OnlyKey U2F does not work #1841

Closed
opened 2025-10-09 17:32:31 +03:00 by OVERLORD · 3 comments

Originally created by @alien2003 on GitHub.

bitwarden_rs behind an nginx proxy with a Let's Encrypt certificate does not work with OnlyKey.io U2F.

Bitwarden started with command:

```
docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e WEBSOCKET_ENABLED=true \
-e DOMAIN=https://bw.darkn.space \
-v /opt/bitwarden-rs/:/data/ \
bitwardenrs/server:latest
```

Nginx config:

```
server {
  listen 443 ssl http2;
  server_name bw.darkn.space;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;

  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  ssl_certificate /root/dehydrated/certs/bw.darkn.space/fullchain.pem;
  #/etc/letsencrypt/live/darkn.space/fullchain.pem;
  ssl_certificate_key /root/dehydrated/certs/bw.darkn.space/privkey.pem;
  #/etc/letsencrypt/live/darkn.space/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # intermediate configuration. tweak to your needs.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /root/dehydrated/certs/bw.darkn.space/chain.pem;

  #resolver <IP DNS resolver>;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://172.17.0.3:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://172.17.0.3:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://172.17.0.3:80;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #auth_basic "Private";
    #auth_basic_user_file /path/to/htpasswd_file;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://172.17.0.3:80;
  }

}
```

Bitwarden_rs logs:

```
[2020-01-18 16:17:13][request][INFO] PUT /api/two-factor/u2f
[2020-01-18 16:17:13][error][ERROR] U2fError.
[CAUSE] BadCertificate
[2020-01-18 16:17:13][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request
```
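Added example (editor's code, not the reporter's and not code from vaultwarden or the u2f crate): the `BadCertificate` in the log above is raised while the server parses the raw U2F registration response that the browser hands back from the device. That response is a fixed prefix (reserved byte 0x05, a 65-byte user public key, a one-byte key-handle length and the key handle) followed by the attestation certificate and the ECDSA signature. The certificate carries no length field of its own, so a relying party has to read the certificate's outer DER SEQUENCE header to find where the certificate ends and the signature begins. The stand-alone Rust below does that split with a hand-rolled DER length decoder and maps a missing, non-SEQUENCE, indefinite-length or out-of-bounds certificate header to a `BadCertificate` error. The error names are chosen to mirror the log, and the sample bytes are constructed for the example (the "certificate" is a SEQUENCE of filler, not a real X.509 certificate); the page does not establish what is actually wrong with the OnlyKey's attestation certificate. Nothing in the nginx configuration affects this step: the proxy terminates TLS and forwards plain HTTP to the container, so the TLS settings (including the still-enabled TLSv1 and TLSv1.1) are not where to look for this particular error.

```rust
// Added example, not vaultwarden or u2f-crate code: split a raw FIDO U2F
// registration response into its fields, the step a relying party performs
// before it can verify the attestation certificate and the signature.
// Layout (FIDO U2F Raw Message Formats):
//   0x05 | user public key (65) | key-handle length (1) | key handle |
//   attestation certificate (X.509 DER, self-delimiting) | ECDSA signature (DER)

#[derive(Debug, PartialEq)]
pub enum U2fError {
    BadRegistrationData, // prefix or key-handle fields malformed
    BadCertificate,      // attestation certificate is not a well-formed DER SEQUENCE
}

#[derive(Debug, PartialEq)]
pub struct Registration<'a> {
    pub user_public_key: &'a [u8], // 65 bytes: 0x04 || X || Y, uncompressed P-256 point
    pub key_handle: &'a [u8],
    pub attestation_cert: &'a [u8], // DER-encoded X.509 certificate, exactly one TLV
    pub signature: &'a [u8],        // DER-encoded ECDSA signature, everything after the cert
}

/// Decode the tag-length header at the start of `buf`.
/// Returns (header_len, content_len). Only definite-length forms of up to
/// four length bytes are accepted, which is all DER allows and all a
/// certificate can need; the indefinite form (0x80) is BER and is rejected.
fn der_tlv_len(buf: &[u8]) -> Option<(usize, usize)> {
    let first = *buf.get(1)?;
    if first < 0x80 {
        return Some((2, first as usize));
    }
    let n = (first & 0x7f) as usize;
    if n == 0 || n > 4 || buf.len() < 2 + n {
        return None;
    }
    let mut len = 0usize;
    for &b in &buf[2..2 + n] {
        len = (len << 8) | b as usize;
    }
    Some((2 + n, len))
}

pub fn parse_registration_response(data: &[u8]) -> Result<Registration<'_>, U2fError> {
    // Fixed prefix: reserved byte 0x05, then a 65-byte uncompressed point starting 0x04.
    if data.len() < 67 || data[0] != 0x05 || data[1] != 0x04 {
        return Err(U2fError::BadRegistrationData);
    }
    let user_public_key = &data[1..66];
    let kh_end = 67 + data[66] as usize;
    if data.len() < kh_end {
        return Err(U2fError::BadRegistrationData);
    }
    let key_handle = &data[67..kh_end];

    // The certificate has no explicit length field of its own: its extent is
    // whatever its outer SEQUENCE (tag 0x30) header claims. A header that is
    // missing, not a SEQUENCE, indefinite, or longer than the remaining bytes is
    // reported as a bad certificate rather than silently misaligning the signature.
    let rest = &data[kh_end..];
    if rest.first() != Some(&0x30) {
        return Err(U2fError::BadCertificate);
    }
    let (hdr, content) = der_tlv_len(rest).ok_or(U2fError::BadCertificate)?;
    let cert_len = hdr.checked_add(content).ok_or(U2fError::BadCertificate)?;
    if cert_len > rest.len() {
        return Err(U2fError::BadCertificate);
    }
    let (attestation_cert, signature) = rest.split_at(cert_len);
    if signature.is_empty() {
        return Err(U2fError::BadRegistrationData);
    }
    Ok(Registration { user_public_key, key_handle, attestation_cert, signature })
}

/// Constructed sample (not captured from any device): the "certificate" is a
/// SEQUENCE header with `cert_len_byte` as its length byte followed by 16 filler
/// bytes, so 16 gives a consistent response and other values break the boundary.
pub fn sample_response(cert_len_byte: u8) -> Vec<u8> {
    let mut v: Vec<u8> = vec![0x05, 0x04];
    v.extend(std::iter::repeat(0xAA).take(64)); // X || Y
    v.push(8);
    v.extend(std::iter::repeat(0xBB).take(8)); // key handle
    v.extend_from_slice(&[0x30, cert_len_byte]); // certificate SEQUENCE header
    v.extend(std::iter::repeat(0xCC).take(16)); // certificate body (filler)
    v.extend_from_slice(&[0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02]); // SEQUENCE { INTEGER 1, INTEGER 2 }
    v
}

fn main() {
    let good = sample_response(16);
    let reg = parse_registration_response(&good).expect("consistent sample parses");
    println!("cert {} bytes, signature {} bytes", reg.attestation_cert.len(), reg.signature.len());
    for bad in [0x7f, 0x80] {
        println!("length byte {:#04x}: {:?}", bad, parse_registration_response(&sample_response(bad)));
    }
}
```

`sample_response(16)` parses cleanly; `0x7f` (a length that overruns the buffer) and `0x80` (BER indefinite length, which DER forbids) both come back as `BadCertificate`. The same walk over a real response, decoded from the base64url `registrationData` the web vault sends to `/api/two-factor/u2f`, tells you whether a failure is at the certificate boundary or inside the certificate itself; the latter needs an X.509 parser, which this example does not include.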

@BlackDex commented on GitHub:

Closing this ticket because of inactivity.
Feel free to re-open if the issue isn't resolved using the `testing`/`master` version.


@dani-garcia commented on GitHub:

Try again with the latest image, I've upgraded the u2f crate and it might have solved the issue.


@alien2003 commented on GitHub:

Still the same

```
[2020-01-21 13:39:28][error][ERROR] U2fError.
[CAUSE] BadCertificate
[2020-01-21 13:39:28][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request
```
Reference: starred/vaultwarden#1841