Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[support] Vaultwarden (formerly Bitwarden_rs)

Featured Replies

First of all, great job with this docker, thanks!

 

I'm having troubles trying to fix an issue. My BitWarden server seems to crash after a couple of hours. Tried with the latest and alpine releases, same thing.

 

The container logs shows 'Uptime 6 hours (unhealthy)' but when I click on them, I only see normal logs, with my recent syncs and admin logins.

If I restart the docker, it works 100% fine for a couple of hours. I can run commands in the container console.

BW is not accessible either on LAN or via my reverse proxy, so this doesn't seem to be the problem, it just says connection timed out.

 

Is there any other logs I could check?

Edited by Spiltz
Typos

  • Replies 734
  • Views 278.2k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I added the following to my reverse proxy for the admin panel   location /admin { return 404; } I only access the panel locally using the direct ip.

  • New repository is: vaultwarden/server:latest Change it in docker settings: Stop the container Rename repository to vaultwarden/server Hit Apply and start the container

  • log showing [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure. Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`. See: https://github.com/dani-gar

Posted Images

I'm using Ubuntu and firefox with Bitwarden over port 80 and it has been working fine, that is until the last day or two it appears firefox (v75.0) was auto updated and now it has the same issue as chrome. When I try to login a little red box appears "This browser requires HTTPS to use the web vault. Check the bitward_rs wiki for details on how to enable it"

 

I guess I'm going to watch to watch spaceinvaders video to setup a proxy. grr.

 

Edited by rilles

So I watch space invaders video and a few others and my head was exploding in anger and frustration.  I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So scraped the bitwarden_rs docker site and they have a few easier suggestions - the one I used was Caddy 1.x (also a unraid docker)

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

you can't use localhost so make sure you enter your server IP address, and I enabled "tls self_signed"

 

works fine for me now on all browsers.

 

The docker unexpectedly came back 'Healthy' when I dropped various ports forwarding and my HAProxy reverse proxy in my pfsense router... Strange.

 

I am in the process of moving everything through a letsencrypt container on the unraid server instead, with a proper domain name. Will see if the issue reoccur using this setup.

3 hours ago, rilles said:

So I watch space invaders video and a few others and my head was exploding in anger and frustration.  I don't want to expose this to the internet, I don't want a domain and I don't need a real cert, waaay too much fiddling.

 

So scraped the bitwarden_rs docker site and they have a few easier suggestions - the one I used was Caddy 1.x (also a unraid docker)

 

https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples

 

you can't use localhost so make sure you enter your server IP address, and I enabled "tls self_signed"

 

works fine for me now on all browsers.

 

 

"tls self_signed" is for testing only and only lasts 7 days.

 

created a 5 year self signed cert in Ubuntu:

openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout caddy-selfsigned.key -out caddy-selfsigned.crt

 

copied it to unraid file share, copy it from the share to /mnt/cache/appdata/caddy

 

start caddy, launch console and edit CaddyFile with vi.   change "tls self_signed" to "tls caddy-selfsigned.key caddy-selfsigned.crt"

 

restart caddy and away you go.

 

I tried some of the ngix dockers but I could not get any of them to work, either due to letsencrypt errors or just to hard and fiddly for an amateur.

 

What an excellent piece of software and an amazing thing to be able to self host and run on our own servers. 
 

I set mine up in no time using spaceinvaderone’s excellent video and have it running through my exisiting letsencrypt reverse proxy. 
 

I was so impressed with this yesterday. I decided to do a full migration from my current password manager and see if I can actually use it real world. 
 

I mean, jeez, I pay Dashlane $50 per year for this functionality and this is just as polished. I was able to setup an iOS app, desktop app on OS X and also browser integration (which I might add is even BETTER than Dashlane for Safari) just as easy as with the paid Dashlane service.  Shame I renewed my yearly Dashlane subscription in Feb. anyway, I guess that’s good JIC this little trial goes awry. I don’t think it will though. 
 

