MS Exchange On-Prem Self-Signed SMTP cert prevents 2FA Mails #1891

New Issue

Closed

opened 2026-02-05 02:08:13 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 02:08:13 +03:00

Owner

Copy Link

Originally created by @senpro-ingwersenk on GitHub (Apr 8, 2024).

Subject of the issue

We have Vaultwarden deployed in a k3s cluster that is configured via the SMTP_* env variables to send emails through our on-premise Exchange server. However, this morning, a collegue noticed that, after I updated the instance this morning, that he could no longer receive emails for his MFA - and I found the related log message soon after.

[2024-04-08 08:26:35.442][panic][ERROR] thread 'tokio-runtime-worker' panicked at 'Error sending incomplete 2FA email: SMTP error: Connection error: Connection error: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (self-signed certificate)': src/api/core/two_factor/mod.rs:273
   0: vaultwarden::init_logging::{{closure}}
   1: std::panicking::rust_panic_with_hook
   2: std::panicking::begin_panic_handler::{{closure}}
   3: std::sys_common::backtrace::__rust_end_short_backtrace
   4: rust_begin_unwind
   5: core::panicking::panic_fmt
   6: core::result::unwrap_failed
   7: vaultwarden::api::core::two_factor::send_incomplete_2fa_notifications::{{closure}}
   8: tokio::runtime::task::raw::poll
   9: tokio::runtime::scheduler::multi_thread::worker::Context::run_task
  10: tokio::runtime::scheduler::multi_thread::worker::run
  11: tokio::runtime::task::raw::poll
  12: std::sys_common::backtrace::__rust_begin_short_backtrace
  13: core::ops::function::FnOnce::call_once{{vtable.shim}}
  14: std::sys::unix::thread::Thread::new::thread_start

Deployment environment

• vaultwarden version: image: ghcr.io/dani-garcia/vaultwarden:1.30.5-alpine

• Install method: Kubernetes via k3s, deployment

• Clients used: Web Vault (Extension and Desktop Client work)

• Reverse proxy and version: Traefik as dictated by k3s

• MySQL/MariaDB or PostgreSQL version: image: docker.io/library/postgres:15-alpine

• Other relevant details: None I could really think of, sorry.

Steps to reproduce

According to my collegue, all he did was attempt to log in via the Web Vault to obtain login credentials. Upon entering his creds, he received an error page with the error above (minus the log wrap itself). The extension works fine, so I assume it just falls back to offline storage.

Expected behaviour

An email to be sent

Actual behaviour

It appears that Vaultwarden does not like Exchange's shenanigans related to certificates. Although we use starttls and the appropriate port (587), the above error is thrown.

I tried to look for a way to, at least temporarily, disable TLS verification to see if that solved the issue, but found none. Exchange isn't the most obvious about it's certs, according to another collegue with admin previleges (which I do not have), so I have to assume that Microsoft is doing Microsoft things...fun.

Troubleshooting data

See above.

Originally created by @senpro-ingwersenk on GitHub (Apr 8, 2024). ### Subject of the issue We have Vaultwarden deployed in a k3s cluster that is configured via the `SMTP_*` env variables to send emails through our on-premise Exchange server. However, this morning, a collegue noticed that, after I updated the instance this morning, that he could no longer receive emails for his MFA - and I found the related log message soon after. ``` [2024-04-08 08:26:35.442][panic][ERROR] thread 'tokio-runtime-worker' panicked at 'Error sending incomplete 2FA email: SMTP error: Connection error: Connection error: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (self-signed certificate)': src/api/core/two_factor/mod.rs:273 0: vaultwarden::init_logging::{{closure}} 1: std::panicking::rust_panic_with_hook 2: std::panicking::begin_panic_handler::{{closure}} 3: std::sys_common::backtrace::__rust_end_short_backtrace 4: rust_begin_unwind 5: core::panicking::panic_fmt 6: core::result::unwrap_failed 7: vaultwarden::api::core::two_factor::send_incomplete_2fa_notifications::{{closure}} 8: tokio::runtime::task::raw::poll 9: tokio::runtime::scheduler::multi_thread::worker::Context::run_task 10: tokio::runtime::scheduler::multi_thread::worker::run 11: tokio::runtime::task::raw::poll 12: std::sys_common::backtrace::__rust_begin_short_backtrace 13: core::ops::function::FnOnce::call_once{{vtable.shim}} 14: std::sys::unix::thread::Thread::new::thread_start ``` ### Deployment environment <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: `image: ghcr.io/dani-garcia/vaultwarden:1.30.5-alpine` <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Kubernetes via k3s, deployment * Clients used: Web Vault (Extension and Desktop Client work) * Reverse proxy and version: Traefik as dictated by k3s * MySQL/MariaDB or PostgreSQL version: `image: docker.io/library/postgres:15-alpine` * Other relevant details: None I could really think of, sorry. ### Steps to reproduce According to my collegue, all he did was attempt to log in via the Web Vault to obtain login credentials. Upon entering his creds, he received an error page with the error above (minus the log wrap itself). The extension works fine, so I assume it just falls back to offline storage. ### Expected behaviour An email to be sent ### Actual behaviour It appears that Vaultwarden does not like Exchange's shenanigans related to certificates. Although we use `starttls` and the appropriate port (587), the above error is thrown. I tried to look for a way to, at least temporarily, disable TLS verification to see if that solved the issue, but found none. Exchange isn't the most obvious about it's certs, according to another collegue with admin previleges (which I do not have), so I have to assume that Microsoft is doing Microsoft things...fun. ### Troubleshooting data See above.

OVERLORD closed this issue 2026-02-05 02:08:14 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1891