[GH-ISSUE #228] Can't confirm users #113

Closed
opened 2026-03-03 01:25:01 +03:00 by kerem · 13 comments
Owner

Originally created by @Toucan-Sam on GitHub (Oct 21, 2018).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/228

Hey guys,

Been using Bitwarden hosted as a solution for a little while and love it, so this project is really cool.

I've recently pulled latest which appears as Bitwarden 2.4.0 and can't seem to confirm users into organizations. I've spun up the image with my own pre-configured docker-compose file and am using NGINX as a reverse proxy for HTTPS.

As soon as I create an organization, I see the [error: cannot decrypt] message on the left in the menus. Which I thought was strange considering I created the organization and am the Owner. No worries. Will invite a second user and make them owner and then maybe they need to confirm me? Not so much.

After inviting a user they are "Accepted" but when I click confirm nothing happens and an error prints in the console.

    ERROR Error: Uncaught (in promise): Error: Could not complete the operation due to error 8070000b. Error: Could not complete the operation due to error 8070000b.
        at r.sent (https://<redacted>/app/main.c6a35a42e5e66d7adeea.js:1:2362743)
        at Anonymous function (https://<redacted>/app/main.c6a35a42e5e66d7adeea.js:1:2369007)
        at Anonymous function (https://<redacted>/app/main.c6a35a42e5e66d7adeea.js:1:2363621)
        at Anonymous function (https://<redacted>/app/main.c6a35a42e5e66d7adeea.js:1:2362934)
        at i (https://<redacted>/app/main.c6a35a42e5e66d7adeea.js:1:2362518)
        at t.prototype.invoke (https://<redacted>/app/polyfills.c6a35a42e5e66d7adeea.js:16:6904)
        at onInvoke (https://<redacted>/app/vendor.c6a35a42e5e66d7adeea.js:200:2035)
        at t.prototype.invoke (https://<redacted>/app/polyfills.c6a35a42e5e66d7adeea.js:16:6904)
        at e.prototype.run (https://<redacted>/app/polyfills.c6a35a42e5e66d7adeea.js:16:2145)
        at Anonymous function (https://<redacted>/app/polyfills.c6a35a42e5e66d7adeea.js:16:13473)

I've tried this in multiple browsers with and without plugins enabled and they all seem to throw the same message.

Am I missing something?

Edit: Adding items to my own account seems to work just fine. If I try to share them with the organization I created I see the same [error: cannot decrypt] after choosing an organization.

kerem 2026-03-03 01:25:01 +03:00
Author
Owner

@mprasil commented on GitHub (Oct 21, 2018):

Hi, any errors in the bitwarden_rs logs? Do you use websockets sync?

Author
Owner

@Toucan-Sam commented on GitHub (Oct 21, 2018):

Logs look like this... (If there are different ones you'd prefer, just let me know which ones you want instead :)

Because formatting: [pastebin link](https://pastebin.com/ravQ439x)
Edit 2: This is unedited. Including the bits in <> brackets.

And my NGINX config [looks like this](https://pastebin.com/DUzYdC61).

Edit: I have not explicitly defined websockets in my docker-compose file despite forwarding the ports via NGINX. I have however opened the required ports in docker.

    ports:
     - "3020:80"
     - "3012:3012"
Author
Owner

@Toucan-Sam commented on GitHub (Oct 24, 2018):

The Chrome console has an error message when loading pages as well.

Error: Failed to start the connection: Error: Unable to initialize any of the available transports. e.log @ Utils.js:190

I'm assuming this has something to do with my websocket configuration so am continuing to troubleshoot.

Author
Owner

@mprasil commented on GitHub (Oct 24, 2018):

The `Failed to add device to user` message is strange. I wouldn't expect that to fail really. It fails to save DB record [here](https://github.com/dani-garcia/bitwarden_rs/blob/faec050a6d241d820a2cf11dff7815ddf613cb25/src/db/models/device.rs#L115) which is weird. I've noticed that in my logs as well, so I guess this is not your problem here, but maybe something worth looking into.

Do you have WebSockets enabled via the `WEBSOCKET_ENABLED` variable?
Author
Owner

@Toucan-Sam commented on GitHub (Oct 25, 2018):

Well, that's mildly comforting if not unfortunate. Hah.

RE: WEBSOCKET_ENABLED the answer is... no. I had set an address, and a port, but not actually enabled it. Websockets are working as expected now and can be seen in the console.

With that being a thing, I deleted the image, the container, and all associated databases/files to start fresh and rebuilt.

I created an account, logged in, created an organization and get the same [error: cannot decrypt] message on the left.

Fine. I didn't realize organizations could have multiple collections so I went to create a new one and see if maybe it's just a bug. When I click "+ New Collection" I get ERROR Error: Uncaught (in promise): OperationError.

Ok. Well, let's try anyway...

ERROR Error: Uncaught (in promise): Error: No encryption key for this organization.
Error: No encryption key for this organization.

So in summary, it's still not working, but that's a different message than I've seen before.

Did I skip a step somewhere? Do I need to do that manually?

Edit: As an additional note, I'm using the `SERVER_ADMIN_EMAIL=` account for all of this testing. Though it didn't seem to make a difference if I created and used a different user.

Author
Owner

@mprasil commented on GitHub (Oct 25, 2018):

@Toucan-Sam definitely don't use `SERVER_ADMIN_EMAIL` account for anything else than server administration. That account is barely working enough to give you the admin functionality because we need to send this half-complete organization object to Vault to simulate organization. You also shouldn't use this organization for anything else other than managing users. If you try to create Collection or add a key, it will be broken/lost. See [documentation here](https://github.com/dani-garcia/bitwarden_rs#configure-server-administrator). It's purely virtual organization and most things won't work there.

To create a proper organization, under your regular account (not the admin one!) create regular organization. That should work.
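As an added illustration (not from this thread or the project's own docs), here is a docker-compose fragment that puts the two misconfigurations discussed above side by side with a corrected service definition: websocket address and port set without `WEBSOCKET_ENABLED`, and `SERVER_ADMIN_EMAIL` pointing at an address that is also someone's everyday vault account. The service names, e-mail addresses and data directories are constructed placeholders; `WEBSOCKET_ADDRESS` and `WEBSOCKET_PORT` are assumed to be the address and port variables the reporter refers to.

```yaml
# Added example, not from the thread. Service names, addresses and data
# directories are constructed; the image and the 3020:80 / 3012:3012
# port mappings are the ones used in the thread.
version: "3"
services:

  # Misconfigured. The websocket address and port are set, but the
  # notifications listener is never switched on, so the Vault logs
  # "Unable to initialize any of the available transports" on every
  # page load. SERVER_ADMIN_EMAIL is also the address of a person's
  # daily vault account; the admin account only works well enough to
  # manage users in the virtual bitwarden_rs organization, and mixing
  # it with regular use is what broke organizations for the reporter.
  bitwarden_broken:
    image: mprasil/bitwarden
    environment:
      - WEBSOCKET_ADDRESS=0.0.0.0
      - WEBSOCKET_PORT=3012
      - SERVER_ADMIN_EMAIL=alice@example.test   # alice also uses this vault daily
    volumes:
      - ./bw-data-broken:/data
    ports:
      - "3020:80"
      - "3012:3012"

  # Corrected. WEBSOCKET_ENABLED=true actually starts the listener
  # (address and port alone are not enough), port 3012 stays published
  # for the reverse proxy to forward to, and the admin address is a
  # dedicated account used for nothing except server administration.
  bitwarden:
    image: mprasil/bitwarden
    environment:
      - WEBSOCKET_ENABLED=true
      - WEBSOCKET_ADDRESS=0.0.0.0
      - WEBSOCKET_PORT=3012
      - SERVER_ADMIN_EMAIL=bw-admin@example.test  # dedicated, never used as a regular vault
    volumes:
      - ./bw-data:/data
    ports:
      - "3020:80"
      - "3012:3012"
```

The two services are shown together only for comparison; since both publish the same host ports, only one of them would be deployed at a time.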
Author
Owner

@Toucan-Sam commented on GitHub (Oct 25, 2018):

SO!

While I was never sharing or managing anything with the SERVER_ADMIN_EMAIL via the bitwarden_rs virtual organization...

When I comment out the SERVER_ADMIN_EMAIL and spin up a new container... magically it works as expected.

Seems like there is a bug in the latest version if the SERVER_ADMIN_EMAIL does... anything... or is even configured. Previously I'd used that account, but I'd also created a different account and tried creating organizations and still had the same problem.

Author
Owner

@mprasil commented on GitHub (Oct 25, 2018):

That's strange indeed. Can you provide steps to reproduce the breakage while using non-admin account?

Author
Owner

@Toucan-Sam commented on GitHub (Oct 25, 2018):

Will document better tomorrow (bed time for me!).

Roughly so I don't forget, scenarios I've tested:

  1. Spin up container with SERVER_ADMIN_EMAIL defined == All accounts are broken. (Fresh data)
  2. Spin up container without SERVER_ADMIN_EMAIL defined == works as expected. (Fresh data)
  3. Spin up container without SERVER_ADMIN_EMAIL defined, delete container, define SERVER_ADMIN_EMAIL (different to primary user), recreate container == works as expected (Persistent data)

Not tested:

  1. Spin up container without SERVER_ADMIN_EMAIL defined, delete container, define SERVER_ADMIN_EMAIL (same as primary user), recreate container == ??? (Persistent data)

Before deleting containers with persistent data obviously there needs to be an item in the sqlite database.

On a completely separate note: is it expected behavior to only be allowed to share an item with a single organization? IE, I want to share Site-A with my 'Family' org so my Mrs and her parents can use it. However, I also want to share Site-A with my best friend and their partner, but I do not want to include them in the 'Family' org so they can't see Site-B and Site-C. Otherwise I have to create some weird overlapping organizations.

Author
Owner

@mprasil commented on GitHub (Oct 25, 2018):

Thanks for that, I'll try to have a look at this, but it's good to know it works with persistent data as that would be majority of cases hopefully.

To answer your question, the "sharing" is kinda bad name for the operation. (and I believe there's upstream issue reported to change it to something more descriptive) Sharing actually moves the password to the organization, so you no longer own it directly. So you can't share it multiple times, because you don't own it after the first time.

Author
Owner

@mprasil commented on GitHub (Oct 25, 2018):

@Toucan-Sam I tried to reproduce the issue as described in your first point, but I can't. 😕

Here's what I did:

    docker run -ti --rm -p 80:80 -e SERVER_ADMIN_EMAIL=some@some.org mprasil/bitwarden

Then I went to Vault and created new account test@test.test (notice, that it's different than the admin) and I could use that account normally. I've created passwords, Organizations, shared the stuff with org - all working fine.

Then I created account for some@some.org (admin account) and logged in, I could see the bitwarden_rs Organization there and I could manage users. I didn't create any ciphers or anything there, I didn't create any organizations either. (you are NOT supposed to do that)

Then I logged back to test@test.test and everything there works as before. I have my created organization, I have my shared cipher, everything is accessible.

Author
Owner

@mprasil commented on GitHub (Nov 15, 2018):

@Toucan-Sam, is this still an issue? As far as I can tell this was due to the SERVER_ADMIN_EMAIL being used with an account that's also used for regular stuff. We've since added a more visible warning to discourage people from doing that. 😅

Also I was now re-reading your separate question there about sharing some stuff with family and friends and I think you can solve your problem with collections. You just give your family access to family-only collection, your friends to friends-only collection and give them both access to some shared collection.

Author
Owner

@dani-garcia commented on GitHub (Dec 13, 2018):

This hasn't had activity in some time, so I'm closing it now.
If this is still an issue, please reopen it.
