2FA not working #975

Closed
opened 2026-02-04 23:31:54 +03:00 by OVERLORD · 2 comments

Originally created by @philw95 on GitHub (Mar 15, 2021).

Subject of the issue

2FA not working.
After logging in with email and password, this error message appears:
[screenshot: chrome_rh0Ka345nI]

I do not even get the possibility to enter the 2FA code.
I have tested it with:
Google Authenticator
E-Mail

Everything works, just not 2FA.

I use Traefik as a reverse proxy.

Deployment environment

Your environment (Generated via diagnostics page)

  • Bitwarden_rs version: v1.19.0
  • Web-vault version: v2.18.1
  • Running within Docker: true
  • Internet access: true
  • Uses a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********.****.*****",
  "domain_origin": "*****://*********.****.*****",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Bitwarden_RS",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*********@**.****.*****",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": "**-**.*******.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "********************************",
  "templates_folder": "data/templates",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • bitwarden_rs version: v1.19.0

  • Install method: Docker image

  • Clients used: web vault, desktop, Android

  • Reverse proxy and version: Traefik 2.4.7

  • MySQL/MariaDB or PostgreSQL version: none

  • Other relevant details:

Steps to reproduce

Expected behaviour

Actual behaviour

Troubleshooting data

[2021-03-14 23:22:17.849][request][INFO] POST /api/accounts/prelogin
[2021-03-14 23:22:17.851][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2021-03-14 23:22:17.936][request][INFO] POST /identity/connect/token
[2021-03-14 23:22:17.996][error][ERROR] 2FA token not provided
[2021-03-14 23:22:17.996][response][INFO] POST /identity/connect/token (login) => 400 Bad Request

Traefik compose:

version: '3.8'
services:
  traefik:
    image: traefik
    command: "traefik --providers.docker"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
    volumes:
      - type: bind
        source: ./traefik/traefik.toml
        target: /etc/traefik/traefik.toml
      - type: bind
        source: ../../../_files/traefik/netcup_key
        target: /etc/traefik/netcup_key
        read_only: true
      - type: bind
        source: ../../../_files/traefik/netcup_password
        target: /etc/traefik/netcup_password
        read_only: true
      - type: bind
        source: ../../../_files/traefik/netcup_id
        target: /etc/traefik/netcup_id
        read_only: true
      - type: bind
        source: ../../../_files/traefik/acme.json
        target: /etc/traefik/acme.json
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
      - type: bind
        source: ./traefik/conf.d
        target: /etc/traefik/conf.d
    hostname: 'traefik'
    container_name: traefik
    environment:
      TZ: "Europe/Berlin"
      NETCUP_API_KEY_FILE: "/etc/traefik/netcup_key"
      NETCUP_API_PASSWORD_FILE: "/etc/traefik/netcup_password"
      NETCUP_CUSTOMER_NUMBER_FILE: "/etc/traefik/netcup_id"
    deploy:
        restart_policy:
          condition: any
          delay: 5s
          window: 120s
  error-pages:
    image: tarampampam/error-pages
    labels:
      traefik.enable: "true"
      traefik.docker.network: "weave"
      traefik.http.routers.error-pages-router.entrypoints: "https"
      traefik.http.routers.error-pages-router.middlewares: "error-pages-middleware@docker"
      traefik.http.routers.error-pages-router.rule: "HostRegexp(`{host:.+}`)"
      traefik.http.routers.error-pages-router.tls: "true"
      traefik.http.routers.error-pages-router.priority: "10"
      traefik.http.services.error-pages-service.loadbalancer.server.port: "8080"
      traefik.http.middlewares.error-pages-middleware.errors.query: "/{status}.html"
      traefik.http.middlewares.error-pages-middleware.errors.service: "error-pages-service@docker"
      traefik.http.middlewares.error-pages-middleware.errors.status: "400-599"
    hostname: 'error-pages'
    container_name: error-pages
    environment:
      TZ: "Europe/Berlin"
      TEMPLATE_NAME: "ghost"
    deploy:
        restart_policy:
          condition: any
          delay: 5s
          window: 120s

networks:
  default:
    external:
      name: weave

Traefik toml:

[global]
  checkNewVersion = true
  sendAnonymousUsage = true

[entryPoints]
  [entryPoints.http]
    address = ":80"

    [entryPoints.http.http.redirections.entryPoint]
      to = "https"
      scheme = "https"

  [entryPoints.https]
    address = ":443"

[providers]
  [providers.file]
    directory = "/etc/traefik/conf.d"
    watch = true

[certificatesResolvers.letsencrypt.acme]
  email = "E-MAIL"
  storage = "/etc/traefik/acme.json"
  [certificatesResolvers.letsencrypt.acme.dnsChallenge]
    provider = "netcup"
    delayBeforeCheck = 900
    resolvers = ["8.8.4.4:53", "8.8.8.8:53"]

[serversTransport]
  insecureSkipVerify = true

[log]
 level = "INFO"

[api]

[ping]

[providers.docker]
network = "weave"
exposedByDefault = false

default.toml

[http]
   [http.routers]
      [http.routers.traefik]
         entrypoints = ["https"]
         rule = "Host(`traefik.DOMAIN`)"
         middlewares = ["error-pages-middleware@docker"]
         service = "api@internal"
         [http.routers.traefik.tls]
      [http.routers.wildcard-certs-pkhw-cloud]
         entrypoints = ["http", "https"]
         rule = "Host(`traefik-compose-traefik`)"
         service = "api@internal"
         [http.routers.wildcard-certs-XXXX-cloud.tls]
            certresolver = "letsencrypt"
            [[http.routers.wildcard-certs-XXXX-cloud.tls.domains]]
               main = "DOMAIN"
               sans = ["*.DOMAIN"]
   [http.middlewares]
      [http.middlewares.sslheader.headers.customrequestheaders]
         X-Forwarded-Proto = "https"

Bitwarden compose:

version: '3.8'
services:
  bitwarden:
    image: bitwardenrs/server:latest
    volumes:
      - type: bind
        source: ../../../_files/bitwarden/data
        target: /data
    labels:
      traefik.enable: "true"
      traefik.docker.network: "weave"
      # UI
      traefik.http.routers.bitwarden-ui.entrypoints: "https"
      traefik.http.routers.bitwarden-ui.middlewares: "error-pages-middleware@docker"
      traefik.http.routers.bitwarden-ui.rule: "Host(`bitwarden.DOMAIN`)"
      traefik.http.routers.bitwarden-ui.tls.certresolver: "letsencrypt"
      traefik.http.routers.bitwarden-ui.tls: "true"
      traefik.http.routers.bitwarden-ui.service: "bitwarden-ui"
      traefik.http.services.bitwarden-ui.loadbalancer.server.port: "80"
      # websocket
      traefik.http.routers.bitwarden-websocket.entrypoints: "https"
      traefik.http.routers.bitwarden-websocket.middlewares: "error-pages-middleware@docker"
      traefik.http.routers.bitwarden-websocket.rule: "Host(`bitwarden.DOMAIN`) && Path(`/notifications/hub`)"
      traefik.http.routers.bitwarden-websocket.tls.certresolver: "letsencrypt"
      traefik.http.routers.bitwarden-websocket.tls: "true"
      traefik.http.routers.bitwarden-websocket.service: "bitwarden-websocket"
      traefik.http.services.bitwarden-websocket.loadbalancer.server.port: "3012"
    hostname: 'bitwarden'
    container_name: bitwarden
    env_file:
      - ../../../_files/bitwarden/bitwarden.env
    environment:
      TZ: "Europe/Berlin"
      DOMAIN: "https://bitwarden.DOMAIN"
      WEBSOCKET_ENABLED: "false"
      SIGNUPS_ALLOWED: "false"
    deploy:
        restart_policy:
          condition: any
          delay: 5s
          window: 120s
          
networks:
  default:
    external:
      name: weave

@philw95 commented on GitHub (Mar 16, 2021):

Doesn't anyone have an idea?

Is this a general bug?
Or only in my case with Traefik?

I have already tried a few things, but I can't get it to work.

Here from Chrome:
[screenshot: chrome_fuoaTmyK8i]

[screenshot: chrome_BFgAoOmmSd]

@BlackDex commented on GitHub (Mar 16, 2021):

I think it is configuration. Please try the example from the wiki 'Traefik v2 (docker-compose example by hwwilliams)' https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples
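
Added example, not part of the thread or of the project's code: the log in the issue shows `/identity/connect/token` answering `400 Bad Request` when no 2FA token is supplied, and the posted labels route `bitwarden-ui` through an `errors` middleware whose status range is `400-599`. The check below finds routers whose error-page middleware would replace such a response; it assumes the client needs the body of that 400 response to show the 2FA prompt, and `LABELS`, `status_covers` and `masking_routers` are names chosen for this sketch.

```python
import re

# Constructed sample: the relevant labels as posted in the issue, written as a dict.
LABELS = {
    "traefik.http.middlewares.error-pages-middleware.errors.status": "400-599",
    "traefik.http.middlewares.error-pages-middleware.errors.service": "error-pages-service@docker",
    "traefik.http.routers.bitwarden-ui.middlewares": "error-pages-middleware@docker",
    "traefik.http.routers.bitwarden-ui.rule": "Host(`bitwarden.DOMAIN`)",
    "traefik.http.routers.bitwarden-websocket.middlewares": "error-pages-middleware@docker",
}


def status_covers(spec, code):
    """True if an errors.status value such as "500,502-504" includes code."""
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        if int(low) <= code <= int(high or low):
            return True
    return False


def masking_routers(labels, code=400):
    """Map each router to the errors middlewares that would replace a
    backend response carrying the given status code."""
    # Pass 1: errors middlewares whose status range includes the code.
    errors_mw = set()
    for key, value in labels.items():
        m = re.fullmatch(r"traefik\.http\.middlewares\.([^.]+)\.errors\.status", key)
        if m and status_covers(value, code):
            errors_mw.add(m.group(1))
    # Pass 2: routers that attach one of those middlewares.
    hits = {}
    for key, value in labels.items():
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.middlewares", key)
        if not m:
            continue
        # Middleware lists are comma separated; drop the "@provider" suffix.
        names = [n.strip().split("@")[0] for n in value.split(",")]
        used = [n for n in names if n in errors_mw]
        if used:
            hits[m.group(1)] = used
    return hits


if __name__ == "__main__":
    for router, mws in sorted(masking_routers(LABELS).items()):
        print(f"{router}: 400 responses replaced by {', '.join(mws)}")
```

Removing the middleware from the `bitwarden-ui` router, or narrowing `errors.status` so that it excludes 400, makes the check return an empty result.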


Reference: starred/vaultwarden#975