days 3650 -nodes \
-subj \"/CN=192.168.1.250\" \
-addext \"subjectAltName=IP:192.168.1.250,IP:127.0.0.1,DNS:itachi-security\"
echo done
'"

2 — Restart Vaultwarden
bash
ssh hinata-z2 "pct exec 103 -- docker restart vaultwarden"
# Verify
ssh hinata-z2 "curl -sk https://192.168.1.250/api/alive"

3 — Trust cert on Z2 host
bash
ssh hinata-z2 "
openssl s_client -connect 192.168.1.250:443 </dev/null 2>/dev/null \
| openssl x509 > /usr/local/share/ca-certificates/vaultwarden.crt
update-ca-certificates
"

4 — Trust cert on Mac (System keychain)
bash
# Get cert from Z2
scp hinata-z2:/usr/local/share/ca-certificates/vaultwarden.crt /tmp/vaultwarden.crt
# Add to System keychain (prompts for sudo password)
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain /tmp/vaultwarden.crt

Safari and Chrome pick up the System keychain. Firefox requires a separate import via about:preferences#privacy → Certificates → View Certificates → Import.
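Steps 3 and 4 copy whatever certificate the server presents into a trust store, so it is worth confirming first that the copy is the certificate generated in step 1 and that it carries the SAN entries from that step. The script below is an added example, not part of the original page; the function names are hypothetical, and the demo runs on constructed throwaway certificates (rsa:2048, 1 day) in a temp directory.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): confirm a fetched certificate is
# the one generated in step 1 and covers its SAN entries before trusting it.

# Print the SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_covers FILE ip|host VALUE: succeed only if the certificate matches VALUE.
# openssl x509 -checkip/-checkhost report the result as text, so grep for it.
cert_covers() {
    openssl x509 -in "$1" -noout "-check$2" "$3" 2>/dev/null |
        grep -q "does match certificate"
}

# verify_before_trust FETCHED REFERENCE: succeed only if FETCHED is the same
# certificate as REFERENCE and carries every SAN entry from step 1.
verify_before_trust() {
    fp=$(cert_fingerprint "$1")
    if [ -z "$fp" ] || [ "$fp" != "$(cert_fingerprint "$2")" ]; then
        echo "fingerprint mismatch or unreadable cert: do not trust $1" >&2
        return 1
    fi
    if ! { cert_covers "$1" ip 192.168.1.250 && cert_covers "$1" ip 127.0.0.1 &&
           cert_covers "$1" host itachi-security; }; then
        echo "SAN incomplete in $1: regenerate as in step 1" >&2
        return 1
    fi
    echo "ok: $fp"
}

# make_demo_cert OUT SAN: constructed throwaway certificate for the demo below,
# using the flags from step 1 (rsa:2048 and 1 day only to keep the demo quick).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=192.168.1.250" \
        -keyout "$1.key" -out "$1" -addext "subjectAltName=$2" 2>/dev/null
}

# Demo on constructed certificates: an identical copy passes, a certificate
# from a different key pair with the same names is rejected.
demo_dir=$(mktemp -d)
san="IP:192.168.1.250,IP:127.0.0.1,DNS:itachi-security"
make_demo_cert "$demo_dir/reference.crt" "$san"
cp "$demo_dir/reference.crt" "$demo_dir/fetched.crt"
make_demo_cert "$demo_dir/other.crt" "$san"
verify_before_trust "$demo_dir/fetched.crt" "$demo_dir/reference.crt"
verify_before_trust "$demo_dir/other.crt" "$demo_dir/reference.crt" || echo "rejected as expected"
rm -rf "$demo_dir"
```

In practice the reference is /ssl/certs.pem read from CT103 and the fetched file is /tmp/vaultwarden.crt (or vaultwarden.crt on the Z2 host).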
5 — Trust cert inside CT103 (for bw CLI running on CT103)
bash
ssh hinata-z2 "pct exec 103 -- bash -c '
cp /ssl/certs.pem /usr/local/share/ca-certificates/vaultwarden-local.crt
update-ca-certificates
bw config server https://127.0.0.1
'"

6 — Verify bw CLI on Z2
bash
ssh hinata-z2 "bw status"
# Expected: {"status": "locked", ...} — no TLS error

7 — Re-unlock bw and cache session
bash
ssh -t hinata-z2 "bw unlock --raw > /root/.bw_session && chmod 600 /root/.bw_session && echo cached"

Cross-links: reference_approved-ip-addresses · reference_itachi-credential-store