[support] Vaultwarden (formerly Bitwarden_rs)



First of all, great job with this docker, thanks!

 

I'm having troubles trying to fix an issue. My BitWarden server seems to crash after a couple of hours. Tried with the latest and alpine releases, same thing.

 

The container logs show 'Uptime 6 hours (unhealthy)', but when I click on them I only see normal logs, with my recent syncs and admin logins.

If I restart the docker, it works 100% fine for a couple of hours. I can run commands in the container console.

BW is not accessible either on LAN or via my reverse proxy, so this doesn't seem to be the problem, it just says connection timed out.

 

Is there any other logs I could check?


I'm using Ubuntu and Firefox with Bitwarden over port 80 and it had been working fine until the last day or two; it appears Firefox (v75.0) was auto-updated and now it has the same issue as Chrome. When I try to login a little red box appears: "This browser requires HTTPS to use the web vault. Check the bitwarden_rs wiki for details on how to enable it"

 

I guess I'm going to watch spaceinvader's video to set up a proxy. grr.

 


So I watched space invader's video and a few others and my head was exploding in anger and frustration. I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So I scraped the bitwarden_rs docker site and they have a few easier suggestions - the one I used was Caddy 1.x (also an unraid docker)

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

You can't use localhost, so make sure you enter your server IP address, and I enabled "tls self_signed".

 

Works fine for me now on all browsers.

 


The docker unexpectedly came back 'Healthy' when I dropped various port forwards and my HAProxy reverse proxy in my pfSense router... Strange.

 

I am in the process of moving everything through a letsencrypt container on the unraid server instead, with a proper domain name. Will see if the issue reoccurs using this setup.

3 hours ago, rilles said:

So I watched space invader's video and a few others and my head was exploding in anger and frustration. I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So I scraped the bitwarden_rs docker site and they have a few easier suggestions - the one I used was Caddy 1.x (also an unraid docker)

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

You can't use localhost, so make sure you enter your server IP address, and I enabled "tls self_signed".

 

Works fine for me now on all browsers.

 

 

"tls self_signed" is for testing only and only lasts 7 days.

 

Created a 5-year self-signed cert in Ubuntu:

openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout caddy-selfsigned.key -out caddy-selfsigned.crt

 

Copied it to the unraid file share, then copied it from the share to /mnt/cache/appdata/caddy

 

Start Caddy, launch the console and edit the Caddyfile with vi. Change "tls self_signed" to "tls caddy-selfsigned.key caddy-selfsigned.crt"

 

Restart Caddy and away you go.

 

I tried some of the nginx dockers but I could not get any of them to work, either due to letsencrypt errors or just too hard and fiddly for an amateur.

 

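An added example, not rilles's commands and not from the bitwarden_rs wiki, that wraps the same openssl step in a small POSIX shell script and then checks what it produced. The server IP 192.168.1.243 (taken from the Caddyfile posted further down this thread) and the output directory are placeholders; substitute your own. It goes beyond the one-liner in two ways a practitioner will want: the server IP is placed in a subjectAltName, because browsers match an IP-addressed site against the SAN and will reject a certificate that only carries the IP in the CN, and the private key is made readable by its owner only (the directory listing posted later shows the key as -rw-rw-rw-). One caveat when wiring the files into Caddy: in Caddy 1.x the tls directive takes the certificate first and the key second, as in the posted Caddyfile (tls caddy-selfsigned.crt caddy-selfsigned.key).

```shell
#!/bin/sh
# Added example, not rilles's own commands: make a long-lived self-signed
# certificate for Caddy that also names the server IP in a Subject Alternative
# Name, then check it. 192.168.1.243 and the output directory are placeholders;
# substitute your own server IP and appdata path.
set -u

# make_selfsigned DIR IP DAYS
# Writes DIR/caddy-selfsigned.key and DIR/caddy-selfsigned.crt. The IP goes in
# both the CN and an IP SAN, because browsers match IP addresses against the
# SAN rather than the CN. -addext needs OpenSSL 1.1.1 or newer.
make_selfsigned() {
  dir="$1"; ip="$2"; days="$3"
  mkdir -p "$dir"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -subj "/CN=$ip" \
    -addext "subjectAltName=IP:$ip" \
    -keyout "$dir/caddy-selfsigned.key" \
    -out "$dir/caddy-selfsigned.crt" 2>/dev/null || return 1
  # The private key must not be world-readable; keep it owner-only and owned
  # by whatever user the Caddy container runs as.
  chmod 600 "$dir/caddy-selfsigned.key"
}

# cert_valid_for_days CRT DAYS
# Exit 0 if CRT is still valid DAYS days from now, non-zero otherwise.
cert_valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_ip_san CRT IP
# Exit 0 if CRT carries IP as a subjectAltName entry.
cert_has_ip_san() {
  openssl x509 -noout -text -in "$1" | grep -qF "IP Address:$2"
}

# Stand-alone use (assumed env vars, not Caddy's own):
#   CADDY_CERT_DIR=/mnt/cache/appdata/caddy/config CADDY_SERVER_IP=192.168.1.243 sh thisscript.sh
if [ -n "${CADDY_CERT_DIR:-}" ]; then
  ip="${CADDY_SERVER_IP:-192.168.1.243}"
  make_selfsigned "$CADDY_CERT_DIR" "$ip" 1825 || exit 1
  cert_valid_for_days "$CADDY_CERT_DIR/caddy-selfsigned.crt" 1800 \
    && cert_has_ip_san "$CADDY_CERT_DIR/caddy-selfsigned.crt" "$ip" \
    && echo "certificate written to $CADDY_CERT_DIR, valid for 5 years, SAN IP:$ip"
fi
```

The two check functions can also be run by hand against a certificate you already have, for example to see how long the 7-day self_signed one actually lasts: openssl x509 -noout -text -in caddy-selfsigned.crt prints both the Validity block and the SAN list.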

What an excellent piece of software and an amazing thing to be able to self host and run on our own servers. 
 

I set mine up in no time using spaceinvaderone's excellent video and have it running through my existing letsencrypt reverse proxy.
 

I was so impressed with this yesterday. I decided to do a full migration from my current password manager and see if I can actually use it in the real world.
 

I mean, jeez, I pay Dashlane $50 per year for this functionality and this is just as polished. I was able to set up an iOS app, desktop app on OS X and also browser integration (which I might add is even BETTER than Dashlane for Safari) just as easily as with the paid Dashlane service. Shame I renewed my yearly Dashlane subscription in Feb. Anyway, I guess that's good JIC this little trial goes awry. I don't think it will though.
 

One issue I have though is the security of the admin page. It's open to the world. Yes, I know it's protected by a long random SSL-generated key, but I'd much prefer the secure method of accessing it that utilises email, OR hide it from being public facing completely.
 

Does anyone know how to enable the email access method for this RS version OR know how to limit access to the admin link to LAN only!?
 

 

4 minutes ago, danioj said:

Does anyone know how to enable the email access method for this RS version OR know how to limit access to the admin link to LAN only!?
 

 

I haven't proceeded yet, but from what I saw you can use Fail2Ban on both the vault and the admin access page. I'll also look into installing an SSL client auth on the admin page..

 

Edit: Reply below is way better.

1 hour ago, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

Worked like a charm. I think this should be noted somewhere as being "best practice" for new people setting the app up.

On 4/18/2020 at 8:28 PM, rilles said:

 

"tls self_signed" is for testing only and only lasts 7 days.

 

Created a 5-year self-signed cert in Ubuntu:

openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout caddy-selfsigned.key -out caddy-selfsigned.crt

 

Copied it to the unraid file share, then copied it from the share to /mnt/cache/appdata/caddy

 

Start Caddy, launch the console and edit the Caddyfile with vi. Change "tls self_signed" to "tls caddy-selfsigned.key caddy-selfsigned.crt"

 

Restart Caddy and away you go.

 

I tried some of the nginx dockers but I could not get any of them to work, either due to letsencrypt errors or just too hard and fiddly for an amateur.

 

rilles, could you please post your Caddyfile, as I am not 100% sure where to put the "tls caddy-selfsigned.key caddy-selfsigned.crt" part. I have the certs created and in my /mnt/cache/appdata/caddy.

 

Also, how did you manage to save the Caddyfile using vi? When I amended the Caddyfile with vi I could not work out how to save it lol. Pressing Esc did nothing, then any combination of the Alt key seemed to do nothing much as well.

On 4/24/2020 at 6:31 PM, Ricin said:

rilles, could you please post your Caddyfile, as I am not 100% sure where to put the "tls caddy-selfsigned.key caddy-selfsigned.crt" part. I have the certs created and in my /mnt/cache/appdata/caddy.

 

Also, how did you manage to save the Caddyfile using vi? When I amended the Caddyfile with vi I could not work out how to save it lol. Pressing Esc did nothing, then any combination of the Alt key seemed to do nothing much as well.

Assuming you have a cache drive, "/mnt/cache/appdata/caddy/config" is the directory to put your config file and certs into.

 

I remember some ancient days when I had to use vi: go to the spot you want to edit, press "i" and then edit.

When you are done editing, press Escape. Press ":" and then "w" to save the file, and then ":" and then "q" to exit.

 

root@Tower:/mnt/cache/appdata/caddy/config# v
-rw-r--r-- 1 root   root   693 Apr 18 15:35 Caddyfile
-rw-rw-rw- 1 nobody users 1350 Apr 18 15:16 caddy-selfsigned.crt
-rw-rw-rw- 1 nobody users 1704 Apr 18 15:16 caddy-selfsigned.key

 

Here is my copy of the "Caddyfile" config file (192.168.1.243 is the IP of my unraid server):

 

:443 {
  # tls ${SSLCERTIFICATE} ${SSLKEY}
  tls caddy-selfsigned.crt caddy-selfsigned.key
  # or 'tls self_signed' to generate a self-signed certificate

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  gzip

  # The negotiation endpoint is also proxied to Rocket
  proxy /notifications/hub/negotiate 192.168.1.243:8008 {
    transparent
  }

  # Notifications redirected to the websockets server
  proxy /notifications/hub 192.168.1.243:3012 {
    websocket
  }

  # Proxy the Root directory to Rocket
  proxy / 192.168.1.243:8008 {
    transparent
  }
}


Can anyone help me get SMTP to work with Gmail? I've created an App Password for my Gmail account and entered the generated password into the BitwardenRS SMTP Email Settings page. When I try to send an email I get this error: Error sending SMTP test email LetreErr. I don't know what else I can try to resolve this issue. My BitwardenRS container is behind a reverse proxy, if that helps.


I'm having some issues setting up SMTP on bitwardenrs. I have a dedicated Gmail account that I use for another service. I have enabled 2FA and created an app key/password and utilized that within Bitwarden, just as I have with my other application (node-red). No matter what I try, it will not send a test email. I thought maybe it was Gmail, so I went ahead and created a Yahoo account and the result was the same. I just installed the latest version of bitwardenrs for the first time a couple of weeks ago and have finished setting it up now. Here is the error I'm receiving.

 

Has anyone else had this experience and if so, what did you do to resolve it?

 

I have tried 587 TLS and 465 without TLS and every combination in between.

 

[CAUSE] Io(
Os {
code: 11,
kind: WouldBlock,
message: "Resource temporarily unavailable",
},
)
[2020-04-30 09:05:48][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request
[2020-04-30 09:05:53][request][INFO] POST /admin/config/
[2020-04-30 09:05:53][response][INFO] POST /admin/config (post_config) => 200 OK
[2020-04-30 09:05:54][request][INFO] GET /admin
[2020-04-30 09:05:54][response][INFO] GET /admin (admin_page) => 200 OK
[2020-04-30 09:06:00][request][INFO] POST /admin/test/smtp/
[2020-04-30 09:06:01][lettre::smtp][INFO] connection established to 188.125.73.26:465
[2020-04-30 09:06:02][error][ERROR] LetreErr.
[CAUSE] Permanent(
Response {
code: Code {
severity: PermanentNegativeCompletion,
category: Unspecified3,
detail: Five,
},
message: [
"5.7.0 (#AUTH005) Too many bad auth attempts.",
],
},
)
[2020-04-30 09:06:02][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request

 

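An added example, not from either poster, that reads a bitwarden_rs admin log like the one above and pulls out the cause of each failed SMTP test. The sample log embedded in it is constructed to match the shape of the posted lines (the first error line and its timestamp are made up, since the first excerpt above is cut off). What it makes visible is that the two failures above are of different kinds: the first is an I/O error, meaning no SMTP reply was ever received, while the second is a permanent 5.7.0 rejection from the mail server itself saying it has seen too many bad authentication attempts, which is worth reading before trying further port and TLS combinations against the same account.

```shell
#!/bin/sh
# Added example, not from the thread: pull the [CAUSE] of each "LetreErr."
# out of the bitwarden_rs admin log so the SMTP test failures can be told
# apart. SAMPLE_LOG below is constructed from the shape of the posted lines;
# it is not a real capture.
set -u

# smtp_failure_causes   (reads the log on stdin)
# Prints one line per LetreErr: "<timestamp>|<cause kind>|<message>".
# The cause is a multi-line Rust Debug dump: "[CAUSE] Kind(" opens it and the
# human-readable text is the first quoted string after "message:".
smtp_failure_causes() {
  awk '
    /\]\[error\]\[ERROR\] LetreErr/ { ts = substr($0, 2, 19); next }
    /^\[CAUSE\] /                   { kind = $2; sub(/\($/, "", kind); next }
    kind != "" && /message:/ {
      line = $0
      # "message: [" puts the quoted string on the following line
      if (index(line, "\"") == 0) { getline line }
      sub(/^[^"]*"/, "", line); sub(/".*$/, "", line)
      print ts "|" kind "|" line
      kind = ""
    }
  '
}

# classify_cause KIND -> short operator hint for a cause kind
classify_cause() {
  case "$1" in
    Io)        echo "no SMTP reply was received: connection or I/O error, check host, port and TLS setting" ;;
    Permanent) echo "server rejected the session with a 5xx reply, read the message text" ;;
    Transient) echo "server replied 4xx, retry later" ;;
    *)         echo "unrecognised cause kind: $1" ;;
  esac
}

# Constructed sample in the format of the log posted above.
SAMPLE_LOG='[2020-04-30 09:05:47][error][ERROR] LetreErr.
[CAUSE] Io(
Os {
code: 11,
kind: WouldBlock,
message: "Resource temporarily unavailable",
},
)
[2020-04-30 09:05:48][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request
[2020-04-30 09:06:01][lettre::smtp][INFO] connection established to 188.125.73.26:465
[2020-04-30 09:06:02][error][ERROR] LetreErr.
[CAUSE] Permanent(
Response {
code: Code {
severity: PermanentNegativeCompletion,
category: Unspecified3,
detail: Five,
},
message: [
"5.7.0 (#AUTH005) Too many bad auth attempts.",
],
},
)
[2020-04-30 09:06:02][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request'

# Stand-alone run: one line per failure plus the hint for its kind.
printf '%s\n' "$SAMPLE_LOG" | smtp_failure_causes | while IFS='|' read -r ts kind msg; do
  printf '%s  %s: %s\n    -> %s\n' "$ts" "$kind" "$msg" "$(classify_cause "$kind")"
done
```

To use it on a live container, feed it the real log instead of the sample, for example docker logs bitwardenrs 2>&1 | smtp_failure_causes, or point it at the log file if you have LOG_FILE set.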
8 minutes ago, Otacon said:

I have fixed my problem with SMTP.  Don't forget to save your settings before trying to send a test email. ;)

Yes, I always hit save after inputting new settings and then sending a test email after it has saved. What did you do to fix the problem? Are you using port 465 or 587 and do you have TLS checked or not?


I am at a loss with using the app on WiFi...

 

I am using Nginx Proxy Manager and can reach Bitwarden externally... I can reach BW using the IP locally on port 80. But if I try to login using the app it looks for port 443 by default and I can't login if connected to WiFi...

 

How come the docker only uses port 80 and not both? What can I do to fix this...?

20 minutes ago, ceyo14 said:

How come the docker only uses port 80 and not both? What can I do to fix this...?

The container doesn't create a self-signed certificate, so it can't serve https over port 443. Can you use the external address locally?

12 minutes ago, Roxedus said:

The container doesn't create a self-signed certificate, so it can't serve https over port 443. Can you use the external address locally?

It resolves to BW local IP...

 

If I do nslookup my DNS replies the local IP which only supports HTTP... and app only looks for HTTPS...

 

Externally, obviously, it works fine. But if I am at home on WiFi it's offline only...

9 minutes ago, Roxedus said:

So your domain resolves to Bitwarden's IP when local? Or to your npm instance?

Straight to local. Nslookup bw.mydomain.com returns 192.168.2.15.

 

Tracert to bw.mydomain.com shows only 192.168.2.15. It does not go to the router or reverse proxy first... So the app can't login locally because it expects 443 but the docker is only 80...

  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
