iOS and iPadOS clients fail to display icons, whereas MacOS, browser and web display icons #1182

Closed
opened 2025-10-09 17:06:58 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @realk1ko on GitHub.

Subject of the issue

I recently set up a Vaultwarden instance reverse-proxied by nginx using a custom CA-signed SSL certificate. The custom CA used for signing is imported on all systems as a trusted root (I've used https://smallstep.com for this).

Deployment environment

  • vaultwarden version: 1.24.0
  • Install method: Docker image
  • Clients used: iOS/iPadOS, MacOS, Browser extensions on Safari and Edge
  • Reverse proxy and version: nginx 1.20.2
  • MySQL/MariaDB or PostgreSQL version: -
  • Other relevant details:
    • Container is running via podman as non-root
    • I can paste the CA root certificate details here if required for debugging (expiry, signature algorithm, etc.)
    • What definitely is important to note here is that none of the certificates violate the new restrictions Apple/Google have implemented for SSL certificates (at least as far as I know). This means that the Vaultwarden certificate has an expiry less than 397 days. (https://support.globalsign.com/ssl/general-ssl/397-day-maximum-tls-certificate-validity)
    • The root and intermediate certificates have an expiry of 10 years.

Steps to reproduce

  1. Set up container
```sh
podman create --name vaultwarden \
  -p 8080:8080 \
  -v /path/to/persistent/storage:/data:Z \
  -e ROCKET_PORT=8080 \
  docker.io/vaultwarden/server:latest
```
  2. Set up nginx reverse proxy with a custom CA and certificate
```conf
server {

    server_name vaultwarden.home;

    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/nginx/ssl/vaultwarden.crt;
    ssl_certificate_key /etc/nginx/ssl/vaultwarden.key;
    ssl_dhparam /etc/nginx/ssl/vaultwarden.dhparam.pem;

    ssl_session_cache shared:SSL:10M;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {

        proxy_pass http://localhost:8080/;

        proxy_http_version 1.1;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

}
```
  3. Set up custom CA as trusted root on iOS/iPadOS (https://support.apple.com/en-us/HT204477)
  4. Connect iOS/iPadOS app to the newly set-up vault

Expected behaviour

Icons should be displayed for logins, cards, etc.

Actual behaviour

Icons are not displayed, but only on mobile apps

Troubleshooting data

  • Accessing the endpoint for the icons via the browser works perfectly fine (e.g. https://vaultwarden.home/icons/github.com/icon.png)
  • Desktop apps and browser extensions do not seem to have any problems
  • I suspect that this is due to the fact that the iOS/iPadOS apps do not use the system's CA trust store
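As an added check that is not part of the original report, the script below (assuming the openssl CLI is available) builds a constructed root/intermediate/leaf hierarchy like the one described and shows the two things worth verifying on the certificate nginx serves before blaming the app: that the chain file includes the intermediate so a client trusting only the root can build a path, and that the leaf's validity stays within the 397-day limit.

```shell
#!/bin/sh
# Added demo (not the reporter's setup): builds a throwaway root CA, intermediate
# and leaf with the openssl CLI, then runs two checks worth doing on the
# certificate nginx serves before pointing an Apple client at it.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed hierarchy mirroring the report: 10-year root and intermediate,
# leaf for vaultwarden.home valid 365 days (under the 397-day limit).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Home Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 3650 -extfile int.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=vaultwarden.home" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:vaultwarden.home\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Check 1: can a client that trusts ONLY the root ($3) build a path to the leaf
# ($1) using just what the server sends ($2)? Fails if the intermediate is
# missing from the chain file.
chain_ok() {  # $1 leaf, $2 chain file as served by nginx, $3 root trusted by the device
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 2: succeeds if the cert expires within $2 days. For a freshly issued cert
# the remaining lifetime equals the validity period, so this tests the 397-day limit.
lifetime_within_days() {  # $1 cert, $2 max days
  if openssl x509 -noout -in "$1" -checkend $(($2 * 86400)) >/dev/null 2>&1; then
    return 1  # still valid beyond the limit
  fi
  return 0
}

cat leaf.crt int.crt > chain.pem  # what ssl_certificate should point at
chain_ok leaf.crt chain.pem root.crt && echo "leaf + intermediate: chain verifies"
chain_ok leaf.crt leaf.crt root.crt || echo "leaf only: chain does NOT verify"
lifetime_within_days leaf.crt 397 && echo "leaf validity within 397 days"
```

Pointing `chain_ok` and `lifetime_within_days` at the real files under /etc/nginx/ssl rules out a missing intermediate or an over-long validity period before looking at the app itself.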

Reference: starred/vaultwarden#1182