github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-05-07 03:23:29 -05:00
Code Issues 1.1k Packages Projects Releases 122 Wiki Activity

[GH-ISSUE #4590] Connection failure to self hosted vaultwarden behind lets encrypt certificate #21398

New Issue
Closed
opened 2026-04-16 21:52:00 -05:00 by GiteaMirror · 16 comments
GiteaMirror commented 2026-04-16 21:52:00 -05:00
Owner
Copy Link

Originally created by @heeen on GitHub (Jan 19, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/4590

Steps To Reproduce

I have a vaultwarden instance that has not given me any issues until recently. First I received "cannot serve your request, contact us" errors. After signing out and trying to sign back in, I am getting a certificate validation error. Chrome says my certificate is OK. firefox extension on linux has no issue connecting and synchronizing.

FWIW I am in the beta program on android (2025.1.0). This is on a Google Pixel 6 Pro, Android 15

Expected Result

Connection should work as expected and as on other platforms

Actual Result

SSL connection error

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.1.0

What server are you connecting to?

Self-host

Self-host Server Version

vaultwarden 1.32.7

Environment Details

Pixel 6 Pro
Android 15

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Originally created by @heeen on GitHub (Jan 19, 2025). Original GitHub issue: https://github.com/bitwarden/android/issues/4590 ### Steps To Reproduce I have a vaultwarden instance that has not given me any issues until recently. First I received "cannot serve your request, contact us" errors. After signing out and trying to sign back in, I am getting a certificate validation error. Chrome says my certificate is OK. firefox extension on linux has no issue connecting and synchronizing. FWIW I am in the beta program on android (2025.1.0). This is on a Google Pixel 6 Pro, Android 15 ### Expected Result Connection should work as expected and as on other platforms ### Actual Result SSL connection error ### Screenshots or Videos _No response_ ### Additional Context _No response_ ### Build Version 2025.1.0 ### What server are you connecting to? Self-host ### Self-host Server Version vaultwarden 1.32.7 ### Environment Details Pixel 6 Pro Android 15 ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug label 2026-04-16 21:52:00 -05:00
GiteaMirror commented 2026-04-16 21:52:01 -05:00
Author
Owner
Copy Link

@bitwarden-bot commented on GitHub (Jan 19, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: PM-17240

<!-- gh-comment-id:2601018650 --> @bitwarden-bot commented on GitHub (Jan 19, 2025): Thank you for your report! We've added this to our internal board for review. ID: PM-17240
GiteaMirror commented 2026-04-16 21:52:02 -05:00
Author
Owner
Copy Link

@decentropy commented on GitHub (Jan 19, 2025):

Came here to report same issue.

It started this morning.
I even force installed older versions from F-Droid, but gives same error.

This occurs on my samsung tablet and wife's pixel, not on my OnePlus phone. I verified can reach self hosted web vault from all devices via browser.

<!-- gh-comment-id:2601034110 --> @decentropy commented on GitHub (Jan 19, 2025): Came here to report same issue. It started this morning. I even force installed older versions from F-Droid, but gives same error. This occurs on my samsung tablet and wife's pixel, not on my OnePlus phone. I verified can reach self hosted web vault from all devices via browser.
GiteaMirror commented 2026-04-16 21:52:02 -05:00
Author
Owner
Copy Link

@BBGhub commented on GitHub (Jan 20, 2025):

Hi There,

This error often occurs when using older versions of Vaultwarden with the updated native app. To resolve this:

Update Vaultwarden: Ensure your server is up-to-date. For instance, Vaultwarden added support for native apps in version 1.31.0. If you're running an earlier version, upgrading should fix the issue.

Clear Cache: After updating, clear the app cache or restart the app.

While Bitwarden clients generally work with non-official servers, we cannot guarantee full compatibility. Keeping your server updated ensures compatibility with the latest features. Please note our support is limited for non-official servers.

