[GH-ISSUE #7190] [SSO] Private certificate doesn't work with RustSSL #35590

Closed
opened 2026-07-13 20:25:32 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @Timothee-Flechelle on GitHub (May 5, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7190

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.36.0
  • Web-vault version: v2026.4.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 10.11.14-MariaDB-0+deb12u2-log
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "*****://*********************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************************",
  "domain_origin": "*****://************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "***********",
  "smtp_host": "*******************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://****************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "openid profile email offline_access",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.3

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Go to 'Log In'
  2. Click on 'Use unique authentification'

Expected Result

Expeted a redirection to sso client (keycloak on my case)

Actual Result

Raise an error "Failed to discover OpenID provider: Request failed"

Logs

[2026-05-05 13:19:31.437][request][INFO] GET /api/config
[2026-05-05 13:19:31.438][response][INFO] (config) GET /api/config => 200 OK
[2026-05-05 13:20:23.619][request][INFO] GET /api/devices/knowndevice
[2026-05-05 13:20:23.622][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-05-05 13:20:26.704][request][INFO] POST /api/organizations/domain/sso/verified
[2026-05-05 13:20:26.704][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK
[2026-05-05 13:20:26.713][request][INFO] GET /identity/sso/prevalidate?domainHint=00000000-01DC-01DC-
[2026-05-05 13:20:26.716][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2026-05-05 13:20:26.736][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2026-05-05 13:20:26.821][vaultwarden::sso_client][ERROR] Failed to discover OpenID provider: Request failed
[2026-05-05 13:20:26.821][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request

Screenshots or Videos

{
"message": "Failed to discover OpenID provider: Request failed",
"validationErrors": {
"": [
"Failed to discover OpenID provider: Request failed"
]
},
"errorModel": {
"message": "Failed to discover OpenID provider: Request failed",
"object": "error"
},
"error": "",
"error_description": "",
"exceptionMessage": null,
"exceptionStackTrace": null,
"innerExceptionMessage": null,
"object": "error"
}

Additional Context

My SSO connection was working on v1.35.3 and earlier versions, but since the migration from native-TLS to rustls-TLS (see image), I have been unable to connect Vaultwarden to Keycloak.

Image

I suspect the issue comes from my certificate, as it is a private certificate, and I have seen similar bug reports. The certificate is properly integrated into the project and works with older versions.

Originally created by @Timothee-Flechelle on GitHub (May 5, 2026). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7190 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.36.0 * Web-vault version: v2026.4.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 10.11.14-MariaDB-0+deb12u2-log * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "*****://*********************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************************", "domain_origin": "*****://************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************", "smtp_from_name": "***********", "smtp_host": "*******************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://****************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": true, "sso_pkce": true, "sso_scopes": "openid profile email offline_access", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.3 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Go to 'Log In' 2. Click on 'Use unique authentification' ### Expected Result Expeted a redirection to sso client (keycloak on my case) ### Actual Result Raise an error "Failed to discover OpenID provider: Request failed" ### Logs ```text [2026-05-05 13:19:31.437][request][INFO] GET /api/config [2026-05-05 13:19:31.438][response][INFO] (config) GET /api/config => 200 OK [2026-05-05 13:20:23.619][request][INFO] GET /api/devices/knowndevice [2026-05-05 13:20:23.622][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-05-05 13:20:26.704][request][INFO] POST /api/organizations/domain/sso/verified [2026-05-05 13:20:26.704][response][INFO] (get_org_domain_sso_verified) POST /api/organizations/domain/sso/verified => 200 OK [2026-05-05 13:20:26.713][request][INFO] GET /identity/sso/prevalidate?domainHint=00000000-01DC-01DC- [2026-05-05 13:20:26.716][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK [2026-05-05 13:20:26.736][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt [2026-05-05 13:20:26.821][vaultwarden::sso_client][ERROR] Failed to discover OpenID provider: Request failed [2026-05-05 13:20:26.821][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 400 Bad Request ``` ### Screenshots or Videos { "message": "Failed to discover OpenID provider: Request failed", "validationErrors": { "": [ "Failed to discover OpenID provider: Request failed" ] }, "errorModel": { "message": "Failed to discover OpenID provider: Request failed", "object": "error" }, "error": "", "error_description": "", "exceptionMessage": null, "exceptionStackTrace": null, "innerExceptionMessage": null, "object": "error" } ### Additional Context My SSO connection was working on v1.35.3 and earlier versions, but since the migration from native-TLS to rustls-TLS (see image), I have been unable to connect Vaultwarden to Keycloak. <img width="770" height="80" alt="Image" src="https://github.com/user-attachments/assets/cbbb2aae-e5aa-4f56-b1f1-0c1c8402b412" /> I suspect the issue comes from my certificate, as it is a private certificate, and I have seen similar bug reports. The certificate is properly integrated into the project and works with older versions.
GiteaMirror added the bug label 2026-07-13 20:25:32 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#35590