One issue I have though is the security of the admin page. It’s open to the world. Yes I know it’s protected by a long random ssl generated key but I’d much prefer the secure method of accessing it that utilises email OR hide it from being public facing completely. 
 

Does anyone know how to enable the email access method for this RS version OR know how to limit access to the admin link to LAN only!?
 

 

4 minutes ago, danioj said:

Does anyone know how to enable the email access method for this RS version OR know how to limit access to the admin link to LAN only!?
 

 

I haven't proceeded yet, but from what I saw you can use Fail2Ban on both the vault and the admin access page. I'll also look into installing a SSL client auth on the admin page..

 

Edit: Reply below is way better.

Edited by Spiltz

  • Author

I added the following to my reverse proxy for the admin panel
 

	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

52 minutes ago, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

Sweet, thank you!!!

1 hour ago, Roxedus said:

I added the following to my reverse proxy for the admin panel
 


	location /admin {
		return 404;
	}

I only access the panel locally using the direct ip.

Worked like a charm. I think this should be noted somewhere as being "best practice" for new people setting the app up.

On 4/18/2020 at 8:28 PM, rilles said:

 

"tls self_signed" is for testing only and only lasts 7 days.

 

created a 5 year self signed cert in Ubuntu:

openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout caddy-selfsigned.key -out caddy-selfsigned.crt

 

copied it to unraid file share, copy it from the share to /mnt/cache/appdata/caddy

 

start caddy, launch console and edit CaddyFile with vi.   change "tls self_signed" to "tls caddy-selfsigned.key caddy-selfsigned.crt"

 

restart caddy and away you go.

 

I tried some of the ngix dockers but I could not get any of them to work, either due to letsencrypt errors or just to hard and fiddly for an amateur.

 

rilles could you please post your Caddyfile as I am not 100% sure where to put the "tls caddy-selfsigned.key caddy-selfsigned.crt" part. I have the Certs created and in my /mnt/cache/appdata/caddy.

 

Also how did you manage to save the Caddyfile using vi ? When I amended the Caddyfile with vi I could not work out how to save it lol. Pressing Esc did nothing then any combination of the Alt Key seemed to do nothing much as well.

On 4/24/2020 at 6:31 PM, Ricin said:

rilles could you please post your Caddyfile as I am not 100% sure where to put the "tls caddy-selfsigned.key caddy-selfsigned.crt" part. I have the Certs created and in my /mnt/cache/appdata/caddy.

 

Also how did you manage to save the Caddyfile using vi ? When I amended the Caddyfile with vi I could not work out how to save it lol. Pressing Esc did nothing then any combination of the Alt Key seemed to do nothing much as well.

Assuming you have a cache drive. "/mnt/cache/appdata/caddy/config"  <-- this is the directory to put your config file and certs into.

 

I remember some ancient days when I had to use vi - go to the spot you want to edit and press "i" and then edit

when you are done editing press escape.  press ":" and then "w" to save the file and then ":" and then "q" to exit.

 

root@Tower:/mnt/cache/appdata/caddy/config# v
-rw-r--r-- 1 root   root   693 Apr 18 15:35 Caddyfile
-rw-rw-rw- 1 nobody users 1350 Apr 18 15:16 caddy-selfsigned.crt
-rw-rw-rw- 1 nobody users 1704 Apr 18 15:16 caddy-selfsigned.key

 

here is my copy of the "Caddyfile" config file (192.168.1.243 is the IP of my unraid server)

 

:443 {
  # tls ${SSLCERTIFICATE} ${SSLKEY}
  tls caddy-selfsigned.crt caddy-selfsigned.key
  # or 'tls self_signed' to generate a self-signed certificate

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  gzip

  # The negotiation endpoint is also proxied to Rocket
  proxy /notifications/hub/negotiate 192.168.1.243:8008 {
    transparent
  }

  # Notifications redirected to the websockets server
   proxy /notifications/hub 192.168.1.243:3012 {
    websocket
   }

  # Proxy the Root directory to Rocket
  proxy / 192.168.1.243:8008 {
    transparent
  }
}

Edited by rilles

Thank you for that :)

 

Will give it a go if I cant get Letsencrypt working. Spent most of the day getting that very close just keep getting error 521 from cloudflare. Tomorrows another day will have a look when more awake.

