[GH-ISSUE #304] Can't connect to bitwarden vault from IOS app after update to v1.5.0 #164

Closed
opened 2026-03-03 01:26:12 +03:00 by kerem · 14 comments

Originally created by @ghost on GitHub (Dec 18, 2018).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/304

I can log in to web vault from Firefox and Firefox addon but can't from iOS app

```
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:05:25][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
[2018-12-18][15:06:09][rustls::session][WARN] Sending fatal alert DecodeError
```

```
[2018-12-18][15:08:19][rustls::server::hs][DEBUG] decided upon suite SupportedCipherSuite { suite: TLS13_AES_128_GCM_SHA256, kx: BulkOnly, bulk: AES_128_GCM, hash: SHA256, sign: Anonymous, enc_key_len: 16, fixed_iv_len: 12, explicit_nonce_len: 0 }
```

kerem closed this issue 2026-03-03 01:26:12 +03:00

@dani-garcia commented on GitHub (Dec 18, 2018):

That's strange, are you using HTTPS? If so, is the certificate a valid one?


@ghost commented on GitHub (Dec 18, 2018):

Yes I am using https with self-signed cert. Something is wrong with ios because I can't even open web vault in safari


@dani-garcia commented on GitHub (Dec 18, 2018):

Are you accessing by IP? The iOS app works for me, but I'm using a domain with Let's Encrypt certificates. Maybe you can manually mark the certificates as trusted or something?


@ghost commented on GitHub (Dec 18, 2018):

I am accessing by server IP in my local network. I am using self signed cert for bw server and I think this causes a problem


@dani-garcia commented on GitHub (Dec 18, 2018):

Yeah, that's possible. Did you try without HTTPS to see if that worked?


@ghost commented on GitHub (Dec 18, 2018):

As I remember web vault does not work without https


@dani-garcia commented on GitHub (Dec 18, 2018):

It depends on the clients, on Chrome the crypto API is not available in unsecured sites, but some other clients work fine.

Other than that, if the problem is that iOS won't accept self signed certificates for IPs, then you could configure a dns server so that it routes `bitwarden.local` or similar to your server and use it from your iOS device.

If on the other end, the problem is that iOS won't accept self signed certificates at all, then there is not much to do other than to get a domain name that you can use Let's Encrypt from.


@dani-garcia commented on GitHub (Jan 11, 2019):

Is this still a problem, or can we close it?

As a note, I recently found [mkcert](https://github.com/FiloSottile/mkcert) to easily make local certificates, they aren't self-signed, but instead use their own certificate authority. Something like that may help with cert issues.


@ghost commented on GitHub (Jan 11, 2019):

Yes this is still a problem.
I have to use Bitwarden without SSL because of this.

I tried mkcert to generate CA and self signed cert for server but still no success to connect from ios.

I know you are using Bitwarden on iOS with letsencrypt certs, can you deploy new docker container with self signed certs created by mkcert and check connection from Bitwarden ios app and Safari browser?

I bet RUSTLS does not like Safari and vice versa.


@dani-garcia commented on GitHub (Jan 11, 2019):

Okay, I think I got it.

First you need to create the certificate for your IP, but you can't use the IP directly, so you'll need a DNS entry to redirect to your IP.

For example to create the cert in my case, bitwarden is at `192.168.1.50`, so:

```sh
mkcert bitwarden.local # Redirected with DNS
mkcert 192.168.1.50.xip.io # Using xip.io
```

This will mention something about using local CA at: `<path>`, take note of it.

It will also create two files in the current directory, that you'll have to use with Rocket:

```
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=443
ROCKET_TLS={certs="/path/192.168.1.50.xip.io.pem",key="/path/192.168.1.50.xip.io-key.pem"}
```

Now, in the local CA path, there is a rootCA.pem, you need to send this to your iPhone, I sent it to my iCloud email address.

Open the attachment, and you'll get an `Install profile` window, click install, put your iPhone password and install it.

Then open the settings app > go to general > Open first one, Info or About > Go to the bottom, open Certificate Trust Settings > Enable your cert

Then enter bitwarden and set the server URL to the same URL passed to mkcert.

With that, I can use the app with HTTPS, and a mkcert certificate.
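
A pre-flight check for the setup described in the comment above, added here as an example and not part of the original thread or the vaultwarden project: it uses `openssl` to confirm that the certificate chains to the local CA, covers the host used in the server URL, and matches the key given to `ROCKET_TLS`. `check_cert` and `make_sample` are hypothetical helper names, and the CA and certificate generated by `make_sample` are constructed stand-ins for mkcert's output.

```shell
#!/bin/sh
# Added example: sanity-check the files mkcert produced before ROCKET_TLS uses them.
# check_cert HOST CERT KEY ROOTCA prints one line per check; returns 0 only if all pass.
check_cert() {
    host=$1; cert=$2; key=$3; rootca=$4; rc=0
    # 1. The leaf must chain to the local CA whose rootCA.pem is installed on the phone.
    if openssl verify -CAfile "$rootca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "ok   chain: signed by $rootca"
    else
        echo "FAIL chain: not signed by $rootca"; rc=1
    fi
    # 2. The host in the app's server URL must be a name the certificate covers.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "ok   name:  $host is covered by the certificate"
    else
        echo "FAIL name:  $host is not covered by the certificate"; rc=1
    fi
    # 3. The key handed to ROCKET_TLS must belong to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   key:   matches the certificate"
    else
        echo "FAIL key:   does not match the certificate"; rc=1
    fi
    return $rc
}

# Constructed sample data: a throwaway CA and leaf standing in for mkcert's output.
make_sample() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sample local CA" \
        -keyout "$dir/rootCA-key.pem" -out "$dir/rootCA.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA-key.pem" -CAcreateserial -days 2 \
        -extfile "$dir/ext.cnf" -out "$dir/$name.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" bitwarden.local
check_cert bitwarden.local "$tmp/bitwarden.local.pem" "$tmp/bitwarden.local-key.pem" "$tmp/rootCA.pem"
# Same files, but the URL uses the bare IP: the name check fails.
check_cert 192.168.1.50 "$tmp/bitwarden.local.pem" "$tmp/bitwarden.local-key.pem" "$tmp/rootCA.pem" || true
rm -rf "$tmp"
```

Against real mkcert output, pass the name given to `mkcert`, the two generated `.pem` files and the `rootCA.pem` from the local CA path.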


@ghost commented on GitHub (Jan 11, 2019):

My server is on 192.168.0.19. I use Pihole as dns in my local server. Do you know how to configure Pihole to respond with server ip when bitwarden.local is called?


@dani-garcia commented on GitHub (Jan 11, 2019):

I never used pihole, but maybe this will work?
https://discourse.pi-hole.net/t/howto-using-pi-hole-as-lan-dns-server/533

Edit: Or, if it's acting as a DNS server, maybe modifying pihole's `/etc/hosts` would be enough?


@ghost commented on GitHub (Jan 11, 2019):

Tried...
I will try: xip.io


@ghost commented on GitHub (Jan 11, 2019):

Setting local domain in Pihole fixed the problem with certificate on iOS.
Thanks for help
