Hi, I have set up a private Vaultwarden instance using Caddy and enabled HTTPS through the DNS challenge, more specifically using the CloudFlare solution (I own a domain name). I followed this doc.
This works really well. As long as I'm connected to my local network, I can reach my server from web browser clients (official Bitwarden addon).
But from my Android device, if I try to log in from the official Bitwarden app, I get an error and the login fails:
Exception message: Chain validation failed
Whereas if I try again from my Android device, but directly from a web browser app, it works.
Most certificate providers use intermediate certificates to sign client certificates. This is called a chain. They also, most of the time, provide these chained certs. You need to configure Caddy to use a file which has both your certificate and all the chained certificates in one file, which it can then use to serve.
For Let's Encrypt it is called fullchain.pem, for example.
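As an added example (not code from this thread, from Caddy, or from the Bitwarden app), here is a Go program that builds a throwaway root -> intermediate -> leaf chain for the made-up name vault.example.test and then checks the leaf the way a TLS client does: once with only the leaf presented, as a server serving cert.pem alone would, and once with the intermediate appended, which is what fullchain.pem gives you. The first check fails with an unknown-authority error, the second succeeds. Everything is generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "vault.example.test" // made-up name for this example

type certPair struct { // a generated certificate with its key; cert.Raw is the DER
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate builds a minimal v3 template: CAs get CA:TRUE, leaves get a SAN.
func newTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		t.DNSNames = []string{name}
	}
	return t
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := &certPair{cert: tmpl, key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// buildChain creates root -> intermediate -> leaf, the shape public CAs use.
func buildChain() (root, inter, leaf *certPair, err error) {
	if root, err = issue(newTemplate("Example Root CA", 1, true), nil); err != nil {
		return
	}
	if inter, err = issue(newTemplate("Example Intermediate CA", 2, true), root); err != nil {
		return
	}
	leaf, err = issue(newTemplate(host, 3, false), inter)
	return
}

// verifyPresented does what a TLS client does with the server's Certificate message:
// presented[0] is the leaf, the rest are untrusted intermediates, and a path must
// reach a trusted root. A nil result means a chain was built.
func verifyPresented(presented [][]byte, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	leaf, err := x509.ParseCertificate(presented[0])
	if err != nil {
		return err
	}
	for _, der := range presented[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		inters.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	root, inter, leaf, err := buildChain()
	if err != nil {
		panic(err)
	}
	leafOnly := [][]byte{leaf.cert.Raw}                  // a server that serves cert.pem alone
	fullChain := [][]byte{leaf.cert.Raw, inter.cert.Raw} // what fullchain.pem gives, leaf first
	fmt.Println("leaf only :", verifyPresented(leafOnly, root.cert))  // unknown authority
	fmt.Println("full chain:", verifyPresented(fullChain, root.cert)) // <nil>
}
```

Run it with `go run`. The same rule applies when you run your own CA: the client only trusts the root it has been given, so anything between that root and the leaf has to travel in the server's Certificate message, or the client cannot build the chain.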
Hi, thanks for the explanation, but I don't know how to configure Caddy to do what you said. Is there some doc about that somewhere (I failed to find it)?
I inspected the Caddy container's /data directory, and under certificates I see these files:
Caddy should automatically be sending the proper cert chain. The Bitwarden mobile app is built on Xamarin, which apparently uses its own TLS library by default and doesn’t always behave the same as Android. It was having issues with recent Let’s Encrypt changes, so you could try configuring Caddy to use ZeroSSL certs instead.
Hi, I tried to configure ZeroSSL but without success. I don't even know if it is possible to use ZeroSSL when using the Cloudflare DNS module in Caddy.
In my Caddyfile:

```caddyfile
tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
    ca https://acme.zerossl.com/v2/DV90 # added this
}
# or
tls email@email.io {
    ca https://acme.zerossl.com/v2/DV90
}
tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
}
```

When I try to log in from the Android app I get the same error.
I'd like to bump this topic since I'm having the same issue. I run my own PKI, so I am my own certificate authority. There are no third parties in between my CA and the end-device certificates. Most apps are perfectly fine with using the CA's certificate that I add to Android's device store and Windows' store. @jjlin was probably on the right track about this app ignoring Android's cert store and substituting its own. It would be nice if the app either accepted Android's store or allowed us to bypass certificate errors like this one. Is there anything we can do about the app?
Edit: See this issue on the mobile app. This will likely require modifications on the app, and there’s not much the server can do.