Can anyone help me get smtp to work with gmail?  I've created an App Password for my gmail account and entered in the generated password into BitwardenRS SMTP Email Settings page.  When i try to send an email i get this error: Error sending SMTP test email LetreErr.  I don't know what else I can try to resolve this issue.  My BitwardenRS container is behind a reverse proxy if that helps.

Thank you rilles worked perfect :)

I'm having some issues setting up smtp on bitwardenrs. I have a dedicated gmail account that I use for another service. I have enabled 2fa and created an app key/password and utilized that within bitwarden, just as I have with my other application (node-red). No matter what I try, it will not send a test email. I thought maybe it was gmail, so I went ahead and created a yahoo account and the result was the same. I just installed the latest version of bitwardenrs for the first time a couple weeks ago and have finished setting it up now. Here is the error I'm receiving.

 

Has anyone else had this experience and if so, what did you do to resolve it?

 

I have tried 587 TLS and 465 without TLS and every combination in between.

 

[CAUSE] Io(
Os {
code: 11,
kind: WouldBlock,
message: "Resource temporarily unavailable",
},
)
[2020-04-30 09:05:48][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request
[2020-04-30 09:05:53][request][INFO] POST /admin/config/
[2020-04-30 09:05:53][response][INFO] POST /admin/config (post_config) => 200 OK
[2020-04-30 09:05:54][request][INFO] GET /admin
[2020-04-30 09:05:54][response][INFO] GET /admin (admin_page) => 200 OK
[2020-04-30 09:06:00][request][INFO] POST /admin/test/smtp/
[2020-04-30 09:06:01][lettre::smtp][INFO] connection established to 188.125.73.26:465
[2020-04-30 09:06:02][error][ERROR] LetreErr.
[CAUSE] Permanent(
Response {
code: Code {
severity: PermanentNegativeCompletion,
category: Unspecified3,
detail: Five,
},
message: [
"5.7.0 (#AUTH005) Too many bad auth attempts.",
],
},
)
[2020-04-30 09:06:02][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request

 

I have fixed my problem with SMTP.  Don't forget to save your settings before trying to send a test email. ;)

8 minutes ago, Otacon said:

I have fixed my problem with SMTP.  Don't forget to save your settings before trying to send a test email. ;)

Yes, I always hit save after inputting new settings and then sending a test email after it has saved. What did you do to fix the problem? Are you using port 465 or 587 and do you have TLS checked or not?

  • Author

This is the settings I use, this account does not have 2FA enabled. 

 

I am at a loss with using the app on WiFi...

 

I am using Ngonx Proxy Manager and can reach bitwarden externally... I can reach BW using IP locally on port 80. But if I try to login using the app it looks for port 443 by default and I cant login if connected to WiFi...

 

How come the docker only uses port 80 and not both? What can I do to fix this...?

  • Author
20 minutes ago, ceyo14 said:

How come the docker only uses port 80 and not both? What can I do to fix this...?

The container doesnt create a self-signed certificate, so it cant serve https over port 443. Can you use the external address locally?

Edited by Roxedus

12 minutes ago, Roxedus said:

The container doesnt create a self-signed certificate, so it cant serve https over port 443. Can you use the external address locally?

It resolves to BW local IP...

 

If I do nslookup my DNS replies the local IP which only supports HTTP... and app only looks for HTTPS...

 

Externally obviously it works fine. But if I am at home on WiFi its offline only...

  • Author

So your domain resolves to bitwardens ip when local? or to your npm instance?

9 minutes ago, Roxedus said:

So your domain resolves to bitwardens ip when local? or to your npm instance?

Straight to local. Nslookup bw.mydomain.com returns 192.168.2.15.

 

Tracert to bw.mydomain.com only 192.168.2.15 is shown. Does not go to router or reverse proxy first... So app cant login locally because it expects 443 but docker is only 80...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.