[GH-ISSUE #1045] TLS failures using self hosted email server #739

Closed
opened 2026-03-03 02:02:44 +03:00 by kerem · 6 comments

Originally created by @causalityloop on GitHub (Jul 5, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1045

Subject of the issue

bitwarden cannot use the configured email server because the cert received from the mail server is not trusted. Adding the ability to install the respective root/subordinate CAs will allow bitwarden to trust the cert.

Your environment

  • Bitwarden_rs version: 1.15.1-b34d5482
  • Install method: docker compose sourcing image at bitwardenrs/server:latest
  • Clients used:
  • Reverse proxy and version:
  • Version of mysql/postgresql:
  • Other relevant information:

Steps to reproduce

Used the following related SMTP settings

extra_hosts:
  - "mail.codeloft.tech:<email_server_ip>"
environment:
  - SMTP_HOST=<email_server_ip>
  - SMTP_FROM=<user>
  - SMTP_PORT=565
  - SMTP_SSL=true
  - SMTP_EXPLICIT_TLS=true
  - SMTP_USERNAME=<user>
  - SMTP_PASSWORD=<password>

Expected behaviour

Emails are delivered

Actual behaviour

Emails are not delivered.

Relevant logs

The bitwarden log contains:

bitwardenrs  | [2020-07-05 12:51:08][bitwarden_rs::api::core::accounts][ERROR] Error sending welcome email: SmtpError.
bitwardenrs  | [CAUSE] Io(
bitwardenrs  |     Custom {
bitwardenrs  |         kind: Other,
bitwardenrs  |         error: Failure(
bitwardenrs  |             Ssl(
bitwardenrs  |                 Error {
bitwardenrs  |                     code: ErrorCode(
bitwardenrs  |                         1,
bitwardenrs  |                     ),
bitwardenrs  |                     cause: Some(
bitwardenrs  |                         Ssl(
bitwardenrs  |                             ErrorStack(
bitwardenrs  |                                 [
bitwardenrs  |                                     Error {
bitwardenrs  |                                         code: 337047686,
bitwardenrs  |                                         library: "SSL routines",
bitwardenrs  |                                         function: "tls_process_server_certificate",
bitwardenrs  |                                         reason: "certificate verify failed",
bitwardenrs  |                                         file: "../ssl/statem/statem_clnt.c",
bitwardenrs  |                                         line: 1915,
bitwardenrs  |                                     },
bitwardenrs  |                                 ],
bitwardenrs  |                             ),
bitwardenrs  |                         ),
bitwardenrs  |                     ),
bitwardenrs  |                 },
bitwardenrs  |                 X509VerifyResult {
bitwardenrs  |                     code: 20,
bitwardenrs  |                     error: "unable to get local issuer certificate",
bitwardenrs  |                 },
bitwardenrs  |             ),
bitwardenrs  |         ),
bitwardenrs  |     },
bitwardenrs  | )
bitwardenrs  | [2020-07-05 12:51:08][response][INFO] POST /api/accounts/register (register) => 200 OK

kerem closed this issue 2026-03-03 02:02:44 +03:00

@BlackDex commented on GitHub (Aug 16, 2020):

You can try to add the CA cert yourself by using the startup script @jjlin created: https://github.com/dani-garcia/bitwarden_rs/wiki/Starting-a-Container#customizing-container-startup

Or you can make sure the docker host has the CA installed correctly and do a read-only mount of the /etc/ssl/certs folder within docker by using -v /etc/ssl/certs:/etc/ssl/certs:ro; this should include all the CA certs your host allows within the docker container.

And you probably need to mount the following also as a read only:
-v /usr/share/ca-certificates/mozilla:/usr/share/ca-certificates/mozilla:ro


@BlackDex commented on GitHub (Oct 9, 2020):

@causalityloop, do you have this issue fixed?
I'm thinking of implementing an option to ignore the certificate when needed in cases like this. I have to wait a bit for the email library to release their new (beta) version, which should have this included.


@causalityloop commented on GitHub (Oct 10, 2020):

Yes, thank you for reaching out. I will close this. I had a PR against this issue that fixed my specific use case (1046), and @jjlin reached out with his idea (1048). After looking at the code deeper, it looked like I could just place a script in /etc/bitwarden_rs.d/ and it would execute. I use this image in a k8s cluster and this is what I did: I loaded the certs and the startup script as config maps, placed the script in /etc/bitwarden_rs.d/, and have it import the CA certs on create.

kind: ConfigMap
apiVersion: v1
metadata:
  name: startup-script
  namespace: bitwarden
data:
  bitwarden_rs.sh: |-
    #!/usr/bin/env sh
    echo "running startup commands..."
    echo "update-ca-certificates"
    update-ca-certificates
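
The two fixes suggested in this thread (mount the host's trust store read-only, or run update-ca-certificates from a /etc/bitwarden_rs.d/ startup script) both amount to "make the container trust the private CA". The script below is an added example, not code from this issue or from the vaultwarden project: it builds a throwaway private CA and a server certificate signed by it (the shape of a self-hosted mail server's cert), reproduces the X509 error 20 ("unable to get local issuer certificate") from the log above with openssl verify, shows the error clearing once the CA is trusted, and wraps the install step a startup script would perform. It assumes the openssl CLI and the Debian/Alpine ca-certificates layout (/usr/local/share/ca-certificates, update-ca-certificates); the hostname mail.example.internal and the IP 203.0.113.25 are invented.

```shell
#!/bin/sh
# Added example; not code from this issue or from the vaultwarden project.
# Reproduces X509 error 20 ("unable to get local issuer certificate") with a
# throwaway private CA and a server certificate it signs, then shows the fix:
# trust the CA, keep verification on. Assumes the openssl CLI and the
# Debian/Alpine ca-certificates layout. Hostname and IP below are invented.
set -eu

# make_private_pki DIR HOSTNAME: writes ca.pem/ca.key and server.pem/server.key into DIR.
make_private_pki() {
    dir="$1"; host="$2"
    # Own config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # The SAN is what a TLS client matches the configured SMTP_HOST against.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/san.cnf" \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# chain_status CERT [CAFILE]: prints "OK" or openssl's verify reason, e.g.
# "unable to get local issuer certificate". Without CAFILE the default
# CA file/path are disabled, i.e. the cert is checked against an empty store,
# which is what a container without the private CA effectively does.
chain_status() {
    cert="$1"; ca="${2:-}"
    if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set -- -no-CAfile -no-CApath; fi
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# name_ok CERT CAFILE NAME: exit 0 only if the chain verifies AND the cert is
# valid for NAME. Dotted-decimal NAME is checked as an IP (needs an IP SAN),
# anything else as a DNS name. Connecting by IP to a cert issued for a
# hostname fails here even with the CA trusted.
name_ok() {
    cert="$1"; ca="$2"; name="$3"
    case "$name" in
        *[!0-9.]*) opt=-verify_hostname ;;
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$ca" "$opt" "$name" "$cert" >/dev/null 2>&1
}

# install_private_ca CAFILE NAME: what a /etc/bitwarden_rs.d/*.sh startup script
# does. Copies the CA into the local trust dir (update-ca-certificates only
# picks up *.crt) and rebuilds /etc/ssl/certs. CA_DIR is overridable so the
# function can be exercised unprivileged; the rebuild only runs for the real
# directory, as root, when the tool exists.
install_private_ca() {
    src="$1"; name="$2"
    dest="${CA_DIR:-/usr/local/share/ca-certificates}"
    # Refuse anything that is not a PEM certificate (a key or bundle pasted by mistake).
    openssl x509 -noout -in "$src" >/dev/null 2>&1 || {
        echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$dest"
    cp "$src" "$dest/$name.crt"
    if [ "$dest" = /usr/local/share/ca-certificates ] && [ "$(id -u)" -eq 0 ] \
        && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    WORK=$(mktemp -d)
    make_private_pki "$WORK" mail.example.internal
    echo "no CA trusted:      $(chain_status "$WORK/server.pem")"
    echo "private CA trusted: $(chain_status "$WORK/server.pem" "$WORK/ca.pem")"
    name_ok "$WORK/server.pem" "$WORK/ca.pem" mail.example.internal && echo "by hostname: ok"
    name_ok "$WORK/server.pem" "$WORK/ca.pem" 203.0.113.25 || echo "by IP: name mismatch"
fi
```

The name check is the caveat worth keeping in mind for the compose snippet above: it sets SMTP_HOST to the server's IP, so once the CA is trusted the next thing a verifying client checks is whether the certificate covers that IP, and a cert issued for mail.codeloft.tech only matches when SMTP_HOST is that name. Trusting the private CA is also the alternative to the "ignore the certificate" option mentioned later in this thread: disabling verification removes the only thing that stops a network-position attacker from reading the SMTP credentials and every mail the server sends.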

@ch4r13 commented on GitHub (Jan 18, 2024):

> @causalityloop, do you have this issue fixed? I'm thinking of implementing an option to ignore the certificate when needed in cases like this. If have to wait a bit for the email library to release there new (beta) version which should have this included.

After almost four years, is there any ability to ignore the certificate? I'm also in this scenario, with an SMTP server with a self-signed certificate. Thanks @BlackDex


@BlackDex commented on GitHub (Jan 18, 2024):

@TasyDevilsky that is already implemented for about 3 years or so.
See: https://github.com/dani-garcia/vaultwarden/blob/890e668071cffe2833834348e19bbef3c061d014/.env.template#L448-L457


@ch4r13 commented on GitHub (Jan 18, 2024):

> @TasyDevilsky that is already implemented for about 3 years or so. See:
>
> https://github.com/dani-garcia/vaultwarden/blob/890e668071cffe2833834348e19bbef3c061d014/.env.template#L448-L457

Many thanks! Especially for the very fast response!
Thank you ❤️
