trust anchor for certification path not found #1777

Closed
opened 2026-02-05 01:47:08 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @hughware on GitHub (Nov 28, 2023).

Subject of the issue

android: trust anchor for certification path not found

Deployment environment

  • vaultwarden version: latest
  • Install method: docker image
  • Clients used: Android
  • Reverse proxy and version: nginx
  • MySQL/MariaDB or PostgreSQL version: default
  • Other relevant details:

Steps to reproduce

  • docker-compose
name: vaultwarden
services:
    server:
        container_name: vaultwarden
        volumes:
            - ./data/:/data/
        restart: unless-stopped
        environment:
            - ADMIN_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxx
        ports:
            - 55555:80
        image: vaultwarden/server:latest

docker-compose -f vaultwarden.yml up -d

  • nginx-crt
    san.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
CN = CN

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com

openssl ecparam -genkey -name prime256v1 -noout -out ec.key
# the key file name must match the one generated above (the report as pasted read my.key)
openssl req -x509 -nodes -key ec.key -out ec.crt -config san.cnf -days 365
  • nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    proxy_cache_path /opt/cache levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;

    server {
        listen 55552 ssl http2;
        server_name localhost;

        ssl_certificate /etc/nginx/ssl/ec.crt;
        ssl_certificate_key /etc/nginx/ssl/ec.key;

        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
            proxy_pass http://127.0.0.1:55555;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;

            proxy_cache my_cache;
            proxy_cache_valid 200 302 60m;
            proxy_cache_valid 404 1m;

            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
        }
    }
} # closes the http block (the brace was missing from the config as pasted)

systemctl enable nginx --now

Expected behaviour

web -> https://ip:55552 OK
android -> https://ip:55552 OK

Actual behaviour

web -> https://ip:55552 OK, but it's slow to load
android -> https://ip:55552 Popup dialog 'trust anchor for certification path not found'

Troubleshooting data

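Added illustration, not part of the report or of vaultwarden: a small model of the two checks a TLS client runs on a server certificate, applied to the certificate that san.cnf above produces. Reached at https://ip:55552 it fails both: Android's default store holds no anchor for a self-signed certificate, and a subjectAltName containing only example.com DNS names can never match an IP literal. The address 192.0.2.10 (standing in for the report's "ip") and the empty trust_anchors set are assumptions.

```python
"""Two checks a TLS client runs on a server certificate: is the issuer a
trust anchor in the client's store, and does subjectAltName cover the name
the client connected to.  Android reports a failure of the first check as
"trust anchor for certification path not found".  Sample data below is
constructed from the report's san.cnf and URL."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: a wildcard may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" covers "vault.example.com", not "example.com"
    # or "a.b.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def host_covered(cert: Cert, host: str) -> bool:
    """True if the SAN extension covers the host the client connected to."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(p, host) for p in cert.dns_sans)
    # An IP literal is compared only against iPAddress SAN entries.
    return any(ipaddress.ip_address(e) == ip for e in cert.ip_sans)

def diagnose(cert: Cert, host: str, trust_anchors: set) -> list:
    """Reasons a client holding `trust_anchors` rejects `cert` for `host`."""
    problems = []
    if cert.issuer not in trust_anchors:
        kind = "self-signed" if cert.subject == cert.issuer else "issuer"
        problems.append(f"trust anchor for certification path not found ({kind})")
    if not host_covered(cert, host):
        problems.append(f"hostname mismatch: SAN does not cover {host}")
    return problems

# Constructed from the report's san.cnf; subject == issuer, i.e. self-signed.
REPORTED_DN = "C=US, ST=State, L=City, O=Organization, CN=CN"
REPORTED_CERT = Cert(REPORTED_DN, REPORTED_DN, ["example.com", "*.example.com"])
# 192.0.2.10 is an assumed stand-in for the "ip" in https://ip:55552; the
# empty set models a device store with no anchor for this certificate.
REPORTED_PROBLEMS = diagnose(REPORTED_CERT, "192.0.2.10", set())
```

Both findings clear only when the certificate (or its issuer) is installed as a trusted anchor on the device and the clients reach the server by a name the SAN covers, or the SAN gains an IP entry for the address in use.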
Reference: starred/vaultwarden#1777