TOTP Token invalid since today #1142

Closed
opened 2026-02-05 00:06:39 +03:00 by OVERLORD · 5 comments

Originally created by @nicedevil007 on GitHub (Oct 25, 2021).

Subject of the issue

I was using vaultwarden over the last months or even years now (Bitwarden_RS before). I had enabled TOTP Tokens with Authy.
My token was all day long legit since today. It tells me that the token is wrong. The time shown in the error box is 2 hours off to my local time. I checked the time on my router, it is the right one, I checked the time on my PC, it is the right one, I checked the time of my vaultwarden docker container, it is the right one, and yes you are right, the same for the host and nginxproxymanager.
Then I checked the admin page of my vaultwarden, and here we go => there is a red mark on the time. How can we fix it?

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.2-f94ac6ca
  • Web-vault version: v2.23.0c
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: false
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, INVITATION_ORG_NAME, SMTP_HOST, SMTP_SSL, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://********.*****.**",
  "domain_origin": "*****://********.*****.**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 5 * * * *",
  "emergency_request_timeout_schedule": "0 5 * * * *",
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "SkyNet Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "***********@********.**",
  "smtp_from_name": "SkyNet Vaultwarden",
  "smtp_host": "****.*****.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "****.******@*****.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

I guess I was clear enough? :)

Expected behaviour

TOTP Token will work again

Actual behaviour

TOTP Token with Authy or Google Authenticator isn't working.

Troubleshooting data

image


@cksapp commented on GitHub (Oct 25, 2021):

> The time shown in the error box is 2 hours off to my local time.

The 2 hour difference is because this is shown in UTC time. So you would locally be anywhere within these timezones (https://en.wikipedia.org/wiki/UTC%2B02:00).

I would check the NTP on your server, as well as your browser. Might suggest opening up from a cell phone or another device off of wifi and over mobile data instead to see if you experience the same issues.


@nicedevil007 commented on GitHub (Oct 25, 2021):

it is not the 2 hour difference that is the problem, it is the ca. 1 min difference between browser/server on UTC


@cksapp commented on GitHub (Oct 25, 2021):

Correct, sorry if I wasn't clear about that there.
I recommend checking the NTP settings of your server and the web browser. As you've mentioned you have already checked the docker container and the reverse proxy for the correct time, I might suggest starting at looking on the browser and checking another browser from another device if possible.

Perhaps provide details on the web browser you are using as the client to access the web build.

This would also perhaps best be a topic for our forum (https://vaultwarden.discourse.group).


@nicedevil007 commented on GitHub (Oct 25, 2021):

I'm using Brave and tried with MS Edge and Firefox as well. And also on 2 different devices...

image

Maybe the battery of my client is low o_O? That screen is directly from the host


@nicedevil007 commented on GitHub (Oct 25, 2021):

Ok fixed it....
image

first `timedatectl set-local-rtc 1 --adjust-system-clock` then `timedatectl set-local-rtc 0 --adjust-system-clock` then

```
sudo systemctl daemon-reload
sudo timedatectl set-ntp off
sudo timedatectl set-ntp on
```

then the output of timedatectl was:

```
root@DietPi:~# timedatectl
               Local time: Mon 2021-10-25 20:34:32 CEST
           Universal time: Mon 2021-10-25 18:34:32 UTC
                 RTC time: Mon 2021-10-25 18:34:32
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
```

a restart of the docker container afterwards forced it to sync time now instead of waiting for next sync :)
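
Why a server clock roughly a minute off rejects otherwise valid TOTP codes, shown as an added example that is not part of the original thread and is not Vaultwarden's code. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and models drift tolerance as one step either side of the server's current step; the secret is the RFC 4226 test key and all timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30                             # seconds per time step (RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # RFC 4226 test key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code for any step within +/- window of the server's own step.

    window=1 is the assumed model for drift tolerance being enabled,
    window=0 for it being disabled.
    """
    current = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-window, window + 1)
    )


def accepted_skews(secret, client_time, skews, window=1):
    """Return the server-minus-client offsets (seconds) that still validate."""
    code = totp(secret, client_time)  # what the authenticator app displays
    return [s for s in skews if verify(secret, code, client_time + s, window)]


# Constructed scenario: the phone is correct, the server clock is off by `skew`.
# client_time=90 is the first second of a step, the most forgiving case for a
# server that runs ahead; later in the step the tolerated skew shrinks.
SKEWS = [-31, -30, 0, 29, 59, 60, 65]

if __name__ == "__main__":
    for w in (1, 0):
        print(f"window={w}: accepted skews", accepted_skews(RFC_SECRET, 90, SKEWS, w))
```

The one-minute mark is where even the tolerant window stops matching, which is consistent with the "ca. 1 min difference" reported above and with the fix being a resynchronised system clock rather than any change to the 2FA settings.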


Reference: starred/vaultwarden#1142