starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-01 11:19:52 +03:00
Code Issues 32 Packages Projects Releases 12 Wiki Activity

OnlyKey U2F does not work #573

New Issue
Closed
opened 2026-02-04 21:36:32 +03:00 by OVERLORD · 3 comments
OVERLORD commented 2026-02-04 21:36:32 +03:00
Owner
Copy Link

Originally created by @alien2003 on GitHub (Jan 18, 2020).

bitwarden_rs with nginx proxy, let's encrypt certificate does not work with OnlyKey.io U2F.

Bitwarden started with command:

docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e WEBSOCKET_ENABLED=true \
-e DOMAIN=https://bw.darkn.space \
-v /opt/bitwarden-rs/:/data/ \
bitwardenrs/server:latest

Nginx config:

server {
  listen 443 ssl http2;
  server_name bw.darkn.space;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;

  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  ssl_certificate /root/dehydrated/certs/bw.darkn.space/fullchain.pem;
  #/etc/letsencrypt/live/darkn.space/fullchain.pem;
  ssl_certificate_key /root/dehydrated/certs/bw.darkn.space/privkey.pem;
  #/etc/letsencrypt/live/darkn.space/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # intermediate configuration. tweak to your needs.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /root/dehydrated/certs/bw.darkn.space/chain.pem;

  #resolver <IP DNS resolver>;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://172.17.0.3:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://172.17.0.3:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://172.17.0.3:80;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    #auth_basic "Private";
    #auth_basic_user_file /path/to/htpasswd_file;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://172.17.0.3:80;
  }

}

Bitwarden_rs logs:

[2020-01-18 16:17:13][request][INFO] PUT /api/two-factor/u2f
[2020-01-18 16:17:13][error][ERROR] U2fError.
[CAUSE] BadCertificate
[2020-01-18 16:17:13][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request
Originally created by @alien2003 on GitHub (Jan 18, 2020). bitwarden_rs with nginx proxy, let's encrypt certificate does not work with OnlyKey.io U2F. Bitwarden started with command: ``` docker run -d --name bitwarden \ -e SIGNUPS_ALLOWED=false \ -e WEBSOCKET_ENABLED=true \ -e DOMAIN=https://bw.darkn.space \ -v /opt/bitwarden-rs/:/data/ \ bitwardenrs/server:latest ``` Nginx config: ``` server { listen 443 ssl http2; server_name bw.darkn.space; # Specify SSL config if using a shared one. #include conf.d/ssl/ssl.conf; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /root/dehydrated/certs/bw.darkn.space/fullchain.pem; #/etc/letsencrypt/live/darkn.space/fullchain.pem; ssl_certificate_key /root/dehydrated/certs/bw.darkn.space/privkey.pem; #/etc/letsencrypt/live/darkn.space/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/ssl/certs/dhparam.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /root/dehydrated/certs/bw.darkn.space/chain.pem; #resolver <IP DNS resolver>; # Allow large attachments client_max_body_size 128M; location / { proxy_pass http://172.17.0.3:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /notifications/hub { proxy_pass http://172.17.0.3:3012; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /notifications/hub/negotiate { proxy_pass http://172.17.0.3:80; } # Optionally add extra authentication besides the AUTH_TOKEN # If you don't want this, leave this part out location /admin { # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ #auth_basic "Private"; #auth_basic_user_file /path/to/htpasswd_file; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://172.17.0.3:80; } } ``` Bitwarden_rs logs: ``` [2020-01-18 16:17:13][request][INFO] PUT /api/two-factor/u2f [2020-01-18 16:17:13][error][ERROR] U2fError. [CAUSE] BadCertificate [2020-01-18 16:17:13][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request ```
OVERLORD commented 2026-02-04 21:36:35 +03:00
Author
Owner
Copy Link

@dani-garcia commented on GitHub (Jan 20, 2020):

Try again with the latest image, I've upgraded the u2f crate and it might have solved the issue.

@dani-garcia commented on GitHub (Jan 20, 2020): Try again with the latest image, I've upgraded the u2f crate and it might have solved the issue.
OVERLORD commented 2026-02-04 21:36:39 +03:00
Author
Owner
Copy Link

@alien2003 commented on GitHub (Jan 21, 2020):

Still the same

[2020-01-21 13:39:28][error][ERROR] U2fError.
[CAUSE] BadCertificate
[2020-01-21 13:39:28][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request
@alien2003 commented on GitHub (Jan 21, 2020): Still the same ``` [2020-01-21 13:39:28][error][ERROR] U2fError. [CAUSE] BadCertificate [2020-01-21 13:39:28][response][INFO] PUT /api/two-factor/u2f (activate_u2f_put) => 400 Bad Request ```
OVERLORD commented 2026-02-04 21:36:44 +03:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Nov 18, 2020):

Closing this ticket because of inactivity.
Feel free to re-open if the issue isn't resolved using the testing/master version.

@BlackDex commented on GitHub (Nov 18, 2020): Closing this ticket because of inactivity. Feel free to re-open if the issue isn't resolved using the `testing`/`master` version.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
troubleshooting
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#573
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?