mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-26 09:46:00 +03:00
[GH-ISSUE #610] Server SSL error on deploy stack #407
Originally created by @tiagozacarias on GitHub (Sep 7, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/610
Dear,
I am trying to deploy a bitwardenrs stack with HTTPS and have the following error in the stack logs:

bitwarden_rs_bitwarden.1.acbhzf27v0z@getsemani.tiagoti.com.br | [2019-09-07 00:35:02][rocket::config::error][ERROR] environment variable ROCKET_TLS='{certs="/ssl/certificate.pem", key="/ssl/bitwarden.pem"}' could not be parsed

My stack settings:

version: "3"
services:
  bitwarden:
    image: bitwardenrs/server:1.10.0
    environment:
      - DOMAIN=http://bitwarden.home.ad.local
      - SIGNUPS_ALLOWED=true
      - INVITATIONS_ALLOWED=true
      - WEBSOCKET_ENABLED=true
      - ROCKET_TLS='{certs="/ssl/certificate.pem", key="/ssl/bitwarden.pem"}'
      - SMTP_HOST=localhost
      - SMTP_FROM=bitwarden@localhost
      - SMTP_PORT=25
      - SMTP_SSL=false
      - SHOW_PASSWORD_HINT=true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /DATA/bitwarden_rs:/data/:rw
      - /ssl:/ssl/:rw
    deploy:
      labels:
        - traefik.enable=true
        - traefik.web.frontend.rule=Host:bitwarden.ad.home.local
        - traefik.web.port=80
        - traefik.hub.frontend.rule=Host:bitwarden.ad.home.local;Path:/notifications/hub
        - traefik.hub.port=3012
        - traefik.hub.protocol=ws
        - traefik.docker.network=traefik_public
    networks:
      - traefik_public
networks:
  traefik_public:
@Ayitaka commented on GitHub (Sep 7, 2019):
Pretty sure it's just a matter of removing the apostrophes:

- ROCKET_TLS='{certs="/ssl/certificate.pem", key="/ssl/bitwarden.pem"}'

changed to:

- ROCKET_TLS={certs="/ssl/certificate.pem", key="/ssl/bitwarden.pem"}

The example gives the command line format for ROCKET_TLS, which is

-e key='val'

But in docker-compose you can use the

- key=val

format or the

key: 'val'

format for environment settings (edit: but you can't mix the two).

@Ayitaka commented on GitHub (Sep 7, 2019):
It's saying it cannot find the files. Your configuration is saying to check /ssl (not /path/to/docker-compose.yml/ssl).
So either make sure your certificates are in the literal directory /ssl or change your configuration to

- ./ssl:/ssl/:rw

to indicate that the files are in a directory under the directory where you started docker-compose, i.e. /path/to/docker-compose.yml/ssl/ with /path/to/docker-compose.yml/ssl/certificate.pem and /path/to/docker-compose.yml/ssl/bitwarden.pem
(Edit: And apparently the comment I was replying to was deleted, but I'll leave this here in case you still need the answer.) :)
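Both problems from the two comments above (the apostrophes that the list form of "environment" keeps as part of the value, and a cert path that points at a different host directory than the bind mount) can be caught before running docker stack deploy. The script below is an added example, not code from this issue or from the vaultwarden project. It works on the dict that yaml.safe_load() returns for a docker-compose.yml, so it needs no PyYAML; the two sample services, the /srv/vw compose directory and the fake list of host files are constructed here to mirror the stack in the thread. One caveat it encodes: in the mapping form the value must stay quoted (ROCKET_TLS: '{...}'), because an unquoted "{" starts a YAML flow mapping rather than a string.

```python
"""Pre-deploy check for ROCKET_TLS in a vaultwarden/bitwarden_rs compose service.

Example code written for this page. It expects the service dict as produced by
yaml.safe_load() on docker-compose.yml; the samples below are built by hand.
"""
import os
import re

# One key="value" pair inside Rocket's TOML-style inline table {certs="...", key="..."}.
_PAIR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def env_to_dict(env):
    """Normalise compose 'environment' (list of KEY=VAL or a mapping) to {str: str}."""
    if env is None:
        return {}
    if isinstance(env, dict):
        # YAML already turned true/false into bools in mapping form; compose sends them as text.
        return {k: ("" if v is None else ("true" if v is True else "false" if v is False else str(v)))
                for k, v in env.items()}
    out = {}
    for item in env:
        key, sep, val = str(item).partition("=")  # split on the first '=' only
        out[key] = val if sep else ""
    return out


def parse_rocket_tls(value):
    """Parse a ROCKET_TLS value; return (table, problems). Empty problems means it parses."""
    problems = []
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == "'":
        # In list form the apostrophes are literal, so Rocket sees '{...}' and fails
        # to parse it, which is exactly the error in the original report.
        problems.append("value is wrapped in single quotes; drop them in list form "
                        "or use the mapping form ROCKET_TLS: '{...}'")
        v = v[1:-1].strip()
    if not (v.startswith("{") and v.endswith("}")):
        problems.append("value is not an inline table {certs=..., key=...}")
        return {}, problems
    table = dict(_PAIR_RE.findall(v[1:-1]))
    for required in ("certs", "key"):
        if required not in table:
            problems.append(f"missing {required}= entry")
    return table, problems


def container_to_host(path, volumes):
    """Map a container path to the host path via short-syntax bind mounts.

    Returns None when no bind mount covers the path (named volumes are skipped).
    """
    best = None
    for spec in volumes or []:
        parts = str(spec).split(":")
        if len(parts) < 2:
            continue
        host = os.path.expanduser(parts[0])
        if not host.startswith(("/", ".")):
            continue  # named volume, not a host directory
        cont = parts[1].rstrip("/") or "/"
        if cont == "/" or path == cont or path.startswith(cont + "/"):
            if best is None or len(cont) > len(best[1]):
                best = (host, cont)  # longest container prefix wins
    if best is None:
        return None
    host, cont = best
    rel = path[len(cont):].lstrip("/")
    return os.path.join(host, rel) if rel else host


def check_service(service, compose_dir=".", exists=os.path.isfile):
    """Return human-readable findings for one compose service (empty list = OK)."""
    findings = []
    env = env_to_dict(service.get("environment"))
    if "ROCKET_TLS" not in env:
        return findings  # plain HTTP (e.g. TLS terminated at a reverse proxy); nothing to check
    table, problems = parse_rocket_tls(env["ROCKET_TLS"])
    findings.extend(problems)
    for name in ("certs", "key"):
        cpath = table.get(name)
        if not cpath:
            continue
        hpath = container_to_host(cpath, service.get("volumes"))
        if hpath is None:
            findings.append(f"{name}={cpath}: no bind mount covers this container path")
            continue
        if not hpath.startswith("/"):
            hpath = os.path.normpath(os.path.join(compose_dir, hpath))  # ./ssl is relative to compose dir
        if not exists(hpath):
            findings.append(f"{name}={cpath}: host file {hpath} does not exist")
    return findings


# Constructed samples: the thread's broken stack and a corrected one (as yaml.safe_load would return them).
BROKEN_SERVICE = {
    "image": "bitwardenrs/server:1.10.0",
    "environment": [
        "DOMAIN=http://bitwarden.home.ad.local",
        "ROCKET_TLS='{certs=\"/ssl/certificate.pem\", key=\"/ssl/bitwarden.pem\"}'",
    ],
    "volumes": ["/etc/localtime:/etc/localtime:ro", "/DATA/bitwarden_rs:/data/:rw", "/ssl:/ssl/:rw"],
}
FIXED_SERVICE = {
    "image": "bitwardenrs/server:1.10.0",
    "environment": {"DOMAIN": "https://bitwarden.home.ad.local",
                    "ROCKET_TLS": '{certs="/ssl/certificate.pem", key="/ssl/bitwarden.pem"}'},
    "volumes": ["./ssl:/ssl/:ro"],
}
# Fake host filesystem (constructed) so the check runs offline; /ssl itself does not exist.
FAKE_FILES = {"/srv/vw/ssl/certificate.pem", "/srv/vw/ssl/bitwarden.pem"}


def demo():
    """Run the check on both samples with the fake filesystem; returns (broken, fixed) findings."""
    fake_exists = lambda p: p in FAKE_FILES
    return (check_service(BROKEN_SERVICE, "/srv/vw", fake_exists),
            check_service(FIXED_SERVICE, "/srv/vw", fake_exists))


if __name__ == "__main__":
    for label, findings in zip(("broken", "fixed"), demo()):
        print(label, findings or "OK")
```

Run it from the directory holding the compose file with exists left at its default (os.path.isfile) and it checks the real host paths; the broken sample reports the quoted value plus two missing files under /ssl, the corrected one reports nothing.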
@tiagozacarias commented on GitHub (Sep 7, 2019):
Reporting back,
It went well when deploying; the errors were in the old replicas of the swarm service. So now I have another problem: I cannot establish an SSL connection with bitwarden. I publish ports 442:80 on the host and get the following SSL error:

This site can't provide a secure connection. 10.0.1.63 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Web logs:

stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch][INFO] Configured for staging.
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] address: 0.0.0.0
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] port: 80
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] log: normal
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] workers: 10
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] secret key: private-cookies disabled
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] limits: forms = 32KiB, json* = 10MiB
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] keep-alive: 5s
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch_][INFO] tls: enabled
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][ws][INFO] Listening for new connections on 0.0.0.0:3012.
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][rocket::fairing::fairings][INFO] Fairings:
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][_][INFO] 1 response: Application Headers
stack_bitwarden.1.4flg67gevd8q@getsemani.domain.com.br | [2019-09-07 11:34:41][launch][INFO] Rocket has launched from https://0.0.0.0:80

According to the log, the SSL service is running on port 80. Is this correct?
@Ayitaka commented on GitHub (Sep 7, 2019):
Not sure what 442:80 means.... The default port for https:// is 443, or:
...in the bitwarden service section). But you're connecting to something if you're getting that message?
According to Google, that error means something is (temporarily) wrong with the browser or (permanently) wrong with the certificate.
Try making sure your date and time are set correctly and match up on your server and on your system, or check your anti-virus to make sure it isn't blocking the site for some reason, or clear browser data / SSL state in your browser's settings (but this is a drastic last resort); it might help.
Certificates signed with SHA-1 (shouldn't happen anymore anywhere?) can also cause this error.
And apparently many other things can potentially cause that error...
Anyone else have any ideas?
(Edit: Are you trying to connect using a local hostname (bitwarden.local) while your server is using a certificate with a public hostname (bitwarden.example.com)? That might also cause it.)
@tiagozacarias commented on GitHub (Sep 7, 2019):
I'm sorry Ayitaka, the port published on the host is actually 443:80; it was just an error at the time of writing. I am connecting via Google Chrome and then I get this message.
As for the certificate, it may be the problem. I generated it following the tutorial in the bitwardenrs wiki:
https://github.com/dani-garcia/bitwarden_rs/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome
I'll take a look at the internal CA I created to check the certificate and key consistency for the internal hostname.
Thanks for the help.
I'll be back with news soon.
@tiagozacarias commented on GitHub (Sep 7, 2019):
Ayitaka,
Everything went perfectly after I recreated the CA private key and certificate and then generated new certificates based on this new CA. So it was a container-side certificate issue; thanks for clarifying my ideas.