Android App Problem with Certificate at login! #2218

Closed
opened 2026-02-05 03:37:42 +03:00 by OVERLORD · 0 comments

Originally created by @rira2005 on GitHub (Mar 17, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.33.2
  • Web-vault version: v2025.1.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.48.0
  • Environment settings overridden!: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: false
  • HTTPS Check: false
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "****************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://***************",
  "domain_origin": "****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": "api-421bdf87.duosecurity.com",
  "duo_ikey": "DI3XWEHI0E5O7YG0BYYZ",
  "duo_skey": "***",
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "My Networxx",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "/data/templates",
  "tmp_folder": "/data/tmp",
  "trash_auto_delete_days": 100,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

Version 1.33.2

Deployment method

Official Container Image

Custom deployment method

Hello,

I have installed Vaultwarden as an add-on on my HA system.
I uploaded official wildcard certificates for my domain, started the service, and connected on port 7277.
I created a user, and everything worked perfectly.

Then, I downloaded the Bitwarden app for Android on my S24.
I set up my own server as the host: https://host.domain.com:7277/ (DNS resolves internally!).
Certificate Issuer : https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates
After entering my email and master password, I get the following certificate error:

An error has occurred. We could not verify the server's certificate. The certificate chain or proxy settings on the device or the Bitwarden server may not be set up correctly.

I have already checked that the certificate chain is included in the certificate.
I don’t use a proxy, and the server has direct internet access.

What can I do to fix this?

Thanks,
Raphael

Reverse Proxy

init-nginx

Host/Server Operating System

Linux

Operating System Version

System: Home Assistant OS 14.2 (amd64 / qemux86-64)

Clients

Android

Client Version

2025.2.0

Steps To Reproduce

I have installed Vaultwarden as an add-on on my HA system.
I uploaded official wildcard certificates for my domain, started the service, and connected on port 7277.
I created a user, and everything worked perfectly.

Then, I downloaded the Bitwarden app for Android on my S24.
I set up my own server as the host: https://host.domain.com:7277/ (DNS resolves internally!).
Certificate Issuer : https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates
After entering my email and master password, I get the following certificate error:

An error has occurred. We could not verify the server's certificate. The certificate chain or proxy settings on the device or the Bitwarden server may not be set up correctly.

I have already checked that the certificate chain is included in the certificate (it can be provided, but only in a secure way ;-)).
I don’t use a proxy, and the server has direct internet access.

What can I do to fix this?

Thanks,
Raphael

Expected Result

To log in with the Android app correctly!

Actual Result

An error has occurred. We could not verify the server's certificate. The certificate chain or proxy settings on the device or the Bitwarden server may not be set up correctly.

Logs

[18:02:35] INFO: 
[18:02:35] INFO: 
[18:02:35] INFO: READ THIS CAREFULLY! READ THIS CAREFULLY!
[18:02:35] INFO: 
[18:02:35] INFO: 
[18:02:35] INFO: This is your temporary random admin token/password!
[18:02:35] INFO: 
[18:02:35] INFO: 
[18:02:35] INFO: 
[18:02:35] INFO: Be sure to change it in the admin panel, as soon as possible.
[18:02:35] INFO: 
[18:02:35] INFO: After you have changed ANY setting in the admin panel,
[18:02:35] INFO: the add-on will NOT generate a new token on each start
[18:02:35] INFO: and stops showing this message.
[18:02:35] INFO: 
[18:02:36] INFO: Starting the Vaultwarden server...
/--------------------------------------------------------------------\
|                        Starting Vaultwarden                        |
|                           Version 1.33.2                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://github.com/dani-garcia/vaultwarden/discussions or        |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/vaultwarden/issues/new            |
\--------------------------------------------------------------------/
[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.
Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
[2025-03-17 18:02:36.455][vaultwarden::auth][INFO] Private key '/data/rsa_key.pem' created correctly
[2025-03-17 18:02:36.663][start][INFO] Rocket has launched from http://127.0.0.1:80
s6-rc: info: service init-nginx successfully started
s6-rc: info: service nginx: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service legacy-services: starting
[18:02:36] INFO: Starting NGinx...
s6-rc: info: service legacy-services successfully started
2025/03/17 18:02:36 [warn] 395#395: "ssl_stapling" ignored, issuer certificate not found for certificate "/ssl/hidden_mydomain.com.pem"
[2025-03-17 18:02:55.492][request][INFO] GET /admin
[2025-03-17 18:02:55.493][response][INFO] (admin_page_login) GET /admin/ [2] => 200 OK
[2025-03-17 18:02:58.445][request][INFO] POST /admin
[2025-03-17 18:02:58.462][response][INFO] (post_admin_login) POST /admin/ application/x-www-form-urlencoded => 200 OK

Screenshots or Videos

No response

Additional Context

I see this in the logs, but I have already tested it with openssl and the certificate chain seems to be okay!

2025/03/17 18:02:36 [warn] 395#395: "ssl_stapling" ignored, issuer certificate not found for certificate "/ssl/hidden_mydomain.com.pem"

OVERLORD added the bug label 2026-02-05 03:37:42 +03:00
Reference: starred/vaultwarden#2218