mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-02-05 00:29:40 +03:00
Portainer report Bitwarden-MySQL unhealthy when SSL is enabled. #411
Originally created by @BobWs on GitHub (Sep 8, 2019).
Hi,
I’m getting an unhealthy report from portainer when ROCKET_TLS is enabled.
healthcheck.sh: 3: [: missing ]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Webvault works fine when browsing through any browser. No problems with ssl warnings or whatsoever. Any idea why portainer is giving the warning? The certificate is Let’s Encrypt certificate.
I’m using a reverse proxy in front of the bitwarden server so I guess I could disable the ROCKET_TLS, right?
@dani-garcia commented on GitHub (Sep 8, 2019):
Hmm, well, the healthcheck is accessing localhost and the response contains a certificate for a separate domain, so curl is giving an error. We might need to ignore certificate errors in that curl call.
@dani-garcia commented on GitHub (Sep 11, 2019):
I've changed it as mentioned so curl will ignore certificate errors in the latest commit, so we can close this.
About your latest comment that I just saw, if you are using a reverse proxy in the same local network, terminating SSL in the proxy and not using ROCKET_TLS is probably the best option.
@BobWs commented on GitHub (Sep 12, 2019):
Thanks!
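
An added example, not part of the original thread and not the project's own script: a healthcheck that keeps certificate verification on when TLS is enabled by requesting the certificate's hostname while pinning that name to loopback with curl's `--resolve`, and that falls back to `--insecure` as in the fix discussed above. `HEALTHCHECK_HOST` and `DRY_RUN` are hypothetical variables, the `/alive` path and the port default are assumptions, and verification also assumes the container's CA bundle trusts the certificate's issuer.

```shell
#!/bin/sh
# Added example; not vaultwarden's healthcheck.sh.
# Assumptions: a non-empty ROCKET_TLS means TLS is on, ROCKET_PORT is the listen
# port, /alive is the health endpoint, and HEALTHCHECK_HOST (hypothetical
# variable) holds the DNS name that appears in the server certificate.

healthcheck() {
    port="${ROCKET_PORT:-80}"

    # Quote the variable and keep a space before ']'. ROCKET_TLS values can
    # contain braces and quotes, and a malformed test makes sh print
    # "[: missing ]".
    if [ -z "${ROCKET_TLS:-}" ]; then
        set -- --fail --silent "http://localhost:${port}/alive"
    elif [ -n "${HEALTHCHECK_HOST:-}" ]; then
        # Keep verification on: request the certificate's name, but pin that
        # name to loopback so the probe never leaves the container.
        set -- --fail --silent \
            --resolve "${HEALTHCHECK_HOST}:${port}:127.0.0.1" \
            "https://${HEALTHCHECK_HOST}:${port}/alive"
    else
        # Fallback described in the thread: skip certificate verification.
        set -- --fail --silent --insecure "https://localhost:${port}/alive"
    fi

    if [ -n "${DRY_RUN:-}" ]; then
        printf 'curl %s\n' "$*"     # show the command instead of running it
    else
        curl "$@"
    fi
}

# Run the probe only when asked, e.g. `sh healthcheck.sh --run`.
if [ "${1:-}" = "--run" ]; then
    healthcheck
fi
```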