<!-- gh-comment-id:2601179925 --> @BBGhub commented on GitHub (Jan 20, 2025): Hi There, This error often occurs when using older versions of Vaultwarden with the updated native app. To resolve this: Update Vaultwarden: Ensure your server is up-to-date. For instance, Vaultwarden added support for native apps in version 1.31.0. If you're running an earlier version, upgrading should fix the issue. Clear Cache: After updating, clear the app cache or restart the app. While Bitwarden clients generally work with non-official servers, we cannot guarantee full compatibility. Keeping your server updated ensures compatibility with the latest features. Please note our support is limited for non-official servers.
GiteaMirror commented 2026-04-16 21:52:03 -05:00
Author
Owner
Copy Link

@heeen commented on GitHub (Jan 20, 2025):

My vaultwarden is current. The log does not show any requests from the android client so i doubt it is the problem, rather the https stack as used by bitwarden android

<!-- gh-comment-id:2601453143 --> @heeen commented on GitHub (Jan 20, 2025): My vaultwarden is current. The log does not show any requests from the android client so i doubt it is the problem, rather the https stack as used by bitwarden android
GiteaMirror commented 2026-04-16 21:52:03 -05:00
Author
Owner
Copy Link

@BBGhub commented on GitHub (Jan 20, 2025):

Thanks for your reply.

It is important to note that Vaultwarden is not associated with Bitwarden. Vaultwarden is a re-writing of the Bitwarden server code in Rust (n.b. Vaultwarden is NOT a fork of Bitwarden), that is not contributed to nor supported by the Bitwarden team or organisation.

The security audits granted to Bitwarden do not apply to Vaultwarden, and the Bitwarden support team is not able to respond to questions regarding Vaultwarden.

Support options for Vaultwarden are found here:
https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#get-in-touch

Bitwarden also offers a self-hosted option, with multiple deployment options, including for air-gapped deployments. You can find information on Bitwarden’s deployment options here:

https://bitwarden.com/help/install-on-premise-linux/

https://bitwarden.com/help/install-and-deploy-offline/

<!-- gh-comment-id:2601456813 --> @BBGhub commented on GitHub (Jan 20, 2025): Thanks for your reply. It is important to note that Vaultwarden is not associated with Bitwarden. Vaultwarden is a re-writing of the Bitwarden server code in Rust (n.b. Vaultwarden is NOT a fork of Bitwarden), that is not contributed to nor supported by the Bitwarden team or organisation. The security audits granted to Bitwarden do not apply to Vaultwarden, and the Bitwarden support team is not able to respond to questions regarding Vaultwarden. Support options for Vaultwarden are found here: https://github.com/dani-garcia/vaultwarden?tab=readme-ov-file#get-in-touch Bitwarden also offers a self-hosted option, with multiple deployment options, including for air-gapped deployments. You can find information on Bitwarden’s deployment options here: https://bitwarden.com/help/install-on-premise-linux/ https://bitwarden.com/help/install-and-deploy-offline/
GiteaMirror commented 2026-04-16 21:52:04 -05:00
Author
Owner
Copy Link

@redge76 commented on GitHub (Jan 20, 2025):

Got the same issue. I don't see any log in my traefik reverse proxy.
I'm behind a cloudflared tunnel.
So somehing blocks the connection on the phone or in cloudflare.
My vw instance in configured to serve the service in a subdirectory in URL.

<!-- gh-comment-id:2602905921 --> @redge76 commented on GitHub (Jan 20, 2025): Got the same issue. I don't see any log in my traefik reverse proxy. I'm behind a cloudflared tunnel. So somehing blocks the connection on the phone or in cloudflare. My vw instance in configured to serve the service in a subdirectory in URL.
GiteaMirror commented 2026-04-16 21:52:04 -05:00
Author
Owner
Copy Link

@heeen commented on GitHub (Jan 20, 2025):

I can see a connection attempt in a tcpdump log, but no http request server side. I haven't analyzed the log further.

<!-- gh-comment-id:2602992637 --> @heeen commented on GitHub (Jan 20, 2025): I can see a connection attempt in a tcpdump log, but no http request server side. I haven't analyzed the log further.
GiteaMirror commented 2026-04-16 21:52:04 -05:00
Author
Owner
Copy Link

@redge76 commented on GitHub (Jan 20, 2025):

Originally, my Vaultwarden instance was behind a Cloudflare tunnel. Here is the connection process:

  1. The client requests the IP for vaultwarden.my-domain.com.
  2. Cloudflare responds with one of its IP addresses.
  3. The client connects to this IP, and Cloudflare routes the connection to my home server through a cloudflared tunnel (no IP is exposed on my side). --> In this configuration, the web app works, but the Android app does not.

Here are the tests I made:

  • I added an entry in my local home DNS for vaultwarden.my-domain.com that points directly to the local IP of my home server. --> Both the web app and Android app work.

  • I disabled the tunnel in Cloudflare and used it simply as a reverse proxy. --> The web app works, but the Android app does not.

  • I disabled both the tunnel and the Cloudflare proxy (so Cloudflare is just used as DNS). With the vaultwarden.my-domain.com query, I get the external IP of my home router. --> The web app works, but the Android app does not.

So, is there something new with how the Android app resolves DNS queries? It seems like it doesn't like Cloudflare DNS (or Cloudflare doesn't like how the app sends its queries).

<!-- gh-comment-id:2603286115 --> @redge76 commented on GitHub (Jan 20, 2025): Originally, my Vaultwarden instance was behind a Cloudflare tunnel. Here is the connection process: 1. The client requests the IP for vaultwarden.my-domain.com. 2. Cloudflare responds with one of its IP addresses. 3. The client connects to this IP, and Cloudflare routes the connection to my home server through a cloudflared tunnel (no IP is exposed on my side). --> In this configuration, the web app works, but the Android app does not. Here are the tests I made: * I added an entry in my local home DNS for vaultwarden.my-domain.com that points directly to the local IP of my home server. --> Both the web app and Android app work. * I disabled the tunnel in Cloudflare and used it simply as a reverse proxy. --> The web app works, but the Android app does not. * I disabled both the tunnel and the Cloudflare proxy (so Cloudflare is just used as DNS). With the vaultwarden.my-domain.com query, I get the external IP of my home router. --> The web app works, but the Android app does not. So, is there something new with how the Android app resolves DNS queries? It seems like it doesn't like Cloudflare DNS (or Cloudflare doesn't like how the app sends its queries).
GiteaMirror commented 2026-04-16 21:52:05 -05:00
Author
Owner
Copy Link

@heeen commented on GitHub (Jan 20, 2025):

I have a working theory - after ruling many other issues out - that it could be related to http2 as it seems like my bitwarden server is not offering http2 properly. The login request never reaches my server, it fails at the reverse proxy.

<!-- gh-comment-id:2603291898 --> @heeen commented on GitHub (Jan 20, 2025): I have a working theory - after ruling many other issues out - that it could be related to http2 as it seems like my bitwarden server is not offering http2 properly. The login request never reaches my server, it fails at the reverse proxy.
GiteaMirror commented 2026-04-16 21:52:06 -05:00
Author
Owner
Copy Link

@redge76 commented on GitHub (Jan 20, 2025):

I'm on free plan and I can't disable it. Can you ?
https://developers.cloudflare.com/speed/optimization/protocol/http2/

HTTP/2 to Origin is not the issue as It works with the web client. Don't you think ?

<!-- gh-comment-id:2603298753 --> @redge76 commented on GitHub (Jan 20, 2025): I'm on free plan and I can't disable it. Can you ? https://developers.cloudflare.com/speed/optimization/protocol/http2/ HTTP/2 to Origin is not the issue as It works with the web client. Don't you think ?
GiteaMirror commented 2026-04-16 21:52:06 -05:00
Author
Owner
Copy Link

@decentropy commented on GitHub (Jan 20, 2025):

to confirm... after upgrading my vaultwarden docker to latest, it resolved issue and android apps working again

<!-- gh-comment-id:2603304626 --> @decentropy commented on GitHub (Jan 20, 2025): to confirm... after upgrading my vaultwarden docker to latest, it resolved issue and android apps working again
GiteaMirror commented 2026-04-16 21:52:07 -05:00
Author
Owner
Copy Link

@redge76 commented on GitHub (Jan 20, 2025):

to confirm... after upgrading my vaultwarden docker to latest, it resolved issue and android apps working again

Are you behind a cloudflare reverse proxy? My vaultwarden instance is already upgraded to the latest version

<!-- gh-comment-id:2603306929 --> @redge76 commented on GitHub (Jan 20, 2025): > to confirm... after upgrading my vaultwarden docker to latest, it resolved issue and android apps working again Are you behind a cloudflare reverse proxy? My vaultwarden instance is already upgraded to the latest version
GiteaMirror commented 2026-04-16 21:52:07 -05:00
Author
Owner
Copy Link

@heeen commented on GitHub (Jan 20, 2025):

fixed my http2 reverse proxy config and it did not help.

<!-- gh-comment-id:2603310440 --> @heeen commented on GitHub (Jan 20, 2025): fixed my http2 reverse proxy config and it did not help.
GiteaMirror commented 2026-04-16 21:52:08 -05:00
Author
Owner
Copy Link

@redge76 commented on GitHub (Jan 20, 2025):

OK so I found what was wrong. My fault.
My vw instance is protected by a "google oauth" authentication provided by cloudflare.
If I disable this, my app connect correctly. I don't know. May be I had an exception I removed.
So now I will wait for https://github.com/bitwarden/android/pull/4486 to protect my vw with mtls instead of google oauth.

<!-- gh-comment-id:2603327910 --> @redge76 commented on GitHub (Jan 20, 2025): OK so I found what was wrong. My fault. My vw instance is protected by a "google oauth" authentication provided by cloudflare. If I disable this, my app connect correctly. I don't know. May be I had an exception I removed. So now I will wait for https://github.com/bitwarden/android/pull/4486 to protect my vw with mtls instead of google oauth.
GiteaMirror commented 2026-04-16 21:52:08 -05:00
Author
Owner
Copy Link

@heeen commented on GitHub (Jan 21, 2025):

My issue solved itself overnight, which is disappointing from a debugging point of view. I can't even reproduce it to root cause it. I had a DNS issue on my host VM which I worked around by adding 8.8.8.8 to resolv.conf earlier that day. I wonder if there's any correlation between DNS failures server side and ssl connections failing client side .

<!-- gh-comment-id:2604237706 --> @heeen commented on GitHub (Jan 21, 2025): My issue solved itself overnight, which is disappointing from a debugging point of view. I can't even reproduce it to root cause it. I had a DNS issue on my host VM which I worked around by adding 8.8.8.8 to resolv.conf earlier that day. I wonder if there's any correlation between DNS failures server side and ssl connections failing client side .
GiteaMirror commented 2026-04-16 21:52:09 -05:00
Author
Owner
Copy Link

@scottwmaxwell commented on GitHub (Jan 22, 2025):

I was experiencing the same issue.
Context: I'm using Vaultwarden via CasaOS and a reverse proxy to use https.

I managed to update Vaultwarden, which wasn't obvious (to me) on CasaOS.

  • Select the three dots for the app
  • Select settings and select "Latest" for the "Tag"
  • Save then select the three dots again and hit the restart icon
<!-- gh-comment-id:2606204852 --> @scottwmaxwell commented on GitHub (Jan 22, 2025): I was experiencing the same issue. Context: I'm using Vaultwarden via CasaOS and a reverse proxy to use https. I managed to update Vaultwarden, which wasn't obvious (to me) on CasaOS. - Select the three dots for the app - Select settings and select "Latest" for the "Tag" - Save then select the three dots again and hit the restart icon
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#21398
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?