Android client app login error: Chain validation failed

Hi, I have set up a private Vaultwarden instance using Caddy and enabled HTTPS through a DNS challenge, more specifically using the Cloudflare solution (I own a domain name). I followed this doc.

This is my docker-compose file

version: "3.9"
services:
  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: always
    environment:
      WEBSOCKET_ENABLED: ${WEBSOCKET_ENABLED}
      SIGNUPS_ALLOWED: ${SIGNUPS_ALLOWED}
      ADMIN_TOKEN: ${ADMIN_TOKEN}
    env_file: .env
    volumes:
      - ./vw-data:/data

  caddy:
    container_name: caddy
    # Note: the stock caddy:alpine image does not ship the Cloudflare DNS module;
    # the DNS-01 challenge needs a Caddy build that includes it.
    image: caddy:alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      DOMAIN: ${DOMAIN}
      EMAIL: ${EMAIL}
      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
    env_file: .env
    # The named volumes declared below were not mounted anywhere; these are the
    # official image's default paths for the Caddyfile, certificate data and config.
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config

volumes:
  caddy-data:
    external: true
  caddy-config:

This works really fine. As long as I’m connected to my local network, I can reach my server from web browser clients (official Bitwarden addon).
But from my Android device, if I try to login from the official Bitwarden App, I get an error and the login fails:

Exception message: Chain validation failed

Whereas if I try again from my Android device, but directly from a web browser app, it works.

Do you have any idea what the problem is?


Most certificate providers use intermediate certificates to sign client certificates. This is called a chain. They also most of the time provide these chained certs. You need to configure Caddy to use a file which has both your certificate and all the chained certificates in one file, which it can then use to serve.

For Let's Encrypt it is called fullchain.pem, for example.

Hi, thanks for the explanation, but I don't know how to configure Caddy to do what you said. Is there some doc about that somewhere (I failed to find it)?

I inspected the Caddy container's /data directory, and under certificates I see these files:

my.domain.com.crt
my.domain.com.json
my.domain.com.key

Note that in my.domain.com.crt file there is a succession of 3 certificate blocks. So it looks like this is already the “full chain”.
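To make the "chain" point from the earlier reply and the three-block .crt file concrete, here is an added example (not from this thread, and not Caddy's or Bitwarden's code). It builds a throwaway root -> intermediate -> leaf PKI with openssl in a temp directory and shows that a client trusting only the root fails to validate the leaf on its own, but succeeds when the served bundle also carries the intermediate. The names (Demo Root CA, my.domain.com) and the `served_chain_count` helper are constructed for the demo; the helper needs network access and is not run automatically.

```sh
#!/bin/sh
# Added example: a tiny three-level PKI that reproduces "chain validation failed".
# All names below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Root CA: self-signed (a trust anchor needs no explicit extensions for this demo)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA: CSR signed by the root; must carry CA:TRUE and keyCertSign
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" >/dev/null 2>&1

  # Leaf (server) certificate for the Vaultwarden host, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=my.domain.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.domain.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1

  # What a server should send: leaf first, then the intermediate(s); root is optional
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"
}

# Count PEM certificate blocks in a bundle (the check done by eye on the .crt above)
count_pem_blocks() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Client trusts only the root and receives just the leaf: issuer cannot be found
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same client, but the served bundle also carries the intermediate: chain builds
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Against a live host (needs network; not called here): how many certs are served?
served_chain_count() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_pki
echo "certificates in fullchain bundle: $(count_pem_blocks "$WORK/fullchain.crt")"
if verify_leaf_only; then
  echo "leaf alone: verified (unexpected)"
else
  echo "leaf alone: chain validation failed (issuer certificate not available)"
fi
if verify_with_chain; then
  echo "leaf + intermediate: verified"
fi
```

A client that already holds the intermediate (or that fetches it via AIA, as most desktop browsers do) hides a missing intermediate, which is why a browser can succeed where a client using a stricter TLS stack fails; `served_chain_count my.domain.com` against the real host tells you how many certificates Caddy actually sends.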

Caddy should automatically be sending the proper cert chain. The Bitwarden mobile app is built on Xamarin, which apparently uses its own TLS library by default and doesn’t always behave the same as Android. It was having issues with recent Let’s Encrypt changes, so you could try configuring Caddy to use ZeroSSL certs instead.

Hi, I tried to configure ZeroSSL but without success. I don't even know if it is possible to use ZeroSSL when using the Cloudflare DNS module in Caddy.
In my Caddyfile:

  tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
    ca  https://acme.zerossl.com/v2/DV90 # added this
  }

  # or

  tls email@email.io {
    ca  https://acme.zerossl.com/v2/DV90
  }
  tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
  }

When I try to log in from the Android app I get the same error.

tls {
    issuer zerossl {
        email {$ACME_EMAIL}
        dns cloudflare {$CLOUDFLARE_API_TOKEN}
    }
}

I got the same error again :confused:

Hey guys,

I'd like to bump this topic since I'm having the same issue. I run my own PKI, so I am my own certificate authority. There are no third parties in between my CA and the end-device certificates. Most apps are perfectly fine with using the CA's certificate that I add to Android's device store and the Windows store. @jjlin was probably on the right track about this app ignoring Android's cert store and substituting its own. It would be nice if the app either accepted Android's store or allowed us to bypass certificate errors like this one. Is there anything we can do about the app?

Edit: See this issue on the mobile app. This will likely require modifications on the app, and there’s not much the server